Add a note that ipfw states do not implicitly match ICMP error messages.

author: yar <yar@FreeBSD.org> 2008-02-07 11:00:42 +0000
committer: yar <yar@FreeBSD.org> 2008-02-07 11:00:42 +0000
commit: 7d4cb18f1121718e503b4d3a9d8f524a29f238ff (patch)
tree: 23a8b53fa85af1225910b96bb8276510edeeeab3 /sbin/ipfw/ipfw.8
parent: efcf10f47baa709a11c4c4c07dfe44573aa4f0f6 (diff)
download: FreeBSD-src-7d4cb18f1121718e503b4d3a9d8f524a29f238ff.zip
FreeBSD-src-7d4cb18f1121718e503b4d3a9d8f524a29f238ff.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8
index 2c175ed..67ed262 100644
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@@ -2711,3 +2711,9 @@ ipfw nat is not compatible with the tcp segmentation offloading
 (TSO). Thus, to reliably nat your network traffic, please disable TSO
 on your NICs using
 .Xr ifconfig 8 .
+.Pp
+ICMP error messages are not implicitly matched by dynamic rules
+for the respective conversations.
+To avoid failures of network error detection and path MTU discovery,
+ICMP error messages may need to be allowed explicitly through static
+rules.
author	yar <yar@FreeBSD.org>	2008-02-07 11:00:42 +0000
committer	yar <yar@FreeBSD.org>	2008-02-07 11:00:42 +0000
commit	7d4cb18f1121718e503b4d3a9d8f524a29f238ff (patch)
tree	23a8b53fa85af1225910b96bb8276510edeeeab3 /sbin/ipfw/ipfw.8
parent	efcf10f47baa709a11c4c4c07dfe44573aa4f0f6 (diff)
download	FreeBSD-src-7d4cb18f1121718e503b4d3a9d8f524a29f238ff.zip FreeBSD-src-7d4cb18f1121718e503b4d3a9d8f524a29f238ff.tar.gz