Subject: Re: DF strikes again
To: Andrew Brown <atatat@atatdot.net>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: current-users
Date: 03/15/2001 15:01:53
> >   By the transparency rule, a packet-filtering router acting as a
> >   firewall which permits outgoing IP packets with the Don't Fragment
> >   (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
> >   Fragmentation Needed errors sent in response to the outbound packets
> >   from reaching hosts inside the firewall, as this would break the
> >   standards-compliant usage of Path MTU discovery by hosts generating
> >   legitimate traffic.
> 
> i think the use of "outgoing" and "incoming" here is probably enough
> for people to insist that they're not doing anything wrong.  after
> all, it says nothing about incoming traffic with the DF bit or
> outgoing ICMP messages, which is usually where the problem is.

This would only be a problem if the bottleneck is *inside* the
firewall.

In practice the problems occur with configurations looking like:

                  inside          outside
    web server === firewall ============= t1 ---- t2 ======  client

'=' is 1500 byte MTU
'-' is smaller MTU

In this case, the web server is sending out DF packets of size 1500
bytes; t1 sends back a "frag needed" ICMP, which is being dropped by
the firewall.

Large packets sent by "client" wind up hitting the bottleneck at t2,
get the "frag neededs" and adapt.

If t1/t2 are buggy and don't send the "frag needed" errors, that's
another matter entirely (not a firewall bug).

						- Bill
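The path in Bill's diagram, as an added simulation that is not part of this thread: a DF packet from the inside web server, a smaller-MTU hop at t1, and a firewall whose ICMP policy decides whether the "frag needed" reply gets back in. The topology, hop names and MTU values are constructed for the example; the last scenario models the "buggy t1/t2" case Bill mentions, where no ICMP is ever sent and no firewall rule can help.

```python
from dataclasses import dataclass

FRAG_NEEDED = (3, 4)  # ICMP Destination Unreachable, code 4: Fragmentation Needed


@dataclass
class Hop:
    name: str
    mtu: int                         # MTU of the link this hop forwards onto
    sends_frag_needed: bool = True   # False models a router that never reports it


# Three firewall policies for ICMP returning toward the inside host.
def fw_allow_all_icmp(icmp_type, icmp_code):
    return True


def fw_drop_all_icmp(icmp_type, icmp_code):
    return False


def fw_permit_frag_needed_only(icmp_type, icmp_code):
    # The minimal rule that keeps Path MTU discovery working for inside hosts.
    return (icmp_type, icmp_code) == FRAG_NEEDED


def send_df(path, size, fw_passes, max_tries=4):
    """Send a DF datagram of `size` bytes from the inside host along `path`.

    `fw_passes(type, code)` is the firewall's inbound ICMP policy.
    Returns (delivered, attempts, pmtu_learned_by_sender).
    """
    pmtu = size
    for attempt in range(1, max_tries + 1):
        for hop in path:
            if pmtu > hop.mtu:
                # DF is set, so the hop discards the packet. If it is not buggy
                # it reports the next-hop MTU; the sender only learns it if the
                # firewall lets that ICMP message through.
                if hop.sends_frag_needed and fw_passes(*FRAG_NEEDED):
                    pmtu = hop.mtu
                break  # packet dropped at this hop; sender will retransmit
        else:
            return True, attempt, pmtu  # reached the client
    return False, max_tries, pmtu  # black hole: every retry died silently


# Constructed topology: 1500-byte links everywhere except t1 ---- t2.
PATH = [Hop("firewall", 1500), Hop("t1", 1000), Hop("t2", 1500)]
BUGGY_PATH = [Hop("firewall", 1500), Hop("t1", 1000, sends_frag_needed=False)]

if __name__ == "__main__":
    for label, path, policy in [("permit 3/4", PATH, fw_permit_frag_needed_only),
                                ("drop ICMP", PATH, fw_drop_all_icmp),
                                ("buggy t1", BUGGY_PATH, fw_allow_all_icmp)]:
        print(label, send_df(path, 1500, policy))
```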