hi, i have kerio 2.1.5 with BZ's rules. recently, along with the Block All Codes as the last ICMP rule, i have only enabled ICMP 0,8 outbound. then when i have run PingPlotter, traceroute, ping etc i have enabled 0, 3, 8, 11 inbound and disabled them again afterward. i have had no network problems that i can see doing that. would there be any problems if i now disable the one ICMP rule i allow to be enabled continuously - 0,8 outbound? or do i need those echo ICMPs? thanks
In general most ICMP codes can be grouped into matching pairs. One for incoming and one for outgoing (response). This is because ICMP like UDP is a connectionless protocol. Of course there are ICMP codes which going by the RFC documents do not need a reply. If I am not mistaken 'Destination Unreachable' outbound (code:?) does not need a response from the machine when received. Due to the rule-based nature of Kerio2x there are two ways to stop things like 'Allowing pings in'. For example: 1) Allow the incoming echo request to be passed to the OS kernel as normal but deny an outgoing echo reply. 2) Deny the incoming echo request from being passed onto the kernel, no echo reply is sent even if you have explicitly stated that this is allowed. To the machine that sent the echo request, the lack of response will indicate exactly the same thing: that you are not responding to pings. If you're interested in the ICMP protocol, the RFCs http://www.faqs.org/rfcs/rfc792.html have more information.
hi, ghost thanks for the reply. OK, i'm going to disable 0 and 8 and just enable them when i enable the other ICMPs, when i do pings. i can't see why i'd need them enabled for normal internet use, i can still recieve ICMPs from routers. thanks
