(OT) Blocking ICMP (was: Re: ?: keys.gnupg.net: Host not found)

Peter Lebbing peter at digitalbrains.com
Thu Oct 8 21:45:23 CEST 2015


On 08/10/15 21:26, Antony Prince wrote:
> I host a server in this pool and it is set to drop all IPv4 ICMP packets

I hope you mean specifically dropping all ICMP echo-request packets, not all
ICMP packets. Because some ICMP packets are *essential* for proper functioning
of your internet connection, like path MTU discovery. Systems behind firewalls
that drop all ICMP packets can never properly do path MTU discovery, and this
is nicely reflected in the man page for the iptables kludge that prevents most
PMTU blackhole issues:

> TCPMSS [...]
> 
> This target is used to overcome criminally braindead ISPs or servers
> which block "ICMP Fragmentation Needed" or "ICMPv6 Packet Too Big"
> packets. The symptoms of this problem are that everything works fine from
> your Linux firewall/router, but machines behind it can never exchange
> large packets: [...]

And PMTU discovery is not the only thing affected by blocking all ICMP, but
it's a biggy.

HTH,

Peter.

PS: It is referring to "working fine from your router" because this target is
for the router where the "pipe", so to speak, becomes "smaller": a small MTU in
between larger MTUs. The router is aware of the small MTU, but other systems
are not, which is why only the router works properly, provided the small MTU
is the smallest on the path.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
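The black hole Peter describes, as an added example that is not part of the original thread: a sender pushes 1500-byte packets with DF set through a path containing a 1400-byte link, and a firewall in front of the sender decides which ICMP messages come back. The packet layouts follow RFC 792/1191 (ICMPv4 "Fragmentation Needed", next-hop MTU in bytes 6-7) and RFC 4443 (ICMPv6 "Packet Too Big", 32-bit MTU field); the two firewall policies, the path MTUs and the hosts are constructed for illustration and are not anything from the list or from GnuPG.

```python
"""Simulated PMTU discovery behind an ICMP-filtering firewall (added example).

Two policies are compared: "drop all ICMP" (the one from the thread) and
"drop echo-request only". The first silently eats the "too big" feedback, so
the sender keeps transmitting packets that never arrive; the second lets the
feedback through and the sender shrinks its packets to the path MTU.
"""
import struct

# ICMPv4 (RFC 792 / RFC 1191)
ICMP4_ECHO_REQUEST = 8
ICMP4_DEST_UNREACH = 3
ICMP4_CODE_FRAG_NEEDED = 4          # "Fragmentation Needed and DF was set"

# ICMPv6 (RFC 4443 / RFC 4861)
ICMP6_PACKET_TOO_BIG = 2
ICMP6_ECHO_REQUEST = 128
ICMP6_ND_TYPES = frozenset(range(133, 138))   # RS, RA, NS, NA, Redirect

IPV4_TCP_OVERHEAD = 20 + 20   # IPv4 header + TCP header without options
IPV6_TCP_OVERHEAD = 40 + 20   # IPv6 header + TCP header without options


def build_frag_needed(next_hop_mtu: int) -> bytes:
    """ICMPv4 type 3 code 4: type, code, checksum, unused, next-hop MTU."""
    return struct.pack("!BBHHH", ICMP4_DEST_UNREACH, ICMP4_CODE_FRAG_NEEDED,
                       0, 0, next_hop_mtu)


def build_packet_too_big(mtu: int) -> bytes:
    """ICMPv6 type 2: type, code, checksum, 32-bit MTU."""
    return struct.pack("!BBHI", ICMP6_PACKET_TOO_BIG, 0, 0, mtu)


def build_echo_request(version: int) -> bytes:
    """A ping: type, code, checksum, identifier, sequence (constructed values)."""
    icmp_type = ICMP4_ECHO_REQUEST if version == 4 else ICMP6_ECHO_REQUEST
    return struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1)


def drop_all_icmp(version: int, pkt: bytes) -> bool:
    """Policy from the thread: every ICMP packet is dropped."""
    return True


def drop_echo_only(version: int, pkt: bytes) -> bool:
    """Policy Peter hopes was meant: drop pings, pass everything else."""
    echo = ICMP4_ECHO_REQUEST if version == 4 else ICMP6_ECHO_REQUEST
    return pkt[0] == echo


def is_pmtu_essential(version: int, pkt: bytes) -> bool:
    """True for the messages a firewall must never drop for PMTUD (and NDP) to work."""
    icmp_type, code = pkt[0], pkt[1]
    if version == 4:
        return icmp_type == ICMP4_DEST_UNREACH and code == ICMP4_CODE_FRAG_NEEDED
    return icmp_type == ICMP6_PACKET_TOO_BIG or icmp_type in ICMP6_ND_TYPES


def discover_pmtu(version, local_mtu, path_mtus, firewall_drops, max_rounds=8):
    """Return (packet_size_in_use, rounds, stalled).

    The sender starts at local_mtu with DF set. The first router whose link is
    smaller than the packet answers with a "too big" message carrying that
    link's MTU. If the firewall drops that answer the sender never learns the
    MTU and keeps sending packets that are silently discarded: a black hole.
    """
    size = local_mtu
    for rounds in range(1, max_rounds + 1):
        bottleneck = next((m for m in path_mtus if m < size), None)
        if bottleneck is None:
            return size, rounds, False            # fits on every link
        if version == 4:
            reply = build_frag_needed(bottleneck)
        else:
            reply = build_packet_too_big(bottleneck)
        if firewall_drops(version, reply):
            return size, rounds, True             # feedback lost, transfer stalls
        size = bottleneck                         # learned a smaller MTU, retry
    return size, max_rounds, True


def clamp_mss(path_mtu: int, version: int) -> int:
    """The MSS a TCPMSS --clamp-mss-to-pmtu rule would write into a SYN."""
    overhead = IPV4_TCP_OVERHEAD if version == 4 else IPV6_TCP_OVERHEAD
    return path_mtu - overhead


if __name__ == "__main__":
    path = [1500, 1400, 1500]       # constructed path with a 1400-byte link
    for name, policy in (("drop all ICMP", drop_all_icmp),
                         ("drop echo-request only", drop_echo_only)):
        size, rounds, stalled = discover_pmtu(4, 1500, path, policy)
        state = "STALLED (PMTU black hole)" if stalled else "ok"
        print(f"IPv4, {name:22s}: sending {size}-byte packets, {state}")
    print("MSS clamp for a 1400-byte path:",
          clamp_mss(1400, 4), "(IPv4),", clamp_mss(1400, 6), "(IPv6)")
```

The real-world counterpart of `drop_echo_only` is an iptables rule matching only `-p icmp --icmp-type echo-request` rather than `-p icmp` as a whole (and, for IPv6, leaving `packet-too-big` and the neighbour-discovery types alone); the `clamp_mss` value is what the quoted TCPMSS target computes when used with `--clamp-mss-to-pmtu` on the router that knows about the small link.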
