ICMP Firewall Rules

Archived from groups: comp.security.firewalls (More info?)

I have always been uncertain how to set firewall rules for ICMP.
Sure could use some help. Which of the following should be:
(1) allowed incoming (2) allowed outgoing (3) allowed both
incoming and outgoing.
ICMP 0 echo reply
ICMP 8 echo request
ICMP 3 destination unreachable
ICMP 10 router solicitation
ICMP 11 time exceeded for datagram

Are there any others that should be added to the list?
Thanks
casey
  1.

    In article <MPG.1b033383852cd9af98971f@news.west.earthlink.net>,
    casey@nosuch.net says...
    >
    > I have always been uncertain how to set firewall rules for ICMP.
    > Sure could use some help. Which of the following should be:
    > (1) allowed incoming (2) allowed outgoing (3) allowed both
    > incoming and outgoing.
    > ICMP 0 echo reply
    > ICMP 8 echo request
    > ICMP 3 destination unreachable
    > ICMP 10 router solicitation
    > ICMP 11 time exceeded for datagram
    >
    > Are there any others that should be added to the list?
    > Thanks
    > casey
    >
    Generally all you need to do is Allow 0, 11 In. And 8 Out. Some people
    also allow 3 In/Out but there seems to be a lot of disagreement on this.
    I currently deny 3 in both directions. That could be wrong though...
    --
    Kerodo
  2.

    On Wed, 5 May 2004 16:43:20 -0700, Kerodo
    <kerodo~nospam~kenny@hotmail.com> wrote:

    >In article <MPG.1b033383852cd9af98971f@news.west.earthlink.net>,
    >casey@nosuch.net says...
    >>
    >> I have always been uncertain how to set firewall rules for ICMP.
    >> Sure could use some help. Which of the following should be:
    >> (1) allowed incoming (2) allowed outgoing (3) allowed both
    >> incoming and outgoing.
    >> ICMP 0 echo reply
    >> ICMP 8 echo request
    >> ICMP 3 destination unreachable
    >> ICMP 10 router solicitation
    >> ICMP 11 time exceeded for datagram
    >>
    >> Are there any others that should be added to the list?
    >> Thanks
    >> casey
    >>
    >Generally all you need to do is Allow 0, 11 In. And 8 Out. Some people
    >also allow 3 In/Out but there seems to be a lot of disagreement on this.
    >I currently deny 3 in both directions. That could be wrong though...


    I may be wrong too ... but I found I had more ping traffic by allowing
    3 out ...
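
Kerodo's rule of thumb (0 and 11 in, 8 out, 3 left as the open question), written out as a direction-aware filter over raw ICMP messages. This is an added example, not code from the thread: `BASE_POLICY`, `build_icmp`, `decide`, `report` and the `allow_type3` switch are names made up for illustration, the sample messages are constructed, and denying messages that are truncated or fail the checksum is an assumption of this example.

```python
import struct

# Kerodo's policy from the thread: types 0 and 11 inbound, type 8 outbound.
# Type 3 is the disputed one, so it is a switch here (default: denied both ways).
BASE_POLICY = {"in": {0, 11}, "out": {8}}
NAMES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
         10: "router solicitation", 11: "time exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over the ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int = 0, body: bytes = b"\x00" * 4) -> bytes:
    """Construct a sample ICMP message: type, code, checksum, rest of header."""
    header = struct.pack("!BBH", icmp_type, code, 0)
    csum = inet_checksum(header + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body

def decide(direction: str, message: bytes, allow_type3: bool = False) -> str:
    """Return 'allow' or 'deny' for one ICMP message crossing the firewall."""
    if len(message) < 8 or inet_checksum(message) != 0:
        return "deny"                      # truncated or corrupted message
    icmp_type = message[0]
    allowed = set(BASE_POLICY[direction])
    if allow_type3:
        allowed.add(3)                     # the "3 In/Out" variant some people use
    return "allow" if icmp_type in allowed else "deny"

def report(allow_type3: bool = False) -> dict:
    """Verdict for every type on casey's list, in both directions."""
    return {(d, t): decide(d, build_icmp(t), allow_type3)
            for d in ("in", "out") for t in NAMES}

if __name__ == "__main__":
    for (d, t), verdict in report().items():
        print(f"{d:3} type {t:2} {NAMES[t]:24} {verdict}")
```

Calling `report(allow_type3=True)` shows the only difference between the two positions in the thread: type 3 flips to allowed in both directions and nothing else changes.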