Firewall Wizards mailing list archives

Re: ICMP Packets.


From: "Perry E. Metzger" <perry () piermont com>
Date: Wed, 03 Jun 1998 12:20:28 -0400


"Don Kendrick" writes:
> Agreed on the Path MTU stuff in theory though it really depends what kind
> of traffic is going between the internal and external nets. For one, I'd
> rather deny ICMP and suffer some on performance.

It isn't *just* performance -- you can totally screw up connections
because they never figure out why packets aren't going through. In
some cases, this will completely block your ability to communicate.

There are also other reasons not to block ICMP.

1) Your network becomes an excellent choice when picking network
numbers for SYN flooding third parties.
2) Testing connectivity to your network becomes a bitch and a half.
3) Any connections you make to bad/nonexistent/down hosts take a full
timeout period to be detected instead of being noticed immediately via
UNREACHABLEs, greatly lowering your performance. This can SERIOUSLY
whack mail delivery through your firewall, for example -- I've seen
this happen in practice. Remember, they can't scan you, but you can't
get UNREACHABLEs from the machines YOU are connecting to, either.

I could probably think of more, but these are more than enough.

I'm a firewall fascist -- I build the things to permit only those
things I *know* to be needed, but ICMP is on that list. It makes sense 
to block perhaps certain ICMP messages, but not *all* ICMP.

Perry
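The selective policy Perry describes (permit the ICMP messages that PMTU discovery and fast failure detection depend on, drop the rest), written out as a Linux iptables rule set. This is an added example, not code from the thread or from any of its participants; it assumes a Linux host with iptables and the conntrack match available, uses the placeholder interface name "eth0", and prints the rules rather than applying them so it can be reviewed first.

```shell
#!/bin/sh
# Added example: iptables INPUT rules for the ICMP types a firewall should
# still let through. Hypothetical rule set; "eth0" is a placeholder for the
# external interface.
EXT_IF="${EXT_IF:-eth0}"

# The "block all ICMP" rule the post argues against, shown for contrast.
icmp_block_all_rule() {
    echo "iptables -A INPUT -i $EXT_IF -p icmp -j DROP"
}

# Selective policy: keep the messages that make Path MTU discovery and
# immediate connection failure work, answer pings at a bounded rate, and
# drop every other ICMP type.
icmp_allowlist_rules() {
    # ICMP errors that belong to a connection this side opened; conntrack
    # classifies them as RELATED, so they are accepted first.
    echo "iptables -A INPUT -i $EXT_IF -p icmp -m conntrack --ctstate RELATED -j ACCEPT"
    # Path MTU discovery: "fragmentation needed" (type 3, code 4). This is a
    # subtype of destination-unreachable, so the next rule also covers it;
    # listing it separately makes the intent visible in the rule dump.
    echo "iptables -A INPUT -i $EXT_IF -p icmp --icmp-type fragmentation-needed -j ACCEPT"
    # Host/net/port unreachable: lets connects to dead hosts fail at once
    # instead of waiting out the full TCP timeout.
    echo "iptables -A INPUT -i $EXT_IF -p icmp --icmp-type destination-unreachable -j ACCEPT"
    # Needed for traceroute and for noticing routing loops.
    echo "iptables -A INPUT -i $EXT_IF -p icmp --icmp-type time-exceeded -j ACCEPT"
    # Let outside parties test connectivity, but rate-limit the requests.
    echo "iptables -A INPUT -i $EXT_IF -p icmp --icmp-type echo-request -m limit --limit 5/s --limit-burst 10 -j ACCEPT"
    # Everything else ICMP (redirects, timestamp requests, ...) is dropped.
    echo "iptables -A INPUT -i $EXT_IF -p icmp -j DROP"
}

# Number of ACCEPT rules in the selective policy, for a quick sanity check.
icmp_allowlist_accept_count() {
    icmp_allowlist_rules | grep -c -- '-j ACCEPT'
}

# Print the rules; pipe the output into "sudo sh" to apply them.
icmp_allowlist_rules
```

The ordering matters: the RELATED rule comes first so that error messages tied to existing connections are never caught by the final DROP, and the echo-request rule sits before that DROP so that the limit match, not the default, decides how many pings get answered.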


