On Wednesday 05 December 2007, Daniel B. Thurman wrote:
> Should ICMP packets be allowed both over the
> Internet or should it be allowed to pass only in
> the local networks?

If you blanket block all ICMP, you break many parts of the TCP/IP protocol. You lose:

1.) The ability for you to ping anything (ICMP Echo Reply)
2.) Path MTU discovery (ICMP type 3 (Destination unreachable) code 4)
3.) The ability to know a destination is not reachable (is your yum taking too long? Perhaps you're blocking ICMP type 3!)

Read the list of ICMP types and see what you might break. The list is at
http://www.iana.org/assignments/icmp-parameters

ICMP is called the 'internet control message protocol' for a reason. Now, blocking ICMP types 4 and 5 might be useful, and blocking several experimental types might be useful, but you certainly don't want to block types that are necessary for proper network functionality. Otherwise your connectivity will be broken (blocking type 11, for instance, can have interesting ramifications). Blocking type 4 can cause problems with QoS in some implementations, too.

Again, ICMP exists for a very valid reason. Blocking ICMP does not make you more secure, either. It will make it slightly more difficult for an attacker to find you, but only slightly. See
http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html
for more. See the parent FAQ of that question, too.

Also, as a point of information, there is no such thing as 'The Internet' anyway. There is a conglomeration of interconnected networks, each with their own 'junk,' that agree to connect and pass traffic. It is a VERY loose conglomeration; just follow some of the depeering discussions on NANOG for a while.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
(828)862-5554
www.pari.edu
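The point of the reply above is that an ICMP filter has to be selective by type: type 3 code 4 carries the next-hop MTU that Path MTU discovery depends on, while types 4 and 5 can reasonably be dropped. The following is an added illustration, not code from the thread or from anyone posting in it: it parses the 8-byte ICMP header from raw bytes, verifies the RFC 1071 one's-complement checksum, extracts the next-hop MTU from a "fragmentation needed" message, and applies the allow/drop split the reply describes. The allow set and the sample packets are constructed for the example; the type numbers are the IANA assignments linked in the post.

```python
import struct

# ICMP type numbers (IANA icmp-parameters registry).
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_SOURCE_QUENCH = 4
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11
ICMP_PARAM_PROBLEM = 12
FRAG_NEEDED = 4  # type 3 code 4: fragmentation needed and DF set (PMTUD)

# Constructed policy mirroring the reply: keep the types needed for normal
# operation, drop source quench and redirect, default-deny anything else
# (experimental/unassigned types).
ALLOWED_TYPES = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST,
                 ICMP_TIME_EXCEEDED, ICMP_PARAM_PROBLEM}
DROPPED_TYPES = {ICMP_SOURCE_QUENCH, ICMP_REDIRECT}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message.
    Returns 0 when run over a message whose checksum field is already valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int = 0, payload: bytes = b"") -> bytes:
    """Build an ICMP message; 'rest' is the 32-bit field after the checksum
    (for type 3 code 4 its low 16 bits carry the next-hop MTU, RFC 1191)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP header, reject short or corrupted messages."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8-byte header")
    if icmp_checksum(packet) != 0:
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", packet[:8])
    info = {"type": icmp_type, "code": code, "payload": packet[8:]}
    if icmp_type == ICMP_DEST_UNREACH and code == FRAG_NEEDED:
        # This is the value a sender needs to shrink its segments; dropping
        # the message is what makes PMTUD-dependent connections hang.
        info["next_hop_mtu"] = rest & 0xFFFF
    return info


def filter_decision(packet: bytes) -> str:
    """Return 'ACCEPT' or 'DROP' for a raw ICMP message under the policy above.
    Malformed messages are dropped rather than raising."""
    try:
        info = parse_icmp(packet)
    except ValueError:
        return "DROP"
    if info["type"] in DROPPED_TYPES:
        return "DROP"
    if info["type"] in ALLOWED_TYPES:
        return "ACCEPT"
    return "DROP"


# Constructed sample: the quoted IP header + 8 bytes that a router echoes back.
SAMPLE_QUOTE = bytes(range(28))
FRAG_NEEDED_PKT = build_icmp(ICMP_DEST_UNREACH, FRAG_NEEDED, rest=1400, payload=SAMPLE_QUOTE)
REDIRECT_PKT = build_icmp(ICMP_REDIRECT, 1, rest=0x0A000001, payload=SAMPLE_QUOTE)
ECHO_REQ_PKT = build_icmp(ICMP_ECHO_REQUEST, 0, rest=(0x1234 << 16) | 1, payload=b"ping")

if __name__ == "__main__":
    for name, pkt in [("frag-needed", FRAG_NEEDED_PKT), ("redirect", REDIRECT_PKT),
                      ("echo-request", ECHO_REQ_PKT)]:
        print(name, filter_decision(pkt), parse_icmp(pkt).get("next_hop_mtu"))
```

A corrupted message (one flipped byte) fails the checksum and is dropped before any policy lookup, which keeps the parser from acting on a header it cannot trust.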