About default network rules created in CPF

I wonder why, among the default network rules created by the latest CPF beta, there are the 2 following:

  • “allow ICMP in from [any] to [any] where ICMP message is fragmentation needed”
  • “allow ICMP in from [any] to [any] where ICMP message is time exceeded”

Is this a kind of typo ;), or is this deliberate? If this is the latter, could you elaborate?

BTW, I changed “allow” to “block” for both of them for the time being.

From what I can remember, there were a lot of people that were experiencing certain web-sites not loading (or not loading fully) unless certain ICMP rules were created… these then became default rules in the new beta.

Thanks m0ng0d, but could you (or anyone else) elaborate a bit with technical details? It is really unclear to me why such rules would be needed…

The 1st ICMP rule is because some routers send you this ICMP and your PC behaves accordingly. Otherwise, some sites requiring fragmentation on their routes will not be shown correctly. Like Windows Update routes.

The other one is about allowing you to be able to do tracerouting. You can live with/without those rules safely.

So if I understand correctly egemen, ICMP Time Exceeded is only for routers while ICMP Fragmentation Needed is required by some webpages? I’m asking again because you said 1st one is for routers but first one mentioned by TerDale is Fragmentation Needed which is also mentioned for Windows Update (and other webpages).

No no. Both of them are for the personal computer. “traceroute” is a command you can issue from the command line.
For example: “tracert www.comodo.com” will show you the route to the www.comodo.com server. Without the time exceeded rule, it will not work.

Thanks egemen for these clarifications.
Indeed, for the 2nd one (time exceeded) I suspected this was related to ping/tracert stuff, but I was not strict enough and tested only with ping, for which I didn’t notice any side-effect while blocking the rule. Now, testing with tracert makes it clear.
Thanks a bunch :)
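
The two message kinds discussed in this thread, shown as an added example that is not part of the original posts and is not Comodo's code: a Python classifier that matches a raw inbound ICMPv4 message against the two default rules and, for "fragmentation needed", extracts the next-hop MTU the router reports. The function names and the sample messages are constructed for illustration.

```python
import struct

# ICMPv4 type/code values from RFC 792 and RFC 1191.
DEST_UNREACHABLE, FRAG_NEEDED_CODE, TIME_EXCEEDED = 3, 4, 11


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def classify_icmp(msg: bytes) -> dict:
    """Match one inbound ICMPv4 message against the two default rules."""
    if len(msg) < 8:
        return {"rule": None, "reason": "truncated header"}
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    if inet_checksum(msg) != 0:
        return {"rule": None, "reason": "bad checksum"}
    if icmp_type == DEST_UNREACHABLE and code == FRAG_NEEDED_CODE:
        # RFC 1191: the low 16 bits of the second header word carry the next-hop MTU
        return {"rule": "fragmentation needed", "next_hop_mtu": mtu}
    if icmp_type == TIME_EXCEEDED:
        # code 0 = TTL expired in transit, which is what tracert relies on
        return {"rule": "time exceeded", "code": code}
    return {"rule": None, "reason": f"type {icmp_type} code {code} not covered"}


def build_icmp(icmp_type, code, rest, payload=b""):
    """Construct a sample message with a valid checksum (test data only)."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


# Constructed samples: the quoted original IP header is a 28-byte zero placeholder
QUOTED = bytes(28)
SAMPLES = {
    "frag": build_icmp(3, 4, struct.pack("!HH", 0, 1400), QUOTED),
    "ttl": build_icmp(11, 0, bytes(4), QUOTED),
    "echo": build_icmp(8, 0, struct.pack("!HH", 1, 1), b"ping"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_icmp(raw))
```

The echo request sample matches neither rule, which is consistent with ping being unaffected when only these two rules are changed.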