Most problems with Path MTU Discovery arise when IP filters are configured too strictly. Some people have asked how certain filters can be configured correctly. On this page we give instructions for some commonly used firewalls.
Firewalls covered below: IP Filter, Netfilter/IP Tables, Check Point FW-1 4.x, Check Point FW-1 Next Generation (5.x), Cisco IOS, Cisco PIX, Alteon WebOS.
IP Filter will automatically accept ICMP error messages belonging to an existing connection if the keep state option is used:
pass in quick proto tcp from any to any port = 80 flags S keep state
This rule will allow people to access a webserver on or behind the firewall and will allow all traffic related to that TCP session (including related ICMPs) in and out of your network.
If you can't or don't want to use IP Filter's state machine, you can allow the required ICMP packets manually.
For IP Filter to pass ICMP destination unreachable messages with code 4 (fragmentation needed but don't fragment bit set), put the following lines high enough in your ipf.conf file (before any lines that might block ICMP):
pass in quick proto icmp from any to any icmp-type 3 code 4
pass out quick proto icmp from any to any icmp-type 3 code 4
The IP Tables state module can allow ICMP error messages for an existing connection by using the RELATED keyword after the --state option:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
If you can't or don't want to use the state module, you can allow the required ICMP packets manually.
For IP Tables to pass ICMP destination unreachable messages with code 4 (fragmentation needed but don't fragment bit set), execute the following command for each active chain. Replace CHAIN-name with the name of your chain.
iptables -I CHAIN-name -p ICMP --icmp-type 3/4 -j ACCEPT
In versions of Check Point FW-1 before NG, you need to explicitly allow ICMP destination unreachable messages in your rules. Fortunately, there is a predefined service named dest-unreach. If it does not exist in your list of services, create it and make it look like this:
Now simply create the following rule in your Security Policy. Make sure this rule is placed above any other rules dropping or rejecting ICMP.
Source | Destination | Service | Action |
---|---|---|---|
Any | Any | dest-unreach | accept |
Check Point Next Generation introduces stateful ICMP inspection. In short, this means that the firewall matches each ICMP message against its state table to see whether it belongs to an existing connection; if so, it is let through. You can enable stateful ICMP inspection by selecting Policy -> Global Properties -> Stateful Inspection -> Accept stateful ICMP errors. You might also want to select Accept stateful ICMP replies, but this is not required for Path MTU Discovery to work.
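The matching that the stateful mechanisms above perform (IP Filter's keep state, the IP Tables RELATED state, Check Point's stateful ICMP inspection) can be illustrated with a small Python model. This is an added example, not code from this page or from any of those products: it builds a type 3 code 4 message the way a router would, parses it, and accepts it only if the quoted inner header matches a tracked connection and the error is addressed to the host that sent the quoted packet. The addresses (RFC 5737 documentation ranges), the state table and the next-hop MTU of 1400 are constructed values.

```python
import socket
import struct

ICMP_DEST_UNREACH = 3   # ICMP type: destination unreachable
ICMP_FRAG_NEEDED = 4    # code: fragmentation needed and DF set
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df=False):
    """Minimal 20-byte IPv4 header; DF is bit 14 of the flags/fragment field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                      0x4000 if df else 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def frag_needed(router, offending, next_hop_mtu):
    """ICMP 3/4 as a router emits it (RFC 792/1191): header carrying the next-hop
    MTU, then the offending IP header plus the first 8 bytes of its payload."""
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + offending[:28]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    sender = socket.inet_ntoa(offending[12:16])   # the error goes back to the sender
    return ipv4_header(router, sender, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp_error(pkt):
    """Decode outer IPv4 + ICMP and the quoted inner 5-tuple; ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != IPPROTO_ICMP:
        raise ValueError("not an IPv4 ICMP packet")
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(icmp) < 36:                       # 8-byte ICMP header + 20 + 8 quoted bytes
        raise ValueError("truncated ICMP error")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("quoted header too short to recover ports")
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return {"outer_dst": socket.inet_ntoa(pkt[16:20]), "type": itype, "code": code,
            "next_hop_mtu": mtu,
            "inner": (inner[9], socket.inet_ntoa(inner[12:16]), sport,
                      socket.inet_ntoa(inner[16:20]), dport)}


def is_related(pkt, state_table):
    """The RELATED decision: accept only if the quoted packet belongs to a tracked
    connection (either direction) and the error is addressed to that packet's sender."""
    try:
        info = parse_icmp_error(pkt)
    except ValueError:
        return False
    if info["type"] != ICMP_DEST_UNREACH:
        return False
    proto, src, sport, dst, dport = info["inner"]
    if info["outer_dst"] != src:
        return False
    return ((proto, src, sport, dst, dport) in state_table
            or (proto, dst, dport, src, sport) in state_table)


# Constructed state table: one tracked HTTP connection from our client.
STATE_TABLE = {(IPPROTO_TCP, "192.0.2.10", 40000, "198.51.100.20", 80)}


def demo():
    # Constructed 1500-byte DF segment of the tracked connection hitting a 1400-byte link.
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 0x50, 0x10, 65535, 0, 0)
    big = ipv4_header("192.0.2.10", "198.51.100.20", IPPROTO_TCP, 1480, df=True) + tcp + b"\x00" * 1460
    good = frag_needed("203.0.113.1", big, 1400)
    # Same shape, but quoting a connection nobody tracked.
    stray = ipv4_header("192.0.2.10", "198.51.100.99", IPPROTO_TCP, 20, df=True) + struct.pack("!HH", 40001, 443) + b"\x00" * 16
    unknown = frag_needed("203.0.113.1", stray, 1400)
    # Valid message, but delivered to a host that did not send the quoted packet.
    misdirected = ipv4_header("203.0.113.1", "192.0.2.11", IPPROTO_ICMP, len(good) - 20) + good[20:]
    # One flipped byte in the quoted header breaks the ICMP checksum.
    corrupt = good[:-1] + bytes([good[-1] ^ 0xFF])
    return {"mtu": parse_icmp_error(good)["next_hop_mtu"],
            "related": is_related(good, STATE_TABLE),
            "unknown": is_related(unknown, STATE_TABLE),
            "misdirected": is_related(misdirected, STATE_TABLE),
            "corrupt": is_related(corrupt, STATE_TABLE)}


if __name__ == "__main__":
    print(demo())
```

Only the first message is accepted; the other three are exactly the cases a stateful filter rejects while the manual "pass icmp-type 3 code 4 from any to any" rules earlier on this page would let through, which is the trade-off between the two approaches.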
If you do not like or trust stateful ICMP inspection, you can use the method described above for Check Point FW-1 4.x. The predefined object is still called dest-unreach but looks a bit different. For even more control you can also create a new object that only allows ICMP destination unreachable messages with code 4 (fragmentation needed but don't fragment bit set). Create a new ICMP service and make it look like this:
Finally create the following filter rule and place it before any other filters that might drop or reject ICMP.
Source | Destination | Service | Action |
---|---|---|---|
Any | Any | dest-unreach-frag-needed | accept |
On Cisco routers running the Internetwork Operating System (IOS), ICMP unreachable messages can be allowed with the following syntax in your access-lists:
access-list 100 permit icmp any any unreachable
Of course you will need to change the access-list number to the appropriate list number. Add this line to both your incoming and outgoing filters, placing it before any other lines that might deny ICMP.
Thanks to Jaya Baloo for providing this info.
If you are using access-lists to filter traffic on your PIX, refer to the Cisco IOS section above. If you are using conduits, however, use this syntax:
conduit permit icmp 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 unreachable
Thanks to Jaya Baloo for providing this info.
Selective ICMP filtering is explained on page 137 of the WebOS 9.0 Application Guide. See also page 213 of the WebOS 9.0 Command Reference. Depending on your configuration, the filter should look something like:
/cfg/slb/filt 1
ena
sip any
dip any
proto icmp
action allow
adv/icmp destun
cache disable
Add this filter to the appropriate ports, using a filter number low enough that it is evaluated before any filter that might drop ICMP.
WebOS 10.x and higher should have a similar syntax.
This page is © Phil Dibowitz 2001 - 2009