Should I Unblock ICMP on the WAN?
-
Yeah. Block bogons and RFC1918 only affects connections coming into WAN with a SOURCE ADDRESS in those ranges. That should never happen with actual internet traffic and if it does you probably want it blocked anyway which is why that feature exists in the first place.
The only way that might happen is connections from the ISP device itself unless the firewall is inside your private network for whatever reason in which case you want to disable that feature.
-
If I sent out an echo request, most likely I would need an echo reply to pass in, isn't it?
The question is: how can automatically generated outbound NAT help me with this?
P.S. Or maybe there is a hidden set of rules that comes into play
(not visible from our side of the fence...)?
-
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
-
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I cannot stand it tapping on my WAN door ... so I drop them.
It's still tapping then, it's still there.
Dropping just means you spend a minimum of CPU cycles on it: "pfSense" doesn't react == send something back - on its arrival.
-
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
If you're running IPv6, you have to allow some in.
-
@tagit446
I wrote a heartbeat function on my external hosted site that will ping my pfSense router every few minutes through the WAN. If my router doesn't respond then I get notified. So I have a rule that only allows ICMP (any) from the block of IPs that my web host uses to ping me. Otherwise all other ICMP is blocked and I have not noticed any issues. I'm only using IPv4.
-
@tagit446 Some ICMP types are dangerous. But some are needed, like
- 3 Destination Unreachable
- 8 ICMP Echo Request (Ping)
- 11 Time Exceeded
- 12 Parameter Problem
But the authors of the pfSense book advise you to allow any type of ICMP. That is a NO NO!
If you don't need it then just block it.
-
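The two positions in this post, written out in pf.conf syntax as an added example (not from the thread, and not pfSense's own generated rule set; pfSense builds equivalent pf rules from its GUI): the "allow any ICMP" rule beside a rule that passes only the four types listed above, the echo-request-from-the-monitoring-host rule from the earlier post, and the logging the last reply asks for. The interface name and the monitor's address block are placeholders, and the ICMPv6 type list is an assumption based on RFC 4890, not something the thread specifies.

```pf
# Added example in pf.conf syntax. Interface and address block are placeholders.
wan         = "em0"
monitor_net = "{ 192.0.2.0/24 }"   # constructed: the web host's block that sends heartbeat pings

# pf is last-match-wins unless a rule says "quick", so the default block goes
# first and the narrower pass rules below override it. Everything is logged so
# hits are visible in the firewall log, as the last reply recommends.
block in log on $wan proto { icmp, icmp6 }

# The permissive form the pfSense book is said to recommend: every ICMPv4 type
# and code reaches the WAN address. Left commented out; this is the "NO NO".
# pass in log on $wan inet proto icmp from any to ($wan)

# Restrictive form: only the operationally needed types from the list above.
# pf icmp-type keywords: unreach = 3, timex = 11, paramprob = 12.
pass in log on $wan inet proto icmp from any to ($wan) \
    icmp-type { unreach, timex, paramprob }

# Type 8 (echoreq) only from the external heartbeat monitor; pings from anyone
# else fall back to the block rule.
pass in log on $wan inet proto icmp from $monitor_net to ($wan) \
    icmp-type echoreq

# IPv6 cannot simply be blocked: neighbor discovery and Packet Too Big must get
# through or the link stops working (RFC 4890). Assumed minimal set; check what
# your firewall already passes for ICMPv6 before duplicating it here.
pass in log on $wan inet6 proto icmp6 \
    icmp6-type { unreach, toobig, timex, paramprob, neighbrsol, neighbradv }
```

Loading this with `pfctl -nf` first checks the syntax without installing the rules.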
@gertjan said in Should I Unblock ICMP on the WAN?:
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I cannot stand it tapping on my WAN door ... so I drop them.
It's still tapping then, it's still there.
Dropping just means you spend a minimal of CPU cycles on it: "pfSense" doesn't react == send something back - on its arrival.
Suricata drops them and doesn't notify me anymore ... not dropped at the firewall.
-
@jknott said in Should I Unblock ICMP on the WAN?:
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
If you're running IPv6, you have to allow some in.
No, that's the thing ... I need to get over my IPv6 shyness.
-
Does your ISP provide it? If not, you can get it via tunnel from he.net.
-
@tagit446 I forgot to tell you: don't forget to enable logging for these rules.