On Wed, 2004-09-22 at 16:01, Alistair Tonner wrote:
>
> I can't recall off the top of my head *which* ICMP messages I had to let back
> in ...but they fixed the issue.

ICMP Type 3

technically, they *should* be ICMP Type 3 Code 4: Fragmentation Needed and Don't Fragment was Set, but I've noticed that some stacks will just send a type 3 code 0 (net unreachable) or code 1 (host unreachable).

ICMP has gotten a bad rep with firewall guys over the past few years. it is a Good Thing (tm), IMHO, to allow ICMP Types 3, 11, and 12 through your firewall to allow the stack to do its magic ("-m state --state RELATED" will not magically catch all of these for you).

references:

http://www.iana.org/assignments/icmp-parameters
http://rfc.net/rfc1191.html

-j

--
Jason Opperisano <opie@xxxxxxxxxxx>
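Added example, not part of the original message: a small Python classifier that applies the allow-list described above (ICMP types 3, 11 and 12) to a raw ICMP message and extracts the next-hop MTU that RFC 1191 places in a type 3 code 4 message. The function names and the sample packets are constructed for illustration.

```python
import struct

# ICMP types the message recommends allowing through the firewall.
ALLOWED_TYPES = {3: "destination unreachable", 11: "time exceeded",
                 12: "parameter problem"}

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, mtu: int = 0, payload: bytes = b"") -> bytes:
    """Build a constructed sample message with a valid checksum (test helper)."""
    body = struct.pack("!BBHHH", icmp_type, code, 0, 0, mtu) + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def classify_icmp(msg: bytes) -> dict:
    """Apply the allow-list to one ICMP message (IP header already stripped)."""
    if len(msg) < 8:
        return {"verdict": "drop", "reason": "truncated"}
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if inet_checksum(msg) != 0:  # a valid message sums to zero
        return {"verdict": "drop", "reason": "bad checksum"}
    if icmp_type not in ALLOWED_TYPES:
        return {"verdict": "drop", "reason": f"type {icmp_type} not allowed"}
    # Only type 3 code 4 carries a next-hop MTU (RFC 1191, bytes 6-7). Code 0/1
    # from the stacks mentioned above is accepted but gives the sender no MTU,
    # and 0 in the field means an older router that does not fill it in.
    is_pmtu = icmp_type == 3 and code == 4
    return {"verdict": "accept", "type": ALLOWED_TYPES[icmp_type], "code": code,
            "pmtu_signal": is_pmtu, "next_hop_mtu": (mtu or None) if is_pmtu else None}

if __name__ == "__main__":
    # Constructed payload standing in for the quoted IP header + 8 data bytes.
    quoted = b"\x45" + bytes(27)
    for sample in (build_icmp(3, 4, 1400, quoted), build_icmp(3, 1, 0, quoted),
                   build_icmp(11, 0, 0, quoted), build_icmp(8, 0)):
        print(classify_icmp(sample))
```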