
Re: redhat-config-securitylevel vs redhat-config-firewall?



> My understanding is that RELATED should catch and allow all ICMP error
> messages "related" to current, valid connections. This included ICMP
> "need to fragment" messages.

ICMP messages can arise from midstream routers. In that situation you can't
do useful filtering really. It's a problem for ipsec where the router is
untrusted by the security policy yet to ignore it might lose your
connection.
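
An added illustration, not part of the original message and not netfilter's code: a simplified model of how a stateful filter can tie an ICMP error to a tracked connection through the header embedded in the error, while the packet's own source address is the midstream router. The addresses, ports, connection table and function names are constructed for the example.

```python
import socket
import struct

# ICMP types that carry an embedded copy of the offending packet
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4(src, dst, proto, payload):
    """Minimal IPv4 packet, no options, checksum left zero (constructed sample)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def classify(packet, conn_table):
    """Return (state, outer_src, inner_tuple) for an incoming IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    outer_src = socket.inet_ntoa(packet[12:16])
    icmp = packet[ihl:]
    if packet[9] != 1 or len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return ("NOT_ICMP_ERROR", outer_src, None)
    inner = icmp[8:]  # embedded original IP header + first 8 payload bytes
    if len(inner) < 20:
        return ("INVALID", outer_src, None)
    inner_ihl = (inner[0] & 0x0F) * 4
    if len(inner) < inner_ihl + 4:
        return ("INVALID", outer_src, None)
    sport, dport = struct.unpack("!HH", inner[inner_ihl:inner_ihl + 4])
    key = (inner[9], socket.inet_ntoa(inner[12:16]), sport,
           socket.inet_ntoa(inner[16:20]), dport)
    # The decision rests on the embedded tuple only; outer_src plays no part.
    return ("RELATED" if key in conn_table else "INVALID", outer_src, key)

# Constructed sample: one tracked TCP connection and a router on the path
CLIENT, SERVER, ROUTER = "192.0.2.10", "198.51.100.20", "203.0.113.1"
CONNS = {(6, CLIENT, 40000, SERVER, 443)}

def frag_needed(sport, mtu=1400):
    """ICMP type 3 code 4 from ROUTER quoting a CLIENT -> SERVER TCP segment."""
    tcp8 = struct.pack("!HHI", sport, 443, 1)  # ports + sequence number
    quoted = ipv4(CLIENT, SERVER, 6, tcp8)
    icmp = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + quoted
    return ipv4(ROUTER, CLIENT, 1, icmp)

if __name__ == "__main__":
    print(classify(frag_needed(40000), CONNS))  # quotes the tracked flow
    print(classify(frag_needed(40001), CONNS))  # quotes an unknown flow
```

The first packet is accepted as RELATED even though its source, the router, is neither endpoint of the connection, so a source-address rule cannot separate it from any other sender that quotes a valid tuple.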



