New Zealand ADSL Mailing List


Re: Routing AT

From: Ian Batterbee <ian.batterbee_at_aut.ac.nz>
Date: Sat, 22 Feb 2003 13:38:36 +1300
Message-ID: <3E56C68C.1090406@aut.ac.nz>

(Sorry about being a bit off-topic - I think the bit about not blocking
icmp type 3 may be of use to the list)

> Isn't ping ICMP ?
>
> [dantheperson@danski dantheperson]$ ping waitaki.otago.ac.nz
> PING waitaki.otago.ac.nz (139.80.75.140) from 192.168.1.2 : 56(84) bytes
> of data.
>
Indeed. Obviously they let some stuff through.

What I was referring to specifically was ICMP type 3 (destination
unreachable), message 4 (DF set, but fragmentation required). We've had
staff on the far side of a GRE tunnel being unable to ftp to ftp servers
at Otago due to those ICMP messages never being allowed through (or back
from) the ftp server. This means that any full length packets (i.e.,
anything over 1476 bytes) get dropped. Unless path mtu blackhole
detection happens to work, the ftp fails.

It's nearly always a bad idea to block icmp type 3, since it is needed
whenever there is a section in the path that has a lower MTU than at the
end points.

> As of last november they do block all incoming traffic unless you
> specifically request your machine be excluded from the block. So this
> could be a problem for you if the machine is indeed at the university
> and no one has requested ITS to allow incoming traffic for your ASIP
> server.

The FTP server above allowed the initial connections to ftp-data and
ftp-control, but as soon as the first full-size packet went through, it
failed.

Anyway, that was a few months ago, and the user was going to follow it
up themselves with Otago, so I don't know what happened with it.

Received on Sat Feb 22 13:38:57 2003
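
The failure described in this message, as an added example that is not part of the original post: a Python simulation of a sender with DF set crossing a hop with MTU 1476, with ICMP type 3 delivered and with it filtered. The message layout follows RFC 1191; the function names, the three-hop path, the 576-byte small packet and the quoted-header bytes are assumptions constructed for illustration.

```python
import struct

def inet_checksum(data):
    """RFC 1071 Internet checksum over an even- or odd-length byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu, quoted):
    """ICMP type 3 code 4 per RFC 1191: type, code, checksum, unused, next-hop MTU,
    then the offending packet's IP header plus its first 8 payload bytes."""
    msg = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def parse_frag_needed(msg):
    """Return the next-hop MTU, or None if msg is not a valid type 3 code 4."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return None
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return mtu if (icmp_type, code) == (3, 4) else None

def send_with_df(size, path_mtus, pmtu, type3_blocked, max_tries=5):
    """Simulate one DF-set packet with retransmits. Returns (delivered, final_pmtu)."""
    for _ in range(max_tries):
        seg = min(size, pmtu)
        bottleneck = next((m for m in path_mtus if m < seg), None)
        if bottleneck is None:
            return True, pmtu          # fits every hop
        reply = build_frag_needed(bottleneck, b"\x45" + bytes(27))  # constructed quote
        if type3_blocked:
            continue                   # filter ate the ICMP error: sender retries same size
        pmtu = parse_frag_needed(reply)  # sender lowers its path MTU estimate
    return False, pmtu

PATH = [1500, 1476, 1500]  # constructed path: Ethernet, GRE tunnel, Ethernet

if __name__ == "__main__":
    for blocked in (False, True):
        for size in (576, 1500):
            print(blocked, size, send_with_df(size, PATH, 1500, blocked))
```

With type 3 filtered, the small packet still gets through while the 1500-byte packet is never delivered, which is the pattern of a connection that opens normally and stalls on the first full-size packet.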
