[FUGSPBR] Blocking ICMP

Jean M. Duarte jmd at jrp-cal.com.br
Mon Jul 22 17:51:09 BRT 2002


Hello everyone,

I'm having a problem with the people at Braslink.com: the clients behind my network (firewall and NAT) can't access their WebMail, and some other crazy errors happen too, such as database timeouts, some pages not opening, and so on.

Today I don't let ICMP packets pass from outside into my network; of course, I only let through the ones I requested (replies).

The Braslink people sent me the text below, which I didn't understand very well, but which says that if we filter ICMP it can cause problems like mine, where the servers get lost along the way.

I also don't let fragmented packets pass through my network...

What is this PMTU-D?
Is this true? If so, what kind of ping can I allow?

Thanks
Jean Duarte


Now, to the problem with ICMP filtering and PMTU-D

Now we get to the problem. Many network administrators have decided to filter ICMP at a router or firewall. There are valid (and many invalid) reasons for doing this, however it can cause problems. ICMP is an integral part of the Internet and can not be filtered without due consideration for the effects.

In this case, if the ICMP can't fragment errors can not get back to the source host due to a filter, the host will never know that the packets it is sending are too large. This means it will keep trying to send the same large packet, and it will keep being dropped--silently dropped from the view of any system on the other side of the filter. While a small handful of systems that implement PMTU-D also implement a way to detect such situations, most don't and even for those that do it has a negative impact on performance and the network.

If this is happening, typical symptoms include the ability for small packets (e.g. request a very small web page) to get through, but larger ones (e.g. a large web page) will simply hang. This situation can be confusing to the novice administrator because they obviously have some connectivity to the host, but it just stops working for no obvious reason on certain transfers.
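The mechanism the quoted text describes, as an added model that is not part of the post or of Braslink's text: a sender doing Path MTU Discovery sets the DF bit, a router on a narrower link drops the oversized packet and answers with an ICMP Destination Unreachable, code "fragmentation needed" (type 3, code 4), whose header carries the next-hop MTU (RFC 1191 layout). The firewall in the model is a set of inbound ICMP (type, code) pairs it admits; the sender, link sizes and byte counts are constructed values, and IP header overhead is ignored for simplicity.

```python
"""Constructed model of PMTU-D and of what a firewall that drops ICMP does to it."""
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set

# What the poster's current policy admits: only echo replies (type 0) to pings he sent.
POLICY_REPLIES_ONLY = {(0, 0)}
# Same policy plus the one message PMTU-D depends on.
POLICY_PMTUD_SAFE = {(0, 0), (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED)}


def build_frag_needed(next_hop_mtu: int, original_ip_header: bytes) -> bytes:
    """Build the ICMP message a router emits when it must drop a DF packet.
    RFC 1191: type(1) code(1) checksum(2) unused(2) next-hop MTU(2),
    followed by the original IP header plus 8 bytes of its payload.
    Checksum is left at zero in this model."""
    head = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    return head + original_ip_header[:28]


def parse_frag_needed(msg: bytes):
    """Return the next-hop MTU carried by a type 3 / code 4 message, else None."""
    if len(msg) < 8:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED:
        return None
    return mtu


class Path:
    """A route whose bottleneck link is narrower than the sender's interface,
    with a firewall in front of the sender that admits only listed ICMP pairs."""

    def __init__(self, bottleneck_mtu: int, inbound_icmp_allowed: set):
        self.bottleneck_mtu = bottleneck_mtu
        self.inbound_icmp_allowed = inbound_icmp_allowed

    def send(self, size: int):
        """Return (delivered, icmp_bytes_or_None) for one DF packet of this size."""
        if size <= self.bottleneck_mtu:
            return True, None
        # Router cannot fragment (DF set): drop and report the link MTU back.
        icmp = build_frag_needed(self.bottleneck_mtu, b"\x45" + b"\x00" * 27)
        if (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED) in self.inbound_icmp_allowed:
            return False, icmp          # report reaches the sender
        return False, None              # silently dropped at the firewall


def transfer(path: Path, total_bytes: int, interface_mtu: int = 1500, max_retries: int = 5):
    """Push total_bytes through the path with PMTU-D.
    Returns ('ok', final_pmtu) or ('hang', bytes_delivered_before_stalling)."""
    pmtu = interface_mtu
    sent = 0
    retries = 0
    while sent < total_bytes:
        delivered, icmp = path.send(min(pmtu, total_bytes - sent))
        if delivered:
            sent += min(pmtu, total_bytes - sent)
            retries = 0
            continue
        retries += 1
        new_mtu = parse_frag_needed(icmp) if icmp else None
        if new_mtu is not None and new_mtu < pmtu:
            pmtu = new_mtu             # shrink and retry: this is PMTU-D working
        elif retries >= max_retries:
            return "hang", sent        # no feedback ever arrives: the symptom in the text
    return "ok", pmtu


if __name__ == "__main__":
    for name, policy in (("replies only", POLICY_REPLIES_ONLY), ("plus 3/4", POLICY_PMTUD_SAFE)):
        p = Path(bottleneck_mtu=1400, inbound_icmp_allowed=policy)
        print(name, "small page:", transfer(p, 300), "large page:", transfer(p, 20000))
```

Running it reproduces the symptom from the quoted text: with the replies-only policy the 300-byte request succeeds while the 20000-byte transfer stalls with nothing delivered, and admitting type 3 code 4 lets the sender settle on 1400 and finish. The message PMTU-D needs is not a "ping" at all (echo is type 8/0), so the answer to the question in the post is to admit ICMP Destination Unreachable, at minimum code 4, inbound, rather than any echo traffic.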


________________________________________________
To leave the list, visit the URL below:
http://www2.fugspbr.org/mailman/listinfo/fugspbr


