Disadvantages of sending ICMP error packets, Configuration procedure, Setting the packet forwarding mode – H3C Technologies H3C SecPath F1000-E User Manual
• When forwarding a packet, if the MTU of the sending interface is smaller than the packet and the packet has the Don't Fragment (DF) bit set, the firewall sends the source a "fragmentation needed and DF set" ICMP error packet.
Disadvantages of sending ICMP error packets
Sending ICMP error packets facilitates network control and management, but it has the following disadvantages:
• It increases network traffic.
• A device's performance degrades if it receives a large number of malicious packets that cause it to respond with ICMP error packets.
• A host's performance degrades if ICMP redirects increase the size of its routing table.
• End users are affected when malicious users trigger ICMP destination unreachable packets that are sent to them.
To prevent such problems, keep sending of ICMP error packets disabled on the firewall (this is the default for all three types described below).
Configuration procedure
To enable sending of ICMP error packets:

Step  Task                                                 Command                  Remarks
1.    Enter system view.                                   system-view              N/A
2.    Enable sending of ICMP redirect packets.             ip redirects enable      Disabled by default.
3.    Enable sending of ICMP timeout packets.              ip ttl-expires enable    Disabled by default.
4.    Enable sending of ICMP destination unreachable       ip unreachables enable   Disabled by default.
      packets.
NOTE:
When sending ICMP timeout packets is disabled, the firewall will not send "TTL timeout" ICMP error
packets. However, "reassembly timeout" error packets will be sent normally.
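The following CLI session is an added example, not taken from the H3C manual. It walks through the procedure above, checks which of the three ICMP error types are enabled, and then returns the firewall to the hardened default (all three disabled). The prompt name "Firewall", the undo forms of the commands, and the display | include filter are assumptions based on common Comware CLI conventions; the output shown after the display command is what you should expect if the three enable commands took effect, and it is constructed here rather than captured from a device.

```text
# Added example (assumed Comware CLI conventions), not from the H3C manual.
<Firewall> system-view
[Firewall] ip redirects enable
[Firewall] ip ttl-expires enable
[Firewall] ip unreachables enable
# Verify: only the three enable lines should match (constructed expected output).
[Firewall] display current-configuration | include "ip (redirects|ttl-expires|unreachables) enable"
 ip redirects enable
 ip ttl-expires enable
 ip unreachables enable
# Hardened state for an Internet-facing firewall: return to the default, in
# which none of the three ICMP error types is sent (undo forms assumed).
[Firewall] undo ip redirects enable
[Firewall] undo ip ttl-expires enable
[Firewall] undo ip unreachables enable
# Re-run the same display command; it should now return no lines.
[Firewall] display current-configuration | include "ip (redirects|ttl-expires|unreachables) enable"
[Firewall] quit
<Firewall> save
```

Enable a given type only where it is needed (for example, ip unreachables enable on an internal interface-facing firewall where path MTU discovery must work for DF-set traffic), and remember that "reassembly timeout" errors are still sent regardless of the ip ttl-expires setting.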
Setting the packet forwarding mode
The device supports the following packet forwarding modes:
• per-flow—Packets of a flow are forwarded in sequence. Use this forwarding mode if the services require packets to arrive in sequence.
• per-packet—Packets of a flow may be forwarded out of order.
To set the packet forwarding mode:

Step  Task                 Command       Remarks
1.    Enter system view.   system-view   N/A