Global ICMP Rules

Just_Another_Joe · June 22, 2009, 12:58am

The standard global ICMP rules for Comodo seem to be:

Allow Out Echo Request
Allow In Fragmentation Needed
Allow In Time Exceeded

Since we allow Echo Request out, shouldn’t we also need to allow Echo Reply in? Or is the Echo Reply automatically allowed as the reply to the Echo Request out?

Why do we allow in only Fragmentation Needed, rather than the entire group of Destination Unreachable?

Just_Another_Joe · June 24, 2009, 1:02am

Anyone?

system · June 24, 2009, 1:59am

In truth, if you want PING to behave itself you might need to consider some additional rules:

Allow IN Destination Unreachable (up to you which you choose)
Allow IN Echo Reply

Just_Another_Joe · June 24, 2009, 9:05pm

Ping seems to function fine with only the default three rules in place. From this I take it that Echo Reply is automatically allowed as a response to Echo Request, in the same way that web pages are allowed in response to the outgoing request from the Comodo machine, for example. I just wanted someone to confirm that.

Regarding Destination Unreachable, I was curious as to why only Fragmentation Needed was allowed. I guess my question was whether there are any software which may require (or make use of) the other ones.

Or for that matter, what software makes use of Fragmentation Unreachable? And likewise, what software makes use of Time Exceeded. Are these two used by the system? Other software?

system · June 24, 2009, 11:08pm

To understand the different ICMP types, you also need to understand some of the mechanics of IP.

A typical IP datagram is 65k, however, when that datagram traverses the Internet, it’s likely it will encounter segments with different MTU (Maximum Transmission Size) sizes.

When an IP datagram encounters an MTU smaller than 64k the datagram is split into smaller pieces and retransmittd (fragmentation). Finally, when the datagram reaches it’s destination, the reciveing station is responsible for reassembly. This is where the ICMP Fragmentation Message comes in.

Please understand that ICMP is much more than just PING, it’s fundamental to communication between devices, for many and varied reasons, that’s what it’s called the INternet Control Message Protocol.

Destination unreachable is just what it sounds like it is. Whilst not strictly necessary for use with personal firewalls, it can be a benefit when using p2p clients, to cut down on the amount of garbage generated in the logs.

Time Exceeded is typically used by utilities like tracert.

Just_Another_Joe · June 25, 2009, 2:27am

Toggie, thanks.

To summarize:
Fragmentation is used by the system.
Time Exceed is used by various software.
Both are covered by the default rules.
Other Destination Unreachable types may be allowed as required.