Firewall Wizards mailing list archives

RE: Blocking ICMP with ipchains


From: peter.schawacker () citicorp com
Date: Fri, 14 Jan 2000 10:49:51 -0500

How could blocking all ICMP cause a problem?  I have worked with two rather 
large networks that blocked all ICMP at the router level.  Were we just lucky 
not to have any problems?

-----Original Message-----
From: wwebb [mailto:wwebb () adni net]
Sent: Tuesday, January 11, 2000 7:19 PM
To: firewall-wizards
Cc: wwebb
Subject: Blocking ICMP with ipchains


I've heard that it is not wise to block all ICMP operations.  Such 
being the case, which of these ICMP operations are safe to block 
without causing serious problems: 

echo-reply (pong)
destination-unreachable
   network-unreachable
   host-unreachable
   protocol-unreachable
   port-unreachable
   fragmentation-needed
   source-route-failed
   network-unknown
   host-unknown
   network-prohibited
   host-prohibited
   TOS-network-unreachable
   TOS-host-unreachable
   communication-prohibited
   host-precedence-violation
   precedence-cutoff
source-quench
redirect
   network-redirect
   host-redirect
   TOS-network-redirect
   TOS-host-redirect
echo-request (ping)
router-advertisement
router-solicitation
time-exceeded (ttl-exceeded)
   ttl-zero-during-transit
   ttl-zero-during-reassembly
parameter-problem
   ip-header-bad
   required-option-missing
timestamp-request
timestamp-reply
address-mask-request
address-mask-reply

Thanks for any assistance.
