I see some people say that the only outbound ICMP packets you should allow are type 8. But is it necessary to make rules that explicitly allow type 8 and explicitly deny all other types for outbound? If you set up your incoming ICMP rules correctly (let's say only allow incoming types 0, 3, and 11), then could you ever have an ICMP packet leave your system that is not type 8?
ICMP type 3 could go out. When I configured my ruleset, there were requests for ICMP type 3 out to my ISP, so I made a custom rule to allow for that. It doesn't occur very often. My final ICMP rule denies all other in-out ICMP. I haven't had any outbound attempts for other types.

-rich
________________________________________________________________
"Talking About Security Can Lead To Anxiety, Panic, And Dread... Or Cool Assessments, Common Sense And Practical Planning..." --Bruce Schneier
If a type 3 goes out, it would be in response to something. What kind of incoming packet would trigger a type 3 ICMP packet to go out?
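As an added illustration (not part of the thread), here is a small Python model of the policy discussed above: inbound ICMP limited to types 0, 3 and 11, outbound limited to type 8, plus the standard host behaviour (RFC 1122) that produces an outbound type 3 on its own: a UDP datagram arriving at a closed port is answered with Destination Unreachable / Port Unreachable. The addresses, ports and the set of listening UDP ports are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMP types named in the thread (RFC 792).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
PORT_UNREACH = 3  # code 3 under type 3

# The thread's inbound policy and the "type 8 only" outbound policy.
INBOUND_ICMP_ALLOWED = {ECHO_REPLY, DEST_UNREACH, TIME_EXCEEDED}
OUTBOUND_ICMP_ALLOWED = {ECHO_REQUEST}
LISTENING_UDP_PORTS = {53}  # assumption: a resolver listens, nothing else on UDP

@dataclass(frozen=True)
class Packet:
    proto: str                      # "icmp" or "udp"
    src: str
    dst: str
    icmp_type: Optional[int] = None
    icmp_code: int = 0
    dport: Optional[int] = None

def inbound_permitted(pkt: Packet) -> bool:
    """Inbound filter: ICMP restricted to 0/3/11; UDP is assumed allowed in this model."""
    if pkt.proto == "icmp":
        return pkt.icmp_type in INBOUND_ICMP_ALLOWED
    return True

def host_response(pkt: Packet) -> Optional[Packet]:
    """ICMP a host generates for an accepted packet (RFC 1122 sections 3.2.2 and 4.1.3.1)."""
    if pkt.proto == "udp" and pkt.dport not in LISTENING_UDP_PORTS:
        # Closed UDP port: Destination Unreachable with code Port Unreachable.
        return Packet("icmp", pkt.dst, pkt.src, DEST_UNREACH, PORT_UNREACH)
    if pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST:
        return Packet("icmp", pkt.dst, pkt.src, ECHO_REPLY)
    return None  # ICMP replies and ICMP errors never trigger a further ICMP message

def outbound_icmp(inbound: List[Packet]) -> List[Tuple[int, int, bool]]:
    """(type, code, passes_outbound_rule) for each ICMP message the host tries to send."""
    out = []
    for pkt in inbound:
        if not inbound_permitted(pkt):
            continue
        resp = host_response(pkt)
        if resp is not None:
            out.append((resp.icmp_type, resp.icmp_code, resp.icmp_type in OUTBOUND_ICMP_ALLOWED))
    return out

# Constructed sample traffic, not captured from a real network.
SAMPLE_INBOUND = [
    Packet("icmp", "198.51.100.7", "192.0.2.10", ECHO_REQUEST),  # blocked inbound, so no reply
    Packet("icmp", "198.51.100.7", "192.0.2.10", ECHO_REPLY),    # reply to our own ping, no response
    Packet("udp", "198.51.100.7", "192.0.2.10", dport=53),       # open port, no ICMP generated
    Packet("udp", "198.51.100.7", "192.0.2.10", dport=9999),     # closed port -> type 3 code 3 out
]

if __name__ == "__main__":
    for t, c, ok in outbound_icmp(SAMPLE_INBOUND):
        print(f"type {t} code {c}: {'allowed' if ok else 'dropped by the type-8-only rule'}")
```

Running it shows the one outbound ICMP the host generates under this policy is type 3 code 3, which a strict "type 8 only" outbound rule silently drops; the remote sender then just times out instead of learning the port is closed.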