Should I allow this?

Discussion in 'LnS English Forum' started by jon_fl, Jun 16, 2005.

Thread Status:
Not open for further replies.
  1. jon_fl

    jon_fl Registered Member

    Sep 4, 2004
    I get a lot of Type 3 Code 4 in the log that does not allow me to fully open certain web pages. I need to make a rule to allow my computer to receive and to send packets of type 3 Code 4 on ICMP protocol. Any problems with doing this?
  2. Thomas M

    Thomas M Registered Member

    Jan 12, 2003
    Sometimes I get an ICMP type:3 code:3, which is a "destination unreachable" response.
    I have never seen"code:4", so I do not know of possible dangers when allowing this type of packets.

    Usually you receice ICMP type 3 logs when for example your DNS server is not responding.

    You could try reading this here below for more information:

  3. Jaws

    Jaws Registered Member

    Apr 4, 2005
    Hi Jon,

    The "correct" configuration of ICMP filters in a firewall is hotly debated. The problem is that ICMP are the "control messages" for TCP/IP. If you block some incoming ICMP, then you will break communication.

    The absolute minimum ICMP traffic to allow is the packets dealing with TCP path MTU discovery. Fragmenting a stream is more efficient at the TCP layer rather than the IP layer, so the TCP layer will try to discover when IP packets are being inadvertently fragmented. They do this by setting the "DF" (Don't Fragment) on all outgoing packets. When a router cannot forward the packet because it is too big, rather than fragmenting it, it sends back a "fragmentation needed" ICMP packet (type=3/code=4). The TCP stack then starts sending smaller IP packets, segmenting the data at the TCP layer rather than allow routers to fragment at the IP layer. Therefore, firewalls must be configured to allow incoming ICMP type=3, code=4 packets.

    Quoted from THIS this web site.


Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.