ICMP - Harness Good/Block Bad

I'm setting up some Global Rules in Comodo Firewall for ICMP traffic, and I'd like some advice. I noticed Outgoing ICMP from my PC to my router, type 8, code 0 which I've gathered to be Echo Requests. If I block them eventually I lose my internet connection, so I'm inclined to allow them. Should I make the rule only to allow it from my PC to my gateway (router)?

What are some other ICMP traffic I could/should allow safely? When I set the FW up to stealth my ports to everyone it made rules for Fragmentation Needed and Time Exceeded, though I don't recall if it allowed it in or out (I removed them).

I'd be greatly obliged if somebody could recommend some ICMP rules for me, to allow useful traffic and block the rest.

Info. on my setup: Single PC, XP Pro SP3, NetBios disabled over TCP/IP, Comodo Firewall/D+ (proactive), Avira Personal, Firefox 3.6.17. I use the internet just for basic use (browsing).

 

You could try the ones in the attached .txt file. They should be complete for a home, non-networked computer. You've helped remind me I need to re-check my Windows fw icmp rules when I get home later

 

Actually blocking the outgoing Echo Requests wasn't what made me lose my connectivity. Another oversight of mine did that.

After learning more about ICMP it doesn't appear the common user (me) needs to allow any at all. Of course all I stumbled upon were vague references about network troubleshooting. One person said it's for more than that, but then neglected to elaborate. The way I see it, if I block it and nothing breaks then I don't need it. That's my prerogative until convinced otherwise.

 

If you do need to troubleshoot network connectivity, then allowing echo request, for example, will be needed for pings or traceroutes, and these can be very handy tools sometimes. You really have nothing to worry about and the ability to troubleshoot network connectivity issues if you set your icmp rules as in the attachment.

 

Do you find a need to explicitely create rules blocking ICMP... or do you feel Windows firewall may go wild? I've also been creating rules to specifically block connections, rather than leaving them disabled. I got double-crossed by Windows firewall sometime ago. It automatically created rules for network discovery... including netbios comms.

But, a good trick (perhaps) is to create new rules blocking comms, rather than using any built-in rules. A block rule takes precedence. Just in case Windows firewall remembers of changing rules.

 

Not any more. It's default-deny so I just create the allow rules I need. My current setup is pretty much static so I have little concern about new apps creating their own rules, and then very few do that anyway (however, uTorrent, for one, does this), at least in my experience.

 

I found the advice about System wide rules in the sticky by CrazyM very useful in making rules in few firewalls for both LAN and the wild web
https://www.wilderssecurity.com/showthread.php?t=24415
See heading called "Customizing Firewall Rules"

This thread is very interesting about stealth and replies to pings from the internet
https://www.wilderssecurity.com/showthread.php?t=216892

 

After looking into it a bit I came up with these rules (Comodo):

Allow - In

Echo Reply
Time Exceeded
Fragmentation Needed
Port Unreachable

Allow - Out

Echo Request

... then an in/out block rule for all other ICMP

But for now I'm testing to see whether things run smoothly with all ICMP blocked. It's not that I specifically feel the need to block ICMP, it's just my approach with all things (services, outbound connections, ect...). If I don't need it for things to work properly, I don't allow it. If I notice connectivity problems or unresponsive/glitchy browsing then I'll use that rule set.

 

Those all look good

Some nice advice in that thread

 

Yeah I looked through that, a very handy thread. I appreciate when people take the time like that to help other people out.

I found the one thread entertaining about the placebo effect people get when they see "Full Stealth" on the port scan tests. So true.

The only other rule I may add to the fold is an inbound allow rule for "Host Unreachable". I did have a page hang on me. Usually after several seconds I'd get that "Page temporarily unavailable" message, but it just kept hanging and I had to stop it. I don't know if this has anything to do with blocking ICMP, or if it's just coincidence. I'm going to need a bigger sample size before I decide one way or the other, but for now I'm continuing to block all. But perhaps some is needed for more reliable connectivity?

I'd like to hear an expert chime in about this with some specifics about ICMP. Is it indeed for more than just network troubleshooting? Does it have a positive impact on network connectivity for a common user like myself?

 

If your firewall permits, you could just make a Type: 3 (Destination Unreachable), Code: Any ICMP rule, and this will cover everything for that Type.

-http://www.nthelp.com/icmp.html

And no expert, but I don't think ICMP has any bearing on normal network connectivity, especially typical web browsing. It is probably even more important if one is running a server, where echo replies out and requests in may need to be allowed.

 

Just found this older, but no doubt excellent, ICMP advice form BlitzenZeus, an expert on Kerio firewall. There is no questioning this guy's expertise

-http://www.dslreports.com/forum/remark,2649460

 

Nice BZ thread, thanks. I've followed the CrazyM setup, it hasn't tripped me behind the router, with router removed, and in wild places yet.

In the Sunbelt 4.6.1861 and 4.7.4.0 firewall I have this stuff working fine all along



on another box, Kerio 2.1.5 firewall identical (except GUI - has only one group and can't switch LOG on the main screen)

the RFC-792 option is from this interesting thread
- https://www.wilderssecurity.com/showthread.php?t=216892