ICMP Packets.

Bennett Todd bet@rahul.net
Tue, 2 Jun 1998 07:47:54 -0700


> 1998-06-01 Toddb:
> > . . .Is there a list of ICMP message types that are needed
> > as opposed to ones that are just used for troubleshooting
> > (like echo, echo-reply) that can be blocked without
> > problems.
> 
> Forget the list . . . as it has been said by MANY that have
> said it before, if you don't need it, block it, both ways.

So he asked for the list of ICMP message types that _are_ needed, and
gave an example ``packet-too-big'' (in part of the text you didn't
quote). There are some ICMP packets that you do need to let in, lest
path MTU discovery break (and maybe some other things?).

I am also interested in the answer to this question: what ICMP packet
types do you need to allow through the filters, to help ensure that
other protocols work right?

I'm rassling with this right now myself; I'm trying to craft up a set of
ipfilter rules that are as utterly strict as possible; I'm hoping for a
baseline bastion host config where everything is allowed out, but
initially the only thing allowed in is port 22/tcp (ssh) on the inside
interface only. I've basically got that right. But my current baseline
isn't allowing in any ICMP at all, and I expect there are some subtle
things that will break in the future if I don't relax that a bit, and
I'd love to know exactly what I need to let in, and why.

-Bennett