Some Valuable Tips & Tricks

NOTE: Nothing on this particular page is guaranteed to work in every case. The Tips & Tricks provided herein have worked for me personally in the past but are in no way provided as a total solution to any particular problem. ADL Datacomm will not be held responsible for any malfunction after implementing any of these suggestions. These ideas are provided without liability and with no guarantee expressed or implied. Although we have used each one of these, they are supplied as 'use at your own risk' suggestions only.

ICMP Filtering

Know your network. Do not randomly block or allow anything. Understand the impact it will have on your network and use a lab scenario if possible.

Filtering ICMP packets is more of a challenge than it seems. Several ICMP types should actually be permitted to enter and exit your firewall / gateway device, because hosts depend on them for path MTU discovery, traceroute and basic reachability checks. A recommended allow list to start with is below. Know that this is only a recommendation and may need to be adjusted for your specific needs. All other ICMP types should be blocked initially.

NAME             TYPE  CODE  COMMENT
ICMP_ECHO         8     0    Ping (echo request)
ICMP_ECHOREPLY    0     0    Ping response (echo reply)
ICMP_UNREACH      3     4    ICMP_UNREACH_NEEDFRAG: fragmentation needed, required for Path MTU discovery
ICMP_TIMXCEED    11     0    TTL expired in transit (used by traceroute)

Note that every ICMP packet carries both a TYPE and a CODE. The TYPE defines the ICMP message that is being passed. In certain cases, a TYPE has several sub-messages, distinguished by the CODE, so a filter that matches on TYPE alone may allow or block more than intended.

For example, a "destination unreachable" message might have a TYPE of 3 and a CODE of 3. This would be the ICMP message generated when a port on the target host is unreachable.
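To make the TYPE/CODE distinction concrete, here is an added example (not code from this page or from ADL Datacomm) that parses the 8-byte ICMP header from raw packet bytes, verifies the RFC 1071 checksum, and applies the allow list from the table above: (8,0), (0,0), (3,4) and (11,0) are accepted, everything else is dropped. It also shows why type 3 code 3 (port unreachable, the example just given) is dropped under this policy while type 3 code 4 is accepted. The sample packets are constructed in the script itself; the build_icmp, parse_icmp and filter_decision helpers are names chosen for this example, and the iptables_rules function only prints the equivalent iptables commands as strings rather than running them.

```python
import struct

# Allow list taken from the table on this page: (type, code) -> description.
ICMP_ALLOW = {
    (8, 0): "ICMP_ECHO (ping request)",
    (0, 0): "ICMP_ECHOREPLY (ping response)",
    (3, 4): "ICMP_UNREACH_NEEDFRAG (fragmentation needed, path MTU discovery)",
    (11, 0): "ICMP_TIMXCEED (TTL expired in transit)",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (constructed input)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, 0)  # type, code, csum, rest-of-header
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, 0) + payload


def parse_icmp(packet: bytes):
    """Return (type, code) for a well-formed ICMP message, or None if malformed."""
    if len(packet) < 8:
        return None
    icmp_type, code, _csum, _rest = struct.unpack("!BBHI", packet[:8])
    # Summing a valid message including its checksum field yields 0.
    if icmp_checksum(packet) != 0:
        return None
    return icmp_type, code


def filter_decision(packet: bytes) -> str:
    """Apply the default-deny policy: accept only (type, code) pairs on the allow list."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return "DROP (malformed)"
    return "ACCEPT" if parsed in ICMP_ALLOW else "DROP"


def iptables_rules(chain: str = "INPUT") -> list:
    """Render the same policy as iptables commands (strings only, nothing is executed)."""
    rules = [
        "iptables -A %s -p icmp --icmp-type %d/%d -j ACCEPT" % (chain, t, c)
        for (t, c) in ICMP_ALLOW
    ]
    rules.append("iptables -A %s -p icmp -j DROP" % chain)  # default deny for all other ICMP
    return rules


if __name__ == "__main__":
    samples = {
        "echo request (8/0)": build_icmp(8, 0, b"abcd"),
        "port unreachable (3/3)": build_icmp(3, 3),
        "frag needed (3/4)": build_icmp(3, 4),
        "ttl exceeded (11/0)": build_icmp(11, 0),
        "truncated header": b"\x08\x00",
    }
    for name, pkt in samples.items():
        print("%-24s -> %s" % (name, filter_decision(pkt)))
    print("\n".join(iptables_rules()))
```

The checksum check matters for a real filter: a packet whose header bytes have been altered in transit fails the check and is dropped as malformed rather than being classified on a corrupted type or code. The generated iptables lines use the numeric type/code form of --icmp-type so the rules match exactly the pairs in the table, not a whole type.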

For a full list of ICMP types and codes, see the Iptables Tutorial 1.1.19 by Oskar Andreasson at http://www.faqs.org/docs/iptables/icmptypes.html#TABLE.ICMPTYPES (Copyright © 2001-2003 by Oskar Andreasson).