ICMP Packets. I think stopping ICMP is, in general, a very bad idea. Among other things, you totally screw up Path MTU discovery, and you make it hard to trace network problems. The Path MTU breakage is especially bad -- it will, among other things, impact your network performance.

Steve Bellovin smb@research.att.com
Wed, 03 Jun 1998 10:01:09 -0400


In fact, it's not at all clear to me that Path MTU helps performance
(see subsection 'Big Packets or Small' of section 24.2 of Stevens
Vol. I for a summary of my arguments).  But that isn't the real
point -- the real point is that blocking Path MTU messages can break
connectivity.

Assume that you're sending large packets towards some endpoint, with
the DF bit on (per the Path MTU spec).  If the packet size exceeds
the MTU of some link past your firewall, the packet will be discarded
and an ICMP packet returned.  If that packet is blocked, you'll never
be notified, and the connection will fail.  The same argument applies
in the reverse direction, if you block outgoing ICMP messages.  And
the Path MTU problem will become more severe as ipsec is deployed.

On the other hand, there have been problems for years with ICMP
attack programs.  Most of these derive their power from broken host
stacks, that accept ICMP packets without verifying the port number
portions.  There seems to be no good solution (other than application
gateways) other than fixing such broken hosts.