Should I allow this?

I get a lot of Type 3 Code 4 in the log that does not allow me to fully open certain web pages. I need to make a rule to allow my computer to receive and to send packets of type 3 Code 4 on ICMP protocol. Any problems with doing this?

 

Sometimes I get an ICMP type:3 code:3, which is a "destination unreachable" response.
I have never seen"code:4", so I do not know of possible dangers when allowing this type of packets.

Usually you receice ICMP type 3 logs when for example your DNS server is not responding.

You could try reading this here below for more information:
http://www.networksorcery.com/enp/protocol/icmp/msg3.htm

Thomas

 

Hi Jon,

The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer rather than the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allow routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

Quoted from THIS this web site.

Regards,

Jaws