Add a note that ipfw states do not implicitly match ICMP error messages.

2008-02-07 11:00:42 +00:00 · 2008-02-07 11:00:42 +00:00 · 7d4cb18f11
commit 7d4cb18f11
parent efcf10f47b
1 changed files with 6 additions and 0 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -2711,3 +2711,9 @@ ipfw nat is not compatible with the tcp segmentation offloading
 (TSO). Thus, to reliably nat your network traffic, please disable TSO
 on your NICs using
 .Xr ifconfig 8 .
+.Pp
+ICMP error messages are not implicitly matched by dynamic rules
+for the respective conversations.
+To avoid failures of network error detection and path MTU discovery,
+ICMP error messages may need to be allowed explicitly through static
+rules.