MSS Initiative


How To Set Up An IP Filter Without Breaking PMTUD

Most problems with Path MTU Discovery arise when IP filters are configured too strictly. Some people have asked how particular filters can be configured correctly. This page gives instructions for some commonly used firewalls.

Sections: IP Filter | Netfilter/IP Tables | Check Point FW-1 4.x | Check Point FW-1 Next Generation (5.x) | Cisco IOS | Cisco PIX | Alteon WebOS

IP Filter

IP Filter will automatically accept ICMP error messages belonging to an existing connection if the keep state option is used:

pass in quick proto tcp from any to any port = 80 flags S keep state

This rule will allow people to access a webserver on or behind the firewall and will allow all traffic related to that TCP session (including related ICMPs) in and out of your network.

If you can't or don't want to use IP Filter's state machine, you can allow the required ICMP packets manually.

For IP Filter to pass destination unreachable, fragmentation needed but don't fragment bit set ICMP messages, put the following lines high enough in your ipf.conf file (before any lines that might block ICMP).

pass in quick proto icmp from any to any icmp-type 3 code 4
pass out quick proto icmp from any to any icmp-type 3 code 4

Netfilter/IP Tables

The IP Tables state module can allow ICMP error messages for an existing connection by using the RELATED keyword after the --state option:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

If you can't or don't want to use the state module, you can allow the required ICMP packets manually.

For IP Tables to pass destination unreachable, fragmentation needed but don't fragment bit set ICMP messages, execute the following command for each active chain. Replace CHAIN-name with the name of your chain.

iptables -I CHAIN-name -p ICMP --icmp-type 3/4 -j ACCEPT

Check Point FW-1 4.x

In versions of Check Point FW-1 before NG, you need to explicitly allow ICMP destination unreachable messages in your rules. Fortunately, there is a predefined service named dest-unreach. If it does not exist in your list of services, create it and make it look like this:

[Image: Checkpoint]

Now simply create the following rule in your Security Policy. Make sure this rule is placed above any other rules dropping or rejecting ICMP.

Source Destination Service Action
Any Any dest-unreach accept

Check Point FW-1 Next Generation (5.x)

Check Point Next Generation introduces stateful ICMP inspection. In short, this means that the firewall will match any ICMP message against the state table to see if it might be useful for an existing connection. If so, it is let through. You can enable stateful ICMP inspection by selecting Policy -> Global Properties -> Stateful Inspection -> Accept stateful ICMP errors. You might also want to select Accept stateful ICMP replies, but this is not required for Path MTU Discovery to work.

[Image: Checkpoint]
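What the stateful mechanisms above (IP Filter's keep state, Netfilter's RELATED match, Check Point's stateful ICMP inspection) actually check is shown by this added Python example, which is not code from this page or any of those products: it parses a fragmentation-needed message, recovers the original datagram's header quoted inside it, and only classifies the error as related when that header matches a tracked connection. The state table, addresses, ports and MTU are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# Constructed state table of tracked TCP connections as (src, sport, dst, dport);
# a stateful firewall fills this from the SYNs it has already passed.
STATE = {("192.0.2.10", 40000, "203.0.113.5", 80)}

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (DF set, checksum left zero) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_frag_needed(router, orig_src, orig_dst, sport, dport, mtu):
    """Constructed ICMP type 3 code 4 from router to orig_src, carrying the
    original IP header plus the first 8 bytes of the TCP header (RFC 792)."""
    inner = build_ipv4(orig_src, orig_dst, 6, struct.pack("!HHI", sport, dport, 1))
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return build_ipv4(router, orig_src, 1, icmp)

def parse_ipv4(buf):
    """Protocol, source, destination and L4 payload of an IPv4 datagram."""
    ihl = (buf[0] & 0x0F) * 4
    return buf[9], str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[ihl:]

def classify_icmp(packet, state=STATE):
    """Return None for anything that is not a fragmentation-needed message,
    otherwise ('RELATED', mtu) when the quoted original datagram belongs to a
    tracked connection and ('UNRELATED', mtu) when it does not."""
    proto, _src, _dst, payload = parse_ipv4(packet)
    if proto != 1:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    if icmp_type != 3 or code != 4:
        return None
    # The quoted original datagram follows the 8-byte ICMP header.
    inner_proto, orig_src, orig_dst, inner_l4 = parse_ipv4(payload[8:])
    if inner_proto != 6 or len(inner_l4) < 4:
        return None
    sport, dport = struct.unpack("!HH", inner_l4[:4])
    # The error is addressed to the original sender, so match the tuple the
    # firewall recorded when it passed that host's outgoing connection.
    if (orig_src, sport, orig_dst, dport) in state:
        return ("RELATED", mtu)
    return ("UNRELATED", mtu)

# Constructed sample: a router on the path reports a 1400-byte next-hop MTU.
SAMPLE = build_frag_needed("198.51.100.1", "192.0.2.10", "203.0.113.5", 40000, 80, 1400)
```

A filter that drops all ICMP type 3 discards the "RELATED" case as well, which is exactly how PMTUD breaks; the manual rules in this page pass type 3 code 4 regardless of state.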

If you do not like/trust stateful ICMP inspection, you can use the method described above for Check Point FW-1 4.x. The predefined object is still called dest-unreach but looks a bit different. For even more control you can also create a new object to only allow destination unreachable, fragmentation needed but don't fragment bit set ICMP packets. Create a new ICMP service and make it look like this:

[Image: Checkpoint]

Finally create the following filter rule and place it before any other filters that might drop or reject ICMP.

Source Destination Service Action
Any Any dest-unreach-frag-needed accept

Cisco IOS

On Cisco routers running the Internetwork Operating System (IOS), ICMP unreachable messages can be allowed by using the following syntax in your access-lists:

access-list 100 permit icmp any any unreachable

Of course you will need to change the access-list number to the appropriate list number. Add this line to both your incoming and outgoing filters, placing it before any other lines that might deny ICMP.

Thanks to Jaya Baloo for providing this info.

Cisco PIX

If you are using access-lists to filter traffic on your PIX, refer to the Cisco IOS section above. If you are using conduits however, use this syntax:

conduit permit icmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 unreachable

Thanks to Jaya Baloo for providing this info.

Alteon WebOS

Selective ICMP filtering is explained on page 137 of the WebOS 9.0 Application Guide. See also page 213 of the WebOS 9.0 Command Reference. Depending on your configuration, the filter should look something like:


/cfg/slb/filt 1
    ena
    sip any
    dip any
    proto icmp
    action allow
    adv/icmp destun
    cache disable

Add this filter (use a low enough filter number) to the appropriate ports.

WebOS 10.x and higher should have a similar syntax.


This page is © Phil Dibowitz 2001 - 2009