Some Valuable Tips & Tricks
NOTE: Nothing on this particular page is guaranteed to work in every case. The Tips & Tricks provided herein have worked for me personally in the past but are in no way provided as a total solution to any particular problem. ADL Datacomm will not be held responsible for any malfunction after implementing any of these suggestions. These ideas are provided without liability and with no guarantee expressed or implied. Although we have used each one of these, they are supplied as 'use at your own risk' suggestions only.
ICMP Filtering
Know your network. Do not randomly block or allow anything. Understand the impact it will have on your network and use a lab scenario if possible.
Filtering ICMP packets is more of a challenge than it seems. Several ICMP message types should actually be permitted to enter and exit your firewall / gateway device, because hosts depend on them for normal operation. A recommended allow list to start with is below. Know that this is only a recommendation and may need to be adjusted for your specific needs. All other ICMP types should be blocked initially.
NAME            TYPE  CODE  COMMENT
ICMP_ECHO          8     0  Ping
ICMP_ECHOREPLY     0     0  Ping response
ICMP_UNREACH       3     4  ICMP_UNREACH_NEEDFRAG
ICMP_TIMXCEED     11     0  TTL expired in transit.
Note that ICMP packets have a TYPE and CODE. The TYPE defines the ICMP message that is being passed. In certain cases, a TYPE may have several sub messages, called CODEs.
For example, a "destination unreachable" message might have a TYPE of 3 and a CODE of 3. This would be the ICMP message generated when a port on the target host is unreachable.
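To make the TYPE / CODE distinction concrete, here is an added example (not part of the original page, and not an ADL Datacomm tool) that parses the first bytes of a raw ICMP message, verifies its checksum, and applies the allow list above as a stateless accept/drop decision. It also renders the same list as iptables rules with a final default drop for ICMP. The packets it checks are constructed inline as sample input; the function names and the use of the iptables comment match module are assumptions of this example, not something the page specifies.

```python
"""Stateless ICMP allow-list check plus iptables rule rendering (added example).

Assumptions (not from the original page): the allow list is held as
(type, code) pairs; packets are raw ICMP messages constructed below.
"""
import struct

# The allow list from the page, keyed on (TYPE, CODE).
ICMP_ALLOW = {
    (8, 0): "ICMP_ECHO (ping)",
    (0, 0): "ICMP_ECHOREPLY (ping response)",
    (3, 4): "ICMP_UNREACH_NEEDFRAG (fragmentation needed, used by path MTU discovery)",
    (11, 0): "ICMP_TIMXCEED (TTL expired in transit)",
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test input only)."""
    header = struct.pack("!BBH", icmp_type, code, 0) + b"\x00" * 4
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBH", icmp_type, code, chk) + b"\x00" * 4 + payload


def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) from a raw ICMP message.

    TYPE is byte 0 and CODE is byte 1 of the 8-byte ICMP header; bytes 2-3
    hold the checksum.  Re-summing the whole message with the stored
    checksum in place yields 0 when the checksum is valid.
    """
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes minimum")
    icmp_type, code, _stored = struct.unpack("!BBH", packet[:4])
    return icmp_type, code, icmp_checksum(packet) == 0


def decide(packet: bytes) -> str:
    """ACCEPT only listed (type, code) pairs with a valid checksum; DROP otherwise."""
    icmp_type, code, ok = parse_icmp(packet)
    if not ok:
        return "DROP (bad checksum)"
    if (icmp_type, code) in ICMP_ALLOW:
        return "ACCEPT"
    return "DROP"


def iptables_rules(chain: str = "INPUT") -> list:
    """Render the allow list as iptables commands, ending with a default ICMP drop."""
    rules = []
    for (icmp_type, code), comment in ICMP_ALLOW.items():
        rules.append(
            f"iptables -A {chain} -p icmp --icmp-type {icmp_type}/{code} "
            f"-m comment --comment \"{comment}\" -j ACCEPT"
        )
    rules.append(f"iptables -A {chain} -p icmp -j DROP")  # everything else
    return rules


if __name__ == "__main__":
    # Constructed sample messages: echo request, port unreachable (3/3), frag needed (3/4).
    for pkt in (build_icmp(8, 0, b"ping"), build_icmp(3, 3), build_icmp(3, 4)):
        print(parse_icmp(pkt)[:2], decide(pkt))
    print("\n".join(iptables_rules()))
```

Note that this check is stateless: on a real gateway you would normally pair the allow list with connection tracking so that an ICMP_ECHOREPLY or an ICMP_UNREACH is only accepted when it relates to traffic the firewall has already seen, and the `type 3 code 3` example from the text shows why a TYPE alone is not enough to decide.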
For a list of ICMP TYPES and CODES, visit Iptables Tutorial 1.1.19 by Oskar Andreasson at http://www.faqs.org/docs/iptables/icmptypes.html#TABLE.ICMPTYPES
Copyright © 2001-2003 by Oskar Andreasson.