From nobody@www.freebsd.org  Tue Jun 18 21:46:43 2002
Return-Path: <nobody@www.freebsd.org>
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
	by hub.freebsd.org (Postfix) with ESMTP id EE42D37B40C
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 21:46:42 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5J4kghG077614
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 18 Jun 2002 21:46:42 -0700 (PDT)
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.2/8.12.2/Submit) id g5J4kgIo077613;
	Tue, 18 Jun 2002 21:46:42 -0700 (PDT)
Message-Id: <200206190446.g5J4kgIo077613@www.freebsd.org>
Date: Tue, 18 Jun 2002 21:46:42 -0700 (PDT)
From: Yusuf Goolamabbas <yusufg@outblaze.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: firewall man page should allow ICMP type 3 messages
X-Send-Pr-Version: www-1.0

>Number:         39495
>Category:       docs
>Synopsis:       firewall man page should allow ICMP type 3 messages
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 18 21:50:01 PDT 2002
>Closed-Date:    Mon Jun 24 21:15:17 PDT 2002
>Last-Modified:  Mon Jun 24 21:15:17 PDT 2002
>Originator:     Yusuf Goolamabbas
>Release:        4.5-RELEASE
>Organization:
>Environment:
>Description:
firewall(7) has a paragraph about which ICMP packets to allow, what they do, etc.

The rule described there is:
add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14

This does not allow ICMP type 3 messages, which will lead to Path MTU Discovery issues.

IMHO, the example rule should be changed to

add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14

Type 5 = Redirect is fairly dangerous and somebody might just cut/paste from the firewall manpage. 


     
>How-To-Repeat:
      
>Fix:
      
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: dillon 
State-Changed-When: Mon Jun 24 21:08:22 PDT 2002 
State-Changed-Why:  
Whoops, ok, the firewall man page is fixed in the tree now with regard
to TCP MTU discovery requiring ICMP type 3 packets to be let through.

http://www.freebsd.org/cgi/query-pr.cgi?pr=39495 
>Unformatted:
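
Added example, not part of the original report or of FreeBSD: a small audit of ipfw rule text that reports the two conditions raised above, an ICMP allow list without type 3 and one that includes type 5. The function name and the simplifications (rule order, deny rules and address scope are ignored) are assumptions of this sketch.

```python
import re

# Matches "add [number] <action> icmp ..." with any command prefix (ipfw, ${fwcmd}).
RULE_RE = re.compile(r"^(?:.*?\s)?add\s+(?:(\d+)\s+)?(\w+)\s+icmp\s+(.*)$", re.I)
TYPES_RE = re.compile(r"\bicmptypes\s+(\d+(?:,\d+)*)", re.I)
ALLOW = {"allow", "accept", "pass", "permit"}  # synonyms in ipfw(8)
PMTUD_TYPE = 3     # destination unreachable, includes "fragmentation needed"
REDIRECT_TYPE = 5  # redirect, the type the report calls fairly dangerous

def audit_icmp_rules(ruleset):
    """Return (allowed_types, findings) for the allow-icmp rules in ruleset.

    allowed_types is None when some rule allows ICMP without an icmptypes
    filter. Rule order, deny rules and address scope are ignored (assumption).
    """
    allowed, unfiltered, findings = set(), False, []
    for line_no, raw in enumerate(ruleset.splitlines(), 1):
        m = RULE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group(2).lower() not in ALLOW:
            continue
        label = f"line {line_no} (rule {m.group(1) or 'auto'})"
        t = TYPES_RE.search(m.group(3))
        if t is None:
            unfiltered = True
            findings.append(f"{label}: no icmptypes filter, every ICMP type is allowed")
            continue
        types = {int(x) for x in t.group(1).split(",")}
        allowed |= types
        if REDIRECT_TYPE in types:
            findings.append(f"{label}: allows type 5 (redirect)")
    if not unfiltered and PMTUD_TYPE not in allowed:
        findings.append("ruleset: type 3 not allowed, expect Path MTU Discovery issues")
    return (None if unfiltered else allowed), findings

# The two rules quoted in the report.
MAN_PAGE_RULE = "add 04000 allow icmp from any to any icmptypes 0,5,8,11,12,13,14"
PROPOSED_RULE = "add 04000 allow icmp from any to any icmptypes 0,3,8,11,12,13,14"

if __name__ == "__main__":
    for name, rule in (("man page", MAN_PAGE_RULE), ("proposed", PROPOSED_RULE)):
        allowed, findings = audit_icmp_rules(rule)
        print(name, sorted(allowed), findings or "ok")
```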
