ICMP question

Sep 24th, 2007


I just wanted to ask opinion, would denying ICMP from host inside the network to the Internet be considered a Best Practice? If so, could someone tell me why.



Richard Burts Mon, 09/24/2007 - 06:56


I do not believe that a blanket deny of all ICMP is ever a best practice. If there are some ICMP messages that you believe are security weaknesses then block those specific messages. But there are many ICMP messages that have useful (sometimes almost necessary) information that you would give up if you did a deny icmp any any. For example blocking the ICMP message about Fragmentation required but DF set is what frequently breaks Path MTU Discovery.
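One way to apply this advice on a Cisco IOS router, as an added example that is not from this thread: permit the specific ICMP messages inside hosts depend on, drop the remaining ICMP types, and log what is dropped so the policy can be reviewed. The 10.0.0.0/8 inside range, the ACL name and the interface name are assumptions.

```ios
! Added example, not from the thread. Assumes the inside network is
! 10.0.0.0/8 and the inside-facing interface is GigabitEthernet0/0.
ip access-list extended INSIDE-TO-INTERNET
 remark -- ICMP that inside hosts legitimately need end to end --
 permit icmp 10.0.0.0 0.255.255.255 any echo
 permit icmp 10.0.0.0 0.255.255.255 any echo-reply
 remark -- type 3 code 4, the message PMTUD relies on --
 permit icmp 10.0.0.0 0.255.255.255 any packet-too-big
 permit icmp 10.0.0.0 0.255.255.255 any unreachable
 permit icmp 10.0.0.0 0.255.255.255 any time-exceeded
 remark -- every other ICMP type is dropped and logged, instead of
 remark -- a blanket "deny icmp any any" that would also drop the above
 deny   icmp 10.0.0.0 0.255.255.255 any log
 remark -- non-ICMP traffic is outside the scope of this example --
 permit ip   10.0.0.0 0.255.255.255 any
!
interface GigabitEthernet0/0
 description Inside LAN
 ip access-group INSIDE-TO-INTERNET in
```

The inbound policy on the outside interface needs the matching permit for packet-too-big toward the inside hosts, since that is the message whose loss breaks Path MTU Discovery for them.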



murray-davis Mon, 09/24/2007 - 07:22

I would think this would not be a best practice. How would you troubleshoot connectivity issues? For example, you can't connect to www.cisco.com. Is Cisco's site down, is your LAN down, is your WAN down, is your ISP down, is your DNS server down? How would you answer these questions if you deny ICMP? If you are thinking of just blocking ICMP for Joe user, I don't think that you would gain anything. You can put QoS on routers to throttle ICMP traffic, maybe that is the route :) to go. Or, you need to be looking at bandwidth issues from Skype, BitTorrent, and other application-layer filtering.

