Err... *I'm* not filtering ICMP, they are... At a minimum, they *should* allow type 3 The original poster was questioning whether the site was up, since it was unreachable with ICMP. By blocking all ICMP, such things as MTU path discovery are also broken - just like Hotmail.
-----Original Message----- From: owner-nznog(a)list.waikato.ac.nz [mailto:owner-nznog(a)list.waikato.ac.nz]On Behalf Of Don Stokes Sent: Wednesday, 22 August 2001 12:17 To: nznog(a)list.waikato.ac.nz Subject: Re: XTRA network having problems?
"Gordon Smith"
wrote: Site is up. All ICMP is blocked at the border router, instead of just filtering out undesirable ICMP traffic...
If you're really filtering *all* ICMP traffic, you've broken it. Path MTU discovery relies on ICMP fragmentation-required messages getting through, and *lots* of TCP implementations rely on MTU path discovery. It works fine as long as the MTUs are all the same, but when they aren't, or if encapsulation such as ESP or GRE are in use, it doesn't.
ICMP is there for a reason. If you don't know what you're doing, don't touch it.
-- don --------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog
--------- To unsubscribe from nznog, send email to majordomo(a)list.waikato.ac.nz where the body of your message reads: unsubscribe nznog