(OT) Blocking ICMP

Peter Lebbing peter at digitalbrains.com
Thu Oct 8 22:05:39 CEST 2015


On 08/10/15 21:51, Antony Prince wrote:
> I haven't had a single issue with any of the traffic I route through it, so
> I'm assuming it is fine.

The issue with PMTU discovery only happens when there is a smaller MTU in the
middle of the path from you to another system. This can be a very rare
occurrence depending on your setup.

On the basis of no evidence whatsoever, I suspect that it mostly affects home
users with a PPPoE connection shared between multiple PCs[1]. Not the typical
system you (Antony) would *connect* to yourself and notice the connection stops
working as soon as a system tries to send a big packet.

That's a major part of the problem: the people who block all ICMP packets are
usually not the ones affected by the issue. They never notice, and it's other
people who get the issues when connecting to them.

Just blocking echo-request (or reply) is just a hindrance when debugging
connections, but not a connectivity issue, so you can safely do it if you want to.

HTH,

Peter.

[1] Note: you can actually use Jumbo frames[2] to have a shared PPPoE with a
regularly sized MTU. If this is the case, you have no problems.

[2] I'm not entirely sure if an Ethernet frame that is only slightly too large
is properly a Jumbo frame, but it is only a matter of terminology. I like
terminology to be exact, so I still put this in a footnote ;).

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
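
The failure mode described in the message above, as an added example that is not part of the original e-mail: a small Python model of a sender whose inbound firewall either drops all ICMP or drops only echo-request/reply. The function names, the link MTU values (1492 for a PPPoE hop) and the zeroed checksum are assumptions made for this illustration.

```python
import struct

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8   # ICMPv4 types
FRAG_NEEDED = 4                                    # code under DEST_UNREACH (RFC 1191)

def frag_needed(next_hop_mtu):
    """Constructed ICMP header: type, code, checksum (left 0), unused, next-hop MTU."""
    return struct.pack("!BBHHH", DEST_UNREACH, FRAG_NEEDED, 0, 0, next_hop_mtu)

def block_all_icmp(icmp):
    """Inbound policy that drops every ICMP message."""
    return False

def block_echo_only(icmp):
    """Inbound policy that drops only echo-request and echo-reply."""
    return icmp[0] not in (ECHO_REQUEST, ECHO_REPLY)

def send_large(path_mtus, accept_icmp, size=1500, max_tries=5):
    """Model a sender pushing a DF-marked packet of `size` bytes over links
    with the given MTUs. Returns (delivered, final_packet_size)."""
    pmtu = size
    for _ in range(max_tries):
        # First link too small for the packet; None means it fits everywhere.
        bottleneck = next((m for m in path_mtus if m < pmtu), None)
        if bottleneck is None:
            return True, pmtu
        # The router on that link drops the packet and reports its MTU.
        reply = frag_needed(bottleneck)
        if not accept_icmp(reply):
            continue  # firewall ate the report: sender retransmits at the same size
        typ, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", reply[:8])
        if typ == DEST_UNREACH and code == FRAG_NEEDED:
            pmtu = mtu  # path MTU discovery: shrink and retry
    return False, pmtu

if __name__ == "__main__":
    pppoe_path = [1500, 1492, 1500]   # constructed: smaller MTU in the middle
    print("block all ICMP :", send_large(pppoe_path, block_all_icmp))
    print("block echo only:", send_large(pppoe_path, block_echo_only))
    print("uniform path   :", send_large([1500, 1500], block_all_icmp))
```

On the uniform path the block-everything policy still delivers, which is why the host doing the blocking rarely sees the problem.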


