What to do with ICMP traffic?


  1. #1
    Hi mom!
    Join Date
    Aug 2001

    Question What to do with ICMP traffic?

    Inspired by a discussion in this thread.

    A quick recap: ICMP (Internet Control Message Protocol) is used in the IP suite "to provide feedback about problems in the communication environment" (RFC792). Besides providing this useful feedback, the protocol can also be (mis?)used to, for example, map networks and recognise operating systems.

    What should/do you do with ICMP traffic? Block it entirely, partially or not at all? How do the pros and cons of blocking ICMP compare to each other? What do you suggest, and why?
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  2. #2
    Senior Member
    Join Date
    Feb 2004
    Block some of it.

    I let my router forward all ICMP to my own computer. The firewall on my PC only allows it for either the IP of my school, a number of my friends, and inside the network. Everything else is blocked.

    The reason I allow school is because I want to be able to check up on my computer from there. The friends for the same reason, and so they can check up on it for themselves.

    Basically I think ICMP is a good thing. People getting to know my OS isn't really something I think is a problem in my case. And you can always only allow a certain amount of people in...

    If you're admin of an important network or company then things change though.
    Since the beginning of time, Man has searched for the answers to the big questions: 'How did we get here?' 'Is there life after death?' 'Are we alone?' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Rotterdam, Netherlands
    Lots of reasons to block it. Covert channels, ICMP redirects and ICMP broadcast pings are just a few.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Senior Member
    Join Date
    Jan 2002
    Technically I'd say the best approach is to use a stateful firewall and allow any ICMP traffic "related" to other permitted traffic, denying the rest.

    You might also want to allow pings in / out.

    Blocking all ICMP traffic is nasty and will definitely cause some problems for applications - they won't get correct error information.

    TCP connections which are denied by ICMP unreachables will continue to be tried until they time out. The application will get the wrong error message and it will take a lot longer to give up.

    UDP sessions to servers which have gone away will not get unreachables - which means they also will take a lot longer to time out and the applications won't get the right error message.
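
What "related" means in post #4, as an added example that is not part of the original thread: an ICMP error quotes the IP header and first 8 bytes of the datagram that triggered it (RFC 792), so a stateful filter can match that quote against flows it already permitted. This is a simplified model, not any firewall's own code; the function names, the flow and ping tables and the sample addresses are assumptions, and dropping redirects is this example's policy choice.

```python
import socket
import struct

ERROR_TYPES = {3, 11, 12}   # destination unreachable, time exceeded, parameter problem
ECHO_REQUEST, ECHO_REPLY = 8, 0

def embedded_flow(icmp: bytes):
    """Return (proto, src, sport, dst, dport) of the datagram quoted in an ICMP error."""
    inner = icmp[8:]                       # quoted datagram follows the 8-byte ICMP header
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 4:   # the ports are the first 4 transport bytes
        return None
    proto = inner[9]
    if proto not in (socket.IPPROTO_TCP, socket.IPPROTO_UDP):
        return None
    src, dst = socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (proto, src, sport, dst, dport)

def classify_icmp(icmp: bytes, flows: set, pings: set) -> str:
    """Decide ACCEPT/DROP for an inbound ICMP message (bytes start at the ICMP header).
    Checksums are not validated in this model."""
    if len(icmp) < 8:
        return "DROP"
    icmp_type = icmp[0]
    if icmp_type == ECHO_REQUEST:
        return "ACCEPT"                    # policy: allow pings in
    if icmp_type == ECHO_REPLY:            # only replies to pings we sent
        return "ACCEPT" if struct.unpack("!HH", icmp[4:8]) in pings else "DROP"
    if icmp_type in ERROR_TYPES:           # "related": quote must match a tracked flow
        return "ACCEPT" if embedded_flow(icmp) in flows else "DROP"
    return "DROP"                          # redirects, timestamps, everything else

def make_error(icmp_type, code, proto, src, sport, dst, dport):
    """Build a constructed ICMP error quoting an IPv4 header plus 8 transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HHI", sport, dport, 0)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + l4

# Constructed sample state: one permitted outbound TCP flow and one outstanding ping.
FLOWS = {(socket.IPPROTO_TCP, "192.0.2.10", 40000, "198.51.100.5", 443)}
PINGS = {(0x1234, 1)}                      # (identifier, sequence) of echo requests sent
```

An unreachable quoting the tracked flow is accepted, so the application gets its error promptly; the same message quoting an unknown flow, or a redirect quoting a known one, is dropped.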

