Add a note that ipfw states do not implicitly match ICMP error messages.

svn path=/head/; revision=176084
2008-02-07 11:00:42 +00:00 · 2008-02-07 11:00:42 +00:00 · 5702f0f0a5 · 2020-12-20 02:59:44 +00:00
commit 5702f0f0a5
parent a00672cff9
1 changed files with 6 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -2711,3 +2711,9 @@ ipfw nat is not compatible with the tcp segmentation offloading
 (TSO). Thus, to reliably nat your network traffic, please disable TSO
 on your NICs using
 .Xr ifconfig 8 .
+.Pp
+ICMP error messages are not implicitly matched by dynamic rules
+for the respective conversations.
+To avoid failures of network error detection and path MTU discovery,
+ICMP error messages may need to be allowed explicitly through static
+rules.