Subject: Re: DF strikes again
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 03/15/2001 15:08:57
>> i think the use of "outgoing" and "incoming" here is probably enough
>> for people to insist that they're not doing anything wrong. after
>> all, it says nothing about incoming traffic with the DF bit or
>> outgoing ICMP messages, which is usually where the problem is.
>
>This would only be a problem if the bottleneck is *inside* the
>firewall.
>
>In practice the problems occur with configurations looking like:
>
>            inside                       outside
>  web server === firewall ============= t1 ---- t2 ====== client
>
>
>'=' is 1500 byte MTU
>'-' is smaller MTU
>
>In this case, the web server is sending out DF packets of size 1500
>bytes; t1 sends back a "frag needed" ICMP, which is being dropped by
>the firewall.
which could just as easily be a situation like this:
             outside                          inside
 client ============== firewall ==== t1 ---- t2 ==== web server
>Large packets sent by "client" wind up hitting the bottleneck at t2,
>get the "frag neededs" and adapt.
...so that large packets from the client wind up getting dropped and
no notification makes it back to the client.
>If t1/t2 are buggy and don't send the "frag needed" errors, that's
>another matter entirely (not a firewall bug).
of course.
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."
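The black hole both correspondents describe, as an added simulation that is not part of this thread or of any NetBSD code: an inside host sends 1500-byte DF datagrams toward a path whose narrowest link is 576 bytes, the bottleneck router answers with ICMP type 3 code 4 carrying the next-hop MTU, and a firewall in between either drops every inbound ICMP (the rule set under discussion) or admits a "frag needed" only when the datagram it quotes belongs to a flow the inside host started. The addresses, MTUs and the `Firewall` model are constructed for the example; the packet layouts follow RFC 791, RFC 792 and RFC 1191.

```python
"""PMTU discovery black hole caused by a firewall dropping ICMP "frag needed".
Simulation only: packets are built as bytes with the real IPv4/ICMP layouts,
but nothing touches a wire.  All hosts and MTUs below are constructed."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4        # code 4 of type 3 (RFC 792 / RFC 1191)
IP_DF = 0x4000              # Don't Fragment bit in the flags/fragment-offset field


def checksum(data: bytes) -> int:
    """Ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_addrs(hdr: bytes):
    """(src, dst) dotted quads from an IPv4 header without options."""
    return (".".join(str(b) for b in hdr[12:16]), ".".join(str(b) for b in hdr[16:20]))


def ipv4_packet(src: str, dst: str, payload: bytes, df: bool = True, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header in front of payload; DF set by default."""
    def addr(a):
        return bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      IP_DF if df else 0, 64, proto, 0, addr(src), addr(dst))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def icmp_frag_needed(original: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3 code 4 as the router at the too-small link sends it:
    next-hop MTU in bytes 6-7, then the offending datagram's IP header plus
    its first 8 bytes of payload (RFC 1191 section 4)."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + original[:28]
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]


def parse_frag_needed(icmp: bytes):
    """(next_hop_mtu, quoted_src, quoted_dst) for a type 3/code 4 message, else None."""
    if len(icmp) < 28 or icmp[0] != ICMP_DEST_UNREACH or icmp[1] != ICMP_FRAG_NEEDED:
        return None
    mtu = struct.unpack("!H", icmp[6:8])[0]
    src, dst = ip_addrs(icmp[8:])          # the quoted original IP header
    return mtu, src, dst


class Firewall:
    """Hypothetical stateful filter in front of the inside host.
    allow_frag_needed=False drops every inbound ICMP (the rule set in the
    thread).  allow_frag_needed=True admits a type 3/code 4 message only when
    the datagram it quotes matches a flow the inside host sent out."""
    def __init__(self, allow_frag_needed: bool):
        self.allow_frag_needed = allow_frag_needed
        self.outbound = set()                   # (src, dst) pairs seen going out

    def outbound_pass(self, pkt: bytes) -> None:
        self.outbound.add(ip_addrs(pkt))

    def inbound_icmp_pass(self, icmp: bytes) -> bool:
        if not self.allow_frag_needed:
            return False
        info = parse_frag_needed(icmp)
        return info is not None and (info[1], info[2]) in self.outbound


def pmtu_discovery(firewall, sender="10.0.0.2", peer="192.0.2.9",
                   path_mtu=576, start_mtu=1500, max_tries=4):
    """Inside host sends DF datagrams sized to its current PMTU estimate over a
    path whose narrowest link is path_mtu.  Returns (delivered, final_estimate)."""
    estimate = start_mtu
    for _ in range(max_tries):
        pkt = ipv4_packet(sender, peer, b"\x00" * (estimate - 20))
        firewall.outbound_pass(pkt)
        if len(pkt) <= path_mtu:
            return True, estimate              # fits the bottleneck; delivered
        # A DF datagram cannot be fragmented: the bottleneck router drops it and
        # sends "frag needed" back, which reaches the firewall before the sender.
        icmp = icmp_frag_needed(pkt, path_mtu)
        if not firewall.inbound_icmp_pass(icmp):
            continue                           # black hole: sender just retransmits at the same size
        estimate = parse_frag_needed(icmp)[0]  # RFC 1191: adopt the advertised MTU
    return False, estimate


if __name__ == "__main__":
    print("drop all ICMP:      ", pmtu_discovery(Firewall(allow_frag_needed=False)))
    print("pass frag-needed:   ", pmtu_discovery(Firewall(allow_frag_needed=True)))
```

With inbound ICMP dropped wholesale the sender retransmits 1500-byte DF segments until it gives up and the estimate never moves; with type 3/code 4 admitted it drops to 576 on the first round trip. The practitioner's check on a real packet filter is the same one the `Firewall` class makes: pass inbound ICMP destination-unreachable with code 4 (and, on IPv6, packet-too-big), preferably only when the quoted header matches an existing outbound flow, rather than pass or drop ICMP as a whole.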