Should I Block ICMP?

https://news.ycombinator.com/rss Hits: 2
Summary

Should I block ICMP? No!!

The Problem

Many network administrators feel that ICMP is a security risk, and should therefore always be blocked at the firewall. It is true that ICMP does have some security issues associated with it, and that a lot of ICMP should be blocked. But this is no reason to block all ICMP traffic! ICMP has many important features; some are useful for troubleshooting, while some are essential for a network to function correctly. Here are details of some of the important ICMP traffic that you should know about, and consider allowing through your network.

Echo Request and Echo Reply

IPv4 - Echo Request (Type 8, Code 0) and Echo Reply (Type 0, Code 0)
IPv6 - Echo Request (Type 128, Code 0) and Echo Reply (Type 129, Code 0)

We all know these ones - ping is one of the first troubleshooting tools that we all learn. Yes, if you enable it, it means that your host is now discoverable - but wasn't your web server already listening on port 80 anyway? Sure, block this if you really want at your border to your DMZ, but blocking ping traffic inside your network isn't going to get you much, except harder troubleshooting ("Can you ping your default gateway?", "No, but I never can, so that doesn't tell me anything!"). Remember you can also allow this with a given direction in mind; you could decide to let Echo Requests out from your network to the Internet, and Echo Replies from the Internet to your network, but not vice versa.

Fragmentation Needed (IPv4) / Packet Too Big (IPv6)

IPv4 - (Type 3, Code 4)
IPv6 - (Type 2, Code 0)

These ones are important. VERY important. They are an essential component in Path MTU Discovery (PMTUD), which is an essential part of TCP that allows two hosts to adjust their TCP Maximum Segment Size (MSS) value to one that will fit in the smallest MTU along the path of links between the two hosts.
If two hosts have a smaller MTU than their own local link on the path between them, and have no means of discovering this, traffic gets silently black-hole...
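The policy the summary describes (always pass the PMTUD messages, pass Echo Request outbound and Echo Reply inbound only, drop the rest), as an added example that is not from the original post: it parses a raw ICMP/ICMPv6 header to get type and code, pulls the next-hop MTU out of the PMTUD messages (RFC 1191 / RFC 4443 field offsets), and returns a verdict. The "in"/"out" direction labels and the sample headers are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# (type, code) pairs named in the post
ICMPV4_ECHO_REQUEST, ICMPV4_ECHO_REPLY, ICMPV4_FRAG_NEEDED = (8, 0), (0, 0), (3, 4)
ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY, ICMPV6_PACKET_TOO_BIG = (128, 0), (129, 0), (2, 0)

@dataclass
class Verdict:
    action: str                 # "allow" or "drop"
    reason: str
    mtu: Optional[int] = None   # next-hop MTU carried by a PMTUD message, if any

def parse_icmp(version: int, header: bytes) -> Tuple[int, int, Optional[int]]:
    """Return (type, code, mtu) from the first 8 bytes of an ICMP/ICMPv6 message.
    RFC 1191: Fragmentation Needed carries the next-hop MTU in bytes 6-7.
    RFC 4443: Packet Too Big carries the MTU in bytes 4-7."""
    if len(header) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, icmp_code = header[0], header[1]
    mtu = None
    if version == 4 and (icmp_type, icmp_code) == ICMPV4_FRAG_NEEDED:
        mtu = struct.unpack("!H", header[6:8])[0]
    elif version == 6 and (icmp_type, icmp_code) == ICMPV6_PACKET_TOO_BIG:
        mtu = struct.unpack("!I", header[4:8])[0]
    return icmp_type, icmp_code, mtu

def evaluate(version: int, direction: str, header: bytes) -> Verdict:
    """direction is 'out' (our network -> Internet) or 'in' (Internet -> our network)."""
    icmp_type, icmp_code, mtu = parse_icmp(version, header)
    if version == 4:
        pmtud, req, rep = ICMPV4_FRAG_NEEDED, ICMPV4_ECHO_REQUEST, ICMPV4_ECHO_REPLY
    elif version == 6:
        pmtud, req, rep = ICMPV6_PACKET_TOO_BIG, ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY
    else:
        raise ValueError("IP version must be 4 or 6")
    key = (icmp_type, icmp_code)
    if key == pmtud:                       # essential for PMTUD: pass in both directions
        return Verdict("allow", "pmtud", mtu)
    if key == req and direction == "out":  # ping out only
        return Verdict("allow", "echo-request outbound")
    if key == rep and direction == "in":   # replies back in only
        return Verdict("allow", "echo-reply inbound")
    return Verdict("drop", f"type {icmp_type} code {icmp_code} {direction}")

# Constructed sample headers (checksums zeroed, not real captures)
FRAG_NEEDED_V4 = bytes([3, 4, 0, 0, 0, 0]) + struct.pack("!H", 1400)
PACKET_TOO_BIG_V6 = bytes([2, 0, 0, 0]) + struct.pack("!I", 1280)
ECHO_REQUEST_V4 = bytes([8, 0, 0, 0, 0, 1, 0, 1])
REDIRECT_V4 = bytes([5, 0, 0, 0, 0, 0, 0, 0])  # type 5, not on the allow list
```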

First seen: 2025-05-22 00:22

Last seen: 2025-05-22 01:23