ICMP rules



  • Some people think that ICMP should be blocked by a firewall, even though some message types should be allowed for proper operation of the Internet.  What ICMP types does pfSense allow or block, by default?

    tnx jk



  • On WAN everything including any ICMP is blocked on inbound. On the outbound direction everything is allowed by default. On LAN everything is allowed by default and on any OPT interface everything is blocked on inbound if there are no rules on the interface.

    Trying to hide your system by blocking incoming ICMP doesn't quite work contrary to the myths, any time you make an outgoing connection there will be numerous hosts on the way that now know of your precence no matter how well you block incoming connections.



  • Quite so.  That's why I think blocking ICMP types such as ping, destination unreachable, source quench etc. is dumb, though I could see blocking redirects on a WAN port.



  • I block that which is not needed.  It appears that ICMP of any type inbound on WAN is not needed here.  So it is blocked.

    Entities along the path are not what most people who block ICMP are trying to be invisible to.



  • It appears that ICMP of any type inbound on WAN is not needed here.  So it is blocked.

    What about packet too big (type 2) or destination unreachable (2)?  Seems to me, both of those would be useful.  The packet too big might occur, if you have to pass through a tunnel of some sort, where the MTU might be just 1280 bytes, but your MTU is set to 1500.



  • On WAN everything including any ICMP is blocked on inbound.

    I just did a quick test and see both destination and time exceeded messages are passed, in both IPv6 and IPv4 (via NAT).


  • LAYER 8 Global Moderator

    huh? There is no traffic passed unsolicated inbound via nat.  Ipv6 would have to be allowed.  Outbound sure the default outbound is any any so you would get responses.  If your using an ipv6 tunnel you would have to put rules in place to allow the traffic you want inbound and outbound, etc.

    How exactly are you testing this?  There are certain aspects of ipv6 icmp that are allowed in hidden rules since there are many requirements for icmpv6 for ipv6 to function correctly.

    I have specific rules on my wan ipv4 to allow icmp echo request since I like to be able to ping my public IP when I am remote.. Until pfblocker blew up with memory issues I had top 20 countries blocked same with icmpv6 inbound through my he tunnel.

    I also send rejects to the udp ports used for traceroute in linux and allow those ports through in ipv6 so I can get complete traceroutes without issues remote, etc.



  • My mistake,  I forgot that ICMP in response to existing traffic would normally be allowed.  I was just running traceroute to IPv4 and IPv6 sites and watching with wireshark.  I suppose I should try something like icmpush, on Linux, to properly test this.



  • I have rules to pass echo request enabled for both ipv4 and ipv6. That way ping tests work. I also had to enable an inbound firewall rule for icmp6 echo request on my windows 10 pc.



  • @JKnott:

    It appears that ICMP of any type inbound on WAN is not needed here.  So it is blocked.

    What about packet too big (type 2) or destination unreachable (2)?  Seems to me, both of those would be useful.  The packet too big might occur, if you have to pass through a tunnel of some sort, where the MTU might be just 1280 bytes, but your MTU is set to 1500.

    Not having any troubles with it.  Like I said

    It appears that ICMP of any type inbound on WAN is not needed here.  So it is blocked.


Log in to reply