Subject: Re: DF strikes again
To: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
From: Andrew Brown <atatat@atatdot.net>
List: current-users
Date: 03/15/2001 14:51:53
>   By the transparency rule, a packet-filtering router acting as a
>   firewall which permits outgoing IP packets with the Don't Fragment
>   (DF) bit set MUST NOT block incoming ICMP Destination Unreachable /
>   Fragmentation Needed errors sent in response to the outbound packets
>   from reaching hosts inside the firewall, as this would break the
>   standards-compliant usage of Path MTU discovery by hosts generating
>   legitimate traffic.

i think the use of "outgoing" and "incoming" here is probably enough
for people to insist that they're not doing anything wrong.  after
all, it says nothing about incoming traffic with the DF bit or
outgoing ICMP messages, which is usually where the problem is.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."
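As an added illustration of the point in this reply (not code from the thread or from any real filter), the toy stateful packet filter below models both cases: the "block all ICMP" policy the quoted rule is aimed at, and a policy that passes Fragmentation Needed errors in either direction when they quote a flow the filter has already passed. All addresses and the Packet/Filter names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ICMP_UNREACH, CODE_FRAG_NEEDED = 3, 4   # Destination Unreachable / Fragmentation Needed

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out", relative to the protected network
    proto: str                      # "tcp" or "icmp"
    src: str
    dst: str
    df: bool = False                # Don't Fragment bit
    icmp: Optional[Tuple[int, int]] = None     # (type, code) for ICMP packets
    quoted: Optional[Tuple[str, str]] = None   # (src, dst) of the datagram an ICMP error quotes

class Filter:
    def __init__(self, pass_frag_needed: bool):
        self.pass_frag_needed = pass_frag_needed   # False models "block all ICMP"
        self.flows = set()          # (src, dst) of datagrams already passed, either direction

    def decide(self, p: Packet) -> str:
        if p.proto != "icmp":
            self.flows.add((p.src, p.dst))
            return "pass"
        if not self.pass_frag_needed:
            return "drop"           # swallows Frag Needed too: PMTU discovery stalls
        # Transparency rule: pass Fragmentation Needed in *either* direction,
        # but only when it quotes a flow this filter has already passed.
        if p.icmp == (ICMP_UNREACH, CODE_FRAG_NEEDED) and p.quoted in self.flows:
            return "pass"
        return "drop"

def frag_needed_verdict(fw, sender, receiver, data_dir, router):
    """One DF datagram sender->receiver, then the Frag Needed error `router`
    sends back to sender (opposite direction); return fw's verdict on the error."""
    fw.decide(Packet(data_dir, "tcp", sender, receiver, df=True))
    err = Packet("in" if data_dir == "out" else "out", "icmp", router, sender,
                 icmp=(ICMP_UNREACH, CODE_FRAG_NEEDED), quoted=(sender, receiver))
    return fw.decide(err)

def pmtud_results(pass_frag_needed: bool) -> dict:
    """Both cases raised in the thread; all addresses are constructed."""
    fw = Filter(pass_frag_needed)
    inside, outside = "10.0.0.5", "198.51.100.7"
    unsolicited = Packet("in", "icmp", "203.0.113.1", inside,
                         icmp=(ICMP_UNREACH, CODE_FRAG_NEEDED), quoted=(inside, "192.0.2.9"))
    return {
        "outbound_df_inbound_icmp": frag_needed_verdict(fw, inside, outside, "out", "203.0.113.1"),
        "inbound_df_outbound_icmp": frag_needed_verdict(fw, outside, inside, "in", "in" and "10.0.0.1"),
        "unsolicited_icmp": fw.decide(unsolicited),   # quotes a flow never seen: still dropped
    }
```

Calling `pmtud_results(False)` drops the error in both directions, while `pmtud_results(True)` passes both legitimate errors and still drops the unsolicited one.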