25

Searching around I haven't been able to determine the best practice for ICMP on a firewall.

For example, on a Cisco ASA, would it be safe and recommended to allow ICMP from any if ICMP inspection is enabled? This would then allow things like type 3 unreachables to make it back to the clients.

Adam

1 Answer

32

No, ICMP should not be blocked. It's a vital signalling protocol. The Internet does not function without it.

PMTUD is broken if you drop ICMP.

IPv6 does not even begin to work without ICMP, as L3 to L2 address resolution (ARP in IPv4) is riding on top of ICMP in IPv6.

Also, troubleshooting will take longer if ICMP echos are dropped. Alas, often the FW people's train of thought appears to be 'when in doubt, drop'.

You use a FW because your inside network has services not requiring auth, or unmanaged hosts running vulnerable software. ICMP really is not a practical attack vector.

ytti
  • I agree dropping all ICMP on the network is not a good idea. Just saying ICMPv6 (proto 58) is different from ICMP (proto 1). Dropping ICMP on the firewall does not affect IPv6 functionality, unless ICMPv6 is explicitly dropped as well? – sdaffa23fdsf Jun 26 '13 at 13:50
  • Yes, ICMPv6 is different. It'll depend on your firewall though whether "drop all ICMP" includes ICMPv6. Usually it doesn't; IPv6 rules are separate from IPv4 ones. –  Jun 26 '13 at 15:21
  • Are you recommending that *all* ICMP be allowed through or just types like unreachables, time-exceeded, and traceroute to name a few? – generalnetworkerror Jun 27 '13 at 02:54
  • I personally allow them all; I've not heard of an ICMP attack vector (but I'm biased, I'm very anti-FW). The minimum set I'd recommend is: destination unreachable, time exceeded, parameter problem, echo, echo-reply, timestamp, timestamp-reply (great for measuring unidirectional latency at 1ms precision). – ytti Jun 27 '13 at 06:32
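The answer and its comments argue that a firewall should at least pass destination-unreachable (PMTUD depends on type 3 code 4), time-exceeded, parameter-problem, echo/echo-reply and timestamp/timestamp-reply, and that ICMPv6 carries Neighbor Discovery and Packet Too Big. The script below is an added example, not code from the thread or from any vendor: it encodes those minimum sets and audits netfilter-style LOG lines (the `PROTO=`, `TYPE=`, `CODE=` fields written by the Linux iptables/nftables LOG target) to report which dropped ICMP messages would break PMTUD or Neighbor Discovery. The log lines, the `FW-DROP:` prefix and the addresses are constructed for the example; the log prefix and field layout are an assumption about how your firewall logs drops.

```python
"""Audit firewall drop logs for ICMP messages that should not be blocked."""
import re
from collections import Counter

# ICMPv4 types (RFC 792) the answer recommends permitting at minimum.
ICMPV4_ESSENTIAL = {
    0: "echo-reply",
    3: "destination-unreachable",  # code 4 "fragmentation needed" drives PMTUD
    8: "echo-request",
    11: "time-exceeded",           # traceroute and TTL-loop detection
    12: "parameter-problem",
    13: "timestamp",
    14: "timestamp-reply",
}

# ICMPv6 types (RFC 4443 / RFC 4861) without which IPv6 does not function.
ICMPV6_ESSENTIAL = {
    1: "destination-unreachable",
    2: "packet-too-big",           # the only PMTUD signal in IPv6; routers do not fragment
    3: "time-exceeded",
    4: "parameter-problem",
    128: "echo-request",
    129: "echo-reply",
    133: "router-solicitation",
    134: "router-advertisement",
    135: "neighbor-solicitation",  # the IPv6 replacement for ARP
    136: "neighbor-advertisement",
}

# Matches the PROTO/TYPE/CODE fields of a kernel LOG line; non-ICMP lines do not match.
LOG_RE = re.compile(
    r"PROTO=(?P<proto>ICMPv6|ICMP)\b.*?\bTYPE=(?P<type>\d+)\s+CODE=(?P<code>\d+)"
)

# Constructed sample of dropped-packet log lines (not real traffic).
SAMPLE_LOG = [
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=56 TTL=58 PROTO=ICMP TYPE=3 CODE=4",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.1 DST=192.0.2.10 LEN=56 TTL=61 PROTO=ICMP TYPE=11 CODE=0",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=84 TTL=55 PROTO=ICMP TYPE=8 CODE=0",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=2001:db8::1 DST=2001:db8:1::10 LEN=96 PROTO=ICMPv6 TYPE=2 CODE=0",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=fe80::1 DST=ff02::1:ff00:10 LEN=72 PROTO=ICMPv6 TYPE=135 CODE=0",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TTL=58 PROTO=ICMP TYPE=13 CODE=0",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=58 PROTO=TCP SPT=40211 DPT=443",
    "kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.3 DST=192.0.2.10 LEN=56 TTL=64 PROTO=ICMP TYPE=5 CODE=1",
]


def classify(line):
    """Return (family, type, code, essential-name-or-None) for an ICMP log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    t, c = int(m.group("type")), int(m.group("code"))
    if m.group("proto") == "ICMPv6":
        return ("icmpv6", t, c, ICMPV6_ESSENTIAL.get(t))
    return ("icmp", t, c, ICMPV4_ESSENTIAL.get(t))


def audit(lines):
    """Count drops of essential ICMP messages and tag the ones that break PMTUD or ND."""
    hits = Counter()
    for line in lines:
        result = classify(line)
        if result is None:
            continue
        family, t, c, name = result
        if name is None:  # e.g. ICMPv4 redirect (type 5): dropping it is fine
            continue
        label = f"{family} type {t} ({name})"
        if family == "icmp" and t == 3 and c == 4:
            label += " code 4 [breaks PMTUD]"
        elif family == "icmpv6" and t == 2:
            label += " [breaks PMTUD]"
        elif family == "icmpv6" and 133 <= t <= 136:
            label += " [breaks Neighbor Discovery]"
        hits[label] += 1
    return dict(hits)


if __name__ == "__main__":
    for label, count in sorted(audit(SAMPLE_LOG).items()):
        print(f"{count:4d}  {label}")
```

Run it against your own drop log (for example the output of `journalctl -k | grep FW-DROP` on a Linux firewall) to see whether the policy is discarding messages the answer describes as essential; a non-zero count for a `[breaks PMTUD]` or `[breaks Neighbor Discovery]` line is the symptom behind the slow or failing connections that the "when in doubt, drop" approach produces.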