NAT, ICMP filtered, congestion troubles?

NAT, ICMP filtered, congestion troubles?

[Marco Gaiarin]

In my organization the default firewall block all traffic from clients,
that can access the Internet only via proxy.
ALL traffic get blocked, ICMP too. IPv4, so client get NATted.

Recently i've had to add a 'pinhole' to access an external mail server
(SMTP and IMAP), and i've enabled only that TCP port.
AFAIK, congestion avoidance are handled by the firewall, not
the internal/natted host.


Because we are suffering some troubles (mostly: random disconnection;
tshark display many duplicated packet), i'm rethinking that, at least
as hypotesis.


Permitting TCP connection but blocking ICMP (and other protos) from an
internal network, natted, to an external site, could lead to trouble?


Thanks.

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Re: NAT, ICMP filtered, congestion troubles?

[Rick Jones]

On 12/04/2015 01:37 AM, Marco Gaiarin wrote:
> AFAIK, congestion avoidance are handled by the firewall, not
> the internal/natted host.

Does it?  I would think that the NAT/firewall would be maintaining only 
the state needed to perform the address translations, leaving the 
congestion avoidance (and response to the likes of say an ICMP 
Destination Unreachable, Fragmentation Needed and DF set) to the 
"actual" TCP endpoint.

rick jones

Re: NAT, ICMP filtered, congestion troubles?

[Marco Gaiarin]

Mandi! Rick Jones
  In chel di` si favelave...

> Does it?  I would think that the NAT/firewall would be maintaining
> only the state needed to perform the address translations, leaving
> the congestion avoidance (and response to the likes of say an ICMP
> Destination Unreachable, Fragmentation Needed and DF set) to the
> "actual" TCP endpoint.

Ok, good to know.

So, practically speaking, at least for TCP connection, it is better
to ALWAYS ''open'' ICMP packets alongside TCP packets.

Right?

-- 
dott. Marco Gaiarin				        GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''                    http://www.sv.lnf.it/
  Polo FVG   -   Via della Bontà, 7 - 33078   -   San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA!
    http://www.lanostrafamiglia.it/25/index.php/component/k2/item/123
	(cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)

Re: NAT, ICMP filtered, congestion troubles?

[Rick Jones]

On 12/14/2015 03:29 AM, Marco Gaiarin wrote:
> So, practically speaking, at least for TCP connection, it is better
> to ALWAYS ''open'' ICMP packets alongside TCP packets.
>
> Right?

Well, that is my opinion.  To leverage the phrase, that, and a couple 
euros will get you an espresso.

There are others who hold a different opinion.

rick jones
speaking for myself alone