ICMP type 3 is necessary for path MTU discovery to work correctly. It should be enabled inbound to get top efficiency from your tweaked broadband connection. Normally, you will also allow your machine to ping another machine, but not to accept or reply to pings from other machines. To be able to ping out but not be pinged, we allow type 8, echo request, to go outbound. We allow type 0, echo reply, inbound. Type 11 allows us to receive "time exceeded" messages to support traceroutes, etc.
The other types are normally not absolutely necessary to get a working connection. If you choose to enable other types, remember that, for the most part, you don't mind sending (outbound) "requests" or receiving (inbound) "replies," but you don't want to be sending replies outbound yourself unless absolutely necessary. An exception would be if you wanted to be pingable, in which case you would enable types 0 and 8 on both your ICMP inbound and your ICMP outbound rules.
Finally, the typical install requires precisely two (2) rules to handle ICMP properly: an allow in and an allow out. Any ICMP packet that does not match the types you've picked in either allow rule falls through to the rules below for further processing and, if it reaches the end of the rules unmatched, will be blocked with a prompt or dropped. The usual position for this pair would be directly below loopback and any LAN rules.
Generally, the following will permit enough ICMP for an average installation, allowing outbound ping and path MTU discovery/connection-related traffic:
Rule name          Action  Direction        Protocol  ICMP types    Logging
ICMP allowed in    allow   IN               ICMP      0, 3, 11      nolog, noalert
ICMP allowed out   allow   OUT              ICMP      3, 8          nolog, noalert

Optional third rule, which drops all ICMP not allowed above (it prevents unnecessary pop-ups asking for action on packets that can almost always be safely dropped):

Deny any ICMP      deny    BOTH DIRECTIONS  ICMP      "select all"  nolog, noalert [normally, for blocking; may log if desired]
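The rule set above modelled as first-match evaluation, so the effect of rule order, the optional deny rule and the "pingable" variant from the text can be checked against sample packets. This is an added illustration, not the FAQ's or any firewall product's code; the Rule class, evaluate() function and the sample packets are assumptions of the example.

```python
from dataclasses import dataclass

# ICMP type numbers named on the page.
ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ANY_TYPE = None  # stands in for the firewall's "select all" type choice

@dataclass(frozen=True)
class Rule:
    name: str
    action: str      # "allow" or "deny"
    direction: str   # "IN", "OUT" or "BOTH"
    types: object    # frozenset of ICMP types, or ANY_TYPE to match every type

# The two-rule policy from the text: ping out, receive replies, accept
# destination-unreachable (PMTUD) and time-exceeded, never answer pings.
DEFAULT_POLICY = [
    Rule("ICMP allowed in", "allow", "IN", frozenset({ECHO_REPLY, DEST_UNREACHABLE, TIME_EXCEEDED})),
    Rule("ICMP allowed out", "allow", "OUT", frozenset({DEST_UNREACHABLE, ECHO_REQUEST})),
]
# Optional third rule: silently drop everything else instead of prompting.
DENY_REST = Rule("Deny any ICMP", "deny", "BOTH", ANY_TYPE)
# Variant for a host that should also answer pings: types 0 and 8 both ways.
PINGABLE_POLICY = [
    Rule("ICMP allowed in", "allow", "IN", frozenset({ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED})),
    Rule("ICMP allowed out", "allow", "OUT", frozenset({ECHO_REPLY, DEST_UNREACHABLE, ECHO_REQUEST})),
]

def evaluate(rules, direction, icmp_type):
    """First-match evaluation, top to bottom, like the firewall's rule list.
    Returns (verdict, matching rule name); a packet matching no rule reaches the
    end unmatched, reported here as "prompt" (the block-and-ask the text describes)."""
    for rule in rules:
        if rule.direction not in (direction, "BOTH"):
            continue
        if rule.types is ANY_TYPE or icmp_type in rule.types:
            return rule.action, rule.name
    return "prompt", None

if __name__ == "__main__":
    # Constructed sample packets: (direction, ICMP type, what it is).
    samples = [("OUT", ECHO_REQUEST, "our outgoing ping"), ("IN", ECHO_REPLY, "reply to our ping"),
               ("IN", DEST_UNREACHABLE, "fragmentation-needed for PMTUD"),
               ("IN", TIME_EXCEEDED, "hop reply during traceroute"),
               ("IN", ECHO_REQUEST, "someone pinging us"), ("OUT", ECHO_REPLY, "us answering a ping")]
    for label, policy in [("default", DEFAULT_POLICY), ("default+deny", DEFAULT_POLICY + [DENY_REST]),
                          ("pingable", PINGABLE_POLICY)]:
        for direction, icmp_type, what in samples:
            verdict, rule = evaluate(policy, direction, icmp_type)
            print(f"{label:13} {direction:3} type {icmp_type:2} ({what}): {verdict} via {rule}")
```

With the default policy an inbound echo request matches neither allow rule and falls through to the prompt; adding the deny rule turns that into a silent drop without changing any of the allowed traffic.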
by gwion, edited by JMGullett; last modified: 2007-06-29 15:28:32