From 5702f0f0a50c5a136d233ee379d71aeba0893325 Mon Sep 17 00:00:00 2001 From: Yaroslav Tykhiy Date: Thu, 7 Feb 2008 11:00:42 +0000 Subject: [PATCH] Add a note that ipfw states do not implicitly match ICMP error messages. --- sbin/ipfw/ipfw.8 | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index 2c175ed020bb..67ed26225d04 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -2711,3 +2711,9 @@ ipfw nat is not compatible with the tcp segmentation offloading (TSO). Thus, to reliably nat your network traffic, please disable TSO on your NICs using .Xr ifconfig 8 . +.Pp +ICMP error messages are not implicitly matched by dynamic rules +for the respective conversations. +To avoid failures of network error detection and path MTU discovery, +ICMP error messages may need to be allowed explicitly through static +rules.
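Review bot: The added paragraph at the end of the hunk ("ICMP error messages may need to be allowed explicitly through static rules") says what to do but not how: it names no ICMP types and does not point to the rule option that selects them. Consider naming the errors behind the two failures it mentions (destination unreachable, which carries the fragmentation-needed code that path MTU discovery depends on, and time exceeded) and referring to the icmptypes option, so that a reader does not respond by allowing all ICMP. The paragraph is also appended directly after the TSO note about ipfw nat. The .Pp separates the two, but a short lead such as "When dynamic rules are used," would make clear that this is a separate limitation of stateful rules and not of nat.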