Technically I'd say the best approach is to use a stateful firewall and allow any ICMP traffic "related" to other permitted traffic, denying the rest.

You might also want to allow pings in / out.

Blocking all ICMP traffic is nasty and will definitely cause some problems for applications - they won't get correct error information.

TCP connections which are denied by ICMP unreachables will continue to be tried until they time out. The application will get the wrong error message and it will take a lot longer to give up.

UDP sessions to servers which have gone away will not get unreachables - which means they also will take a lot longer to time out and the applications won't get the right error message.

Slarty
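
Added example, not part of the post above: one way to express the policy it recommends (stateful filtering, ICMP accepted only when related to permitted traffic, pings allowed in and out). It assumes a Linux host using nftables for IPv4; the table name `icmp_demo` and the rate limit are constructed for illustration.

```nftables
# Added example (assumptions: Linux nftables, IPv4 only, hypothetical table name).
table ip icmp_demo {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept

        # Replies to flows we opened are "established". ICMP errors that
        # conntrack ties to a tracked flow (destination unreachable,
        # time exceeded, fragmentation needed) are "related". Accepting
        # them lets TCP and UDP clients fail fast with the correct error.
        ct state established,related accept
        ct state invalid drop

        # Pings in, rate limited so echo cannot be used to flood the host.
        icmp type echo-request limit rate 5/second accept

        # Inbound service rules would go here.
        # Everything else, including unsolicited ICMP, falls to policy drop.
    }

    chain output {
        type filter hook output priority 0; policy drop;

        oif "lo" accept

        # Echo replies to accepted pings are "established"; ICMP errors
        # this host generates for tracked flows are "related".
        ct state established,related accept

        # New outbound TCP/UDP connections and pings out.
        meta l4proto { tcp, udp } ct state new accept
        icmp type echo-request accept

        # Any other locally generated ICMP is dropped by policy.
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading the rules.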