Note for admins: ICMP filters on local firewalls

Why they do more harm than good

2024/07/03

Many departments at TU Darmstadt protect their systems with a firewall or with rules on the corresponding hosts. For protocols such as TCP, UDP and ESP, a sensible approach is to first block everything and then enable specific services. This approach is also often used for ICMPv6 and ICMP (Internet Control Message Protocol). However, this can lead to problems.

Why filtering ICMP is problematic

ICMPv6 and ICMP are mandatory for the proper functioning of IP. ICMP (or ICMPv6) is often mistakenly equated with “ping”. Switching ICMP off is expected to improve security, because the host can no longer be reached via “ping” and thus supposedly becomes invisible.

In reality, however, the reachability check via “ping” is only one of many ICMP functions. IPv6 relies on ICMPv6 for address resolution on the local link (Neighbor Discovery); both IP versions use it to determine the largest packet size the transmission path can carry (Path MTU Discovery).

If the packets required for this are filtered, in the simplest case individual remote hosts become unreachable (web pages simply “hang” while loading), or intermittent network problems occur that are hard to trace.

Recommendation of the HRZ

Basic protection for problematic or unnecessary ICMP types is set up at the TU firewall.

In general, you should only block ICMP yourself if you consciously accept the possible risks. Current operating systems are not put at risk by ICMP.

If you still want to block ICMP, you will find valuable tips for a sensible configuration under the following links:

https://www.rfc-editor.org/rfc/rfc4890#page-18

https://hepix-ipv6.web.cern.ch/content/examples-rfc4890-compliant-icmp-filter-configuration

https://datatracker.ietf.org/doc/html/draft-ietf-opsec-icmp-filtering-04
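As an illustration of what such a “sensible configuration” looks like in practice, here is an added example of a host firewall for a Linux server written for nftables. It is not taken from this note or from the linked documents; it follows the spirit of RFC 4890 by passing the ICMP and ICMPv6 messages that IP itself depends on (the error messages behind Path MTU Discovery and the Neighbor Discovery messages mentioned above) while everything else falls through to the default drop policy. The interface, the open SSH port and the ping rate limit are assumptions for the example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the HRZ note or RFC 4890 itself): a host firewall
# that blocks by default but keeps the ICMP/ICMPv6 messages IP needs.
# Assumptions: the host offers SSH on port 22 and nothing else.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # The weak setting this note warns against, kept only as a comment:
        # dropping all ICMP silently breaks Path MTU Discovery and, for IPv6,
        # Neighbor Discovery, so remote hosts "hang" or become unreachable.
        # meta l4proto { icmp, icmpv6 } drop

        # IPv4: error messages that Path MTU Discovery and normal error
        # reporting depend on. destination-unreachable covers type 3 code 4
        # ("fragmentation needed"), the message that carries the path MTU.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # IPv4: allow ping, but rate-limited (value is an assumption)
        icmp type echo-request limit rate 10/second accept

        # IPv6: error messages RFC 4890 says must not be dropped.
        # packet-too-big is the IPv6 counterpart of "fragmentation needed".
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # IPv6: ping and its reply
        icmpv6 type echo-request limit rate 10/second accept
        icmpv6 type echo-reply accept

        # IPv6: Neighbor Discovery (address resolution, router discovery).
        # These are link-local by definition and always sent with hop limit
        # 255, so anything that has crossed a router is rejected.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # IPv6: Multicast Listener Discovery, needed for the multicast groups
        # that Neighbor Discovery itself uses (also link-local, hop limit 1).
        icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-done, mld2-listener-report } ip6 hoplimit 1 accept

        # The one service this host offers (assumption for the example).
        tcp dport 22 accept

        # Everything else, including deprecated ICMP types such as
        # source quench or the IPv6 node information queries, is dropped
        # by the chain policy.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. A quick functional test after loading: `ping` and `ping -6` to a remote host should still work, and `tracepath` (IPv4) or `tracepath -6` should report a path MTU rather than hanging, which confirms that the error messages needed for Path MTU Discovery are getting through.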