Discussion:
OT: Blocking of ICMP type 3 code 4 packets [Was: Prevent circumventing dansguardian with pf]
chefren
2007-04-25 23:01:36 UTC
Although it's not well known, TCP seriously depends on ICMP packets of
type 3 code 4 for "Path MTU Discovery" (PMTUD). Blocking these
packets leads to congested IP connections, broken transmissions and thus
to frustrated users.

Some documentation:

http://en.wikipedia.org/wiki/Pmtud

http://www.usenix.org/events/lisa02/tech/full_papers/vanderberg/vanderberg_html/

http://www.ietf.org/rfc/rfc2923.txt


Various serious solutions:


BSD:
pass quick proto icmp from any to any icmp-type 3 code 4

Linux:
iptables -I CHAIN-NAME -p ICMP --icmp-type 3/4 -j ACCEPT


Check Point firewalls:
Explicitly allow ICMP type 3 code 4 packets to the servers that use Path
MTU Discovery



A firewall that allows TCP and disallows ICMP type 3 code 4 is a broken
firewall that should be repaired or replaced immediately since it's not
usable for serious TCP traffic.


+++chefren
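To show what the rules above protect, here is a small added example (not from chefren's post or any firewall vendor) that models PMTUD per RFC 1191: a sender transmits DF-marked segments, the first hop whose MTU is too small answers with an ICMP type 3 code 4 message carrying its next-hop MTU, and the sender shrinks its segments. The same path is run once with a firewall that passes (3,4) and once with one that drops it; the hop MTUs, the placeholder offending datagram and the function names are all constructed for this illustration.

```python
import struct

# Constructed example: a minimal model of Path MTU Discovery (RFC 1191) with
# real ICMP "fragmentation needed" encoding, plus a firewall policy expressed
# as the set of (type, code) pairs it allows through to the sender.

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_HEADER_LEN = 20


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, offending_datagram: bytes) -> bytes:
    """ICMP type 3 code 4: type, code, checksum, unused(16), next-hop MTU(16),
    followed by the dropped datagram's IP header + first 8 bytes (RFC 1191 sec. 4)."""
    body = offending_datagram[:IP_HEADER_LEN + 8]
    unchecked = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(unchecked + body)
    return struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, csum, 0, next_hop_mtu) + body


def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU if msg is a well-formed type 3 code 4 message, else None."""
    if len(msg) < 8:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    if inet_checksum(msg) != 0:   # checksum over the whole message must fold to zero
        return None
    return mtu


def simulate_pmtud(hop_mtus, allowed_icmp, start_mtu=1500, max_rounds=10):
    """Send DF segments of size start_mtu over hops with the given MTUs.

    allowed_icmp is the set of (type, code) pairs the sender's firewall passes.
    Returns (final_mtu, delivered, icmp_seen): the segment size the sender settled
    on, whether a segment ever fit the whole path, and how many type 3 code 4
    messages actually reached the sender.
    """
    mtu = start_mtu
    icmp_seen = 0
    offending = bytes(IP_HEADER_LEN + 8)   # constructed stand-in for the dropped datagram
    for _ in range(max_rounds):
        blocked_hop = next((m for m in hop_mtus if m < mtu), None)
        if blocked_hop is None:
            return mtu, True, icmp_seen     # DF segment of size mtu fits every hop
        icmp = build_frag_needed(blocked_hop, offending)
        if (icmp[0], icmp[1]) not in allowed_icmp:
            continue                        # firewall drops it: sender retransmits blindly
        learned = parse_frag_needed(icmp)
        if learned is not None:
            icmp_seen += 1
            mtu = learned                   # shrink to the advertised next-hop MTU
    return mtu, False, icmp_seen            # PMTUD black hole: nothing ever got through


if __name__ == "__main__":
    path = [1500, 1400, 1280]             # constructed hop MTUs
    print("ICMP 3/4 allowed:", simulate_pmtud(path, {(3, 4)}))
    print("ICMP 3/4 blocked:", simulate_pmtud(path, set()))
```

With the (3,4) pair allowed the sender converges to 1280 after two ICMP messages and delivers; with it blocked the sender keeps retransmitting 1500-byte DF segments and never delivers, which is exactly the "broken firewall" failure the post describes.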
Stuart Henderson
2007-04-25 23:14:38 UTC
Post by chefren
Although it's not well known, TCP seriously depends on ICMP packets of
type 3 code 4 for "Path MTU Discovery" (PMTUD). Blocking these
packets leads to congested IP connections, broken transmissions and thus
to frustrated users.
For PF, 'keep state' on the TCP rule (default in 4.1) does the right thing
and matches the appropriate ICMP messages as well.
