Should I Unblock ICMP on the WAN?
-
If I sent out an echo request, most likely I would need an echo reply to pass in, wouldn't I?
The question is: how can the automatically generated outbound NAT help me with this?
P.S. Or maybe there is a hidden set of rules that comes into play
(not visible from our side of the fence...)? -
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
-
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I cannot stand it tapping on my WAN door ... so I drop them.
It's still tapping then, it's still there.
Dropping just means you spend a minimum of CPU cycles on it: "pfSense" doesn't react (== send something back) on its arrival. -
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
If you're running IPv6, you have to allow some in.
-
@tagit446
I wrote a heartbeat function on my externally hosted site that pings my pfSense router every few minutes through the WAN. If my router doesn't respond, then I get notified. So I have a rule that only allows ICMP (any) from the block of IPs that my web host uses to ping me. Otherwise all other ICMP is blocked, and I have not noticed any issues. I'm only using IPv4. -
@tagit446 Some ICMP types are dangerous, but some are needed, like:
- 3 Destination Unreachable
- 8 ICMP Echo Request (Ping)
- 11 Time Exceeded
- 12 Parameter Problem
But the authors of the pfSense book advise you to allow any ICMP type. That is a NO NO!
If you don't need it then just block it. -
@gertjan said in Should I Unblock ICMP on the WAN?:
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I cannot stand it tapping on my WAN door ... so I drop them.
It's still tapping then, it's still there.
Dropping just means you spend a minimum of CPU cycles on it: "pfSense" doesn't react (== send something back) on its arrival.
Suricata drops them and doesn't notify me anymore ... not dropped at the firewall.
-
@jknott said in Should I Unblock ICMP on the WAN?:
@nollipfsense said in Should I Unblock ICMP on the WAN?:
I have been struggling with this ICMP. I know it is harmless traffic, mostly router gossip; however, I cannot stand it tapping on my WAN door ... so I drop them.
If you're running IPv6, you have to allow some in.
No, that's the thing ... I need to get over my IPv6 shyness.
-
Does your ISP provide it? If not, you can get it via tunnel from he.net.
-
@tagit446 Forgot to mention: don't forget to enable logging for these rules.
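As an added example (not from this thread or from the pfSense project), a raw pf.conf fragment expressing the policy the thread converges on: the four IPv4 types listed above, echo requests only from the monitoring hosts that run the heartbeat, the ICMPv6 types IPv6 cannot work without, and everything else dropped and logged. The interface name, the monitoring prefix and the exact ICMPv6 type list are assumptions; on pfSense the same rules are entered as WAN rules in the GUI rather than by editing pf.conf.

```pf
# Assumed WAN interface name and a constructed monitoring prefix (TEST-NET-3).
wan_if = "em0"
monitor_hosts = "{ 203.0.113.0/24 }"

# Catch-all: drop and log any ICMP reaching the WAN that no "quick" rule below accepted.
block in log on $wan_if inet  proto icmp
block in log on $wan_if inet6 proto ipv6-icmp

# IPv4 error/diagnostic types from the list above (3, 11, 12), logged so they show up.
pass in log quick on $wan_if inet proto icmp icmp-type { unreach, timex, paramprob }

# IPv4 echo request (type 8) only from the hosts that run the external heartbeat.
pass in log quick on $wan_if inet proto icmp from $monitor_hosts icmp-type echoreq

# IPv6: path MTU discovery and neighbour discovery break without these ICMPv6 types.
pass in quick on $wan_if inet6 proto ipv6-icmp icmp6-type \
    { unreach, toobig, timex, paramprob, neighbrsol, neighbradv, routeradv }

# Outbound pings: pf creates state on this rule and matches the echo reply to it,
# so no inbound rule is needed for replies to pings you originate.
pass out quick on $wan_if inet proto icmp icmp-type echoreq
```

Rules with `quick` take effect on first match, so the two `block ... log` lines only see ICMP that none of the `pass` rules accepted.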