Sign in with
Sign up | Sign in
Your question

ICMP Firewall Rules

Last response: in Networking
Share
May 6, 2004 3:24:47 AM

Archived from groups: comp.security.firewalls (More info?)

I have always been uncertain how to set firewall rules for ICMP.
Sure could use some help. Which of the following should be:
(1) allowed incoming (2) allowed outgoing (3) allowed both
incoming and outgoing.
ICMP 0 echo reply
ICMP 8 echo request
ICMP 3 destination unreachable
ICMP 10 router solicitation
ICMP 11 time exceeded for datagram

Are there any others that should be added to the list?
Thanks
casey

More about : icmp firewall rules

Anonymous
a b 8 Security
May 6, 2004 3:24:48 AM

Archived from groups: comp.security.firewalls (More info?)

In article <MPG.1b033383852cd9af98971f@news.west.earthlink.net>,
casey@nosuch.net says...
>
> I have always been uncertain how to set firewall rules for ICMP.
> Sure could use some help. Which of the following should be:
> (1) allowed incoming (2) allowed outgoing (3) allowed both
> incoming and outgoing.
> ICMP 0 echo reply
> ICMP 8 echo request
> ICMP 3 destination unreachable
> ICMP 10 router solicitation
> ICMP 11 time exceeded for datagram
>
> Are there any others that should be added to the list?
> Thanks
> casey
>
Generally all you need to do is Allow 0, 11 In. And 8 Out. Some people
also allow 3 In/Out but there seems to be alot of disagreement on this.
I currently deny 3 in both directions. That could be wrong though...
--
Kerodo
Anonymous
a b 8 Security
May 6, 2004 4:02:13 AM

Archived from groups: comp.security.firewalls (More info?)

On Wed, 5 May 2004 16:43:20 -0700, Kerodo
<kerodo~nospam~kenny@hotmail.com> wrote:

>In article <MPG.1b033383852cd9af98971f@news.west.earthlink.net>,
>casey@nosuch.net says...
>>
>> I have always been uncertain how to set firewall rules for ICMP.
>> Sure could use some help. Which of the following should be:
>> (1) allowed incoming (2) allowed outgoing (3) allowed both
>> incoming and outgoing.
>> ICMP 0 echo reply
>> ICMP 8 echo request
>> ICMP 3 destination unreachable
>> ICMP 10 router solicitation
>> ICMP 11 time exceeded for datagram
>>
>> Are there any others that should be added to the list?
>> Thanks
>> casey
>>
>Generally all you need to do is Allow 0, 11 In. And 8 Out. Some people
>also allow 3 In/Out but there seems to be alot of disagreement on this.
>I currently deny 3 in both directions. That could be wrong though...


I may be wrong too ... but I found I had more ping traffic by allowing
3 out ...
!