The "correct" configuration of ICMP filters in a firewall is hotly debated.
The problem is that ICMP carries the "control messages" for TCP/IP. If you block
some incoming ICMP, you will break communication.
The absolute minimum ICMP
traffic to allow is the packets dealing with TCP path MTU discovery. Segmenting a stream
at the TCP layer is more efficient than fragmenting it at the IP layer, so the TCP layer
tries to discover when its IP packets are being inadvertently fragmented. It does this by
setting the DF bit (Don't Fragment) on all outgoing packets. When a router cannot forward
a packet because it is too big, rather than fragmenting it, it sends back a
"fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending
smaller IP packets, segmenting the data at the TCP layer rather than allowing routers to
fragment it at the IP layer.
Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.
Another issue is Host Unreachable and Destination Unreachable packets.
Allowing these in through your firewall lets connections time out faster,
but they can also be used as a denial-of-service attack (by disconnecting clients from
Users will constantly ask for the ability to ping and traceroute machines on the
Internet. Most firewall administrators will eventually give in to these demands. Nobody
really needs to ping/traceroute, but they really want to. It should be remembered,
however, that ICMP ping responses are often used as a covert channel.
(The massive DDoS attacks against Internet portals used this as a covert channel).
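As an added example (not from the original FAQ), the following Python parses an ICMP message,
checks its checksum, pulls the next-hop MTU out of a type=3/code=4 "fragmentation needed"
message, and applies the minimal policy described above: always allow 3/4, optionally allow
the unreachable codes, and treat echo as a covert-channel risk that is off by default. The
policy names, the sample packets and the hypothetical filter_decision() helper are my own.

```python
import struct

# Policy derived from the text above (names are my own, not a vendor's).
ALLOW_ALWAYS = {(3, 4)}             # fragmentation needed: required for PMTUD
ALLOW_OPTIONAL = {(3, 0), (3, 1)}   # net/host unreachable: faster timeouts, DoS risk
COVERT_RISK = {0, 8}                # echo reply / echo request

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Assemble an ICMP message with a correct checksum; rest = bytes 4..end."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]

def frag_needed(next_hop_mtu: int, inner: bytes) -> bytes:
    """Type 3 / code 4: 2 unused bytes, next-hop MTU, then the offending IP header."""
    return build_icmp(3, 4, b"\x00\x00" + struct.pack("!H", next_hop_mtu) + inner)

def parse_icmp(msg: bytes) -> dict:
    """Return type, code, checksum validity and, for 3/4, the advertised MTU."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _ = struct.unpack("!BBH", msg[:4])
    info = {"type": icmp_type, "code": code, "checksum_ok": icmp_checksum(msg) == 0}
    if (icmp_type, code) == (3, 4):
        info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]  # RFC 1191 field
        info["inner_ip_header"] = msg[8:28]   # original IP header + 8 payload bytes
    return info

def filter_decision(info: dict, allow_unreachable=False, allow_ping=False) -> str:
    """Hypothetical firewall verdict for one parsed ICMP message."""
    if not info["checksum_ok"]:
        return "drop"                          # corrupt or forged, never act on it
    key = (info["type"], info["code"])
    if key in ALLOW_ALWAYS:
        return "allow"
    if key in ALLOW_OPTIONAL:
        return "allow" if allow_unreachable else "drop"
    if info["type"] in COVERT_RISK:
        return "allow" if allow_ping else "drop"
    return "drop"

# Constructed sample: a 20-byte IPv4 header plus 8 payload bytes, as quoted by a router.
INNER = b"\x45\x00" + bytes(26)
```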
For more information on this, you may want to consult "Protect and Survive Using
IBM Firewall 3.1 for AIX", IBM publication SG24-2577-02. See http://www.redbooks.ibm.com/ for more info. I
disagree with it, though.
Another good document is http://www.worldgate.com/~marcs/mtu/.