Global rules for ICMP protocol ???

  1. What global rules must be set for ICMP protocol?
  2. Must ICMPv6 be allowed or not?

Please don’t send me off to search. I have found several topics on the forum where this is discussed, but I need concrete recommendations (for Windows 7) from a competent person.

Hi comfireuser
It depends on your needs, but I would use the following ‘baseline’:

Allow IN
Fragmentation needed
Time Exceeded
Port unreachable
Host unreachable
Net unreachable
Protocol unreachable

Block and Log
ICMP in ANY ANY

This should allow ICMP control traffic in and all others out.

ICMPv6 is a bit more difficult. Do you actively use v6? If not, I’d drop it with a block ICMPv6 ANY ANY rule.

You’re probably going to get some differing opinions, as ICMP tends to be quite an emotive topic. For the majority, the ICMP settings in the default Global rules, when installing the full CIS suite or having run the Stealth Ports Wizard with the third option, will be sufficient. The two rules included in this configuration are:

Inbound - Type 3, code 4 (Fragmentation needed - required for MTU path discovery)
Inbound - Type 11 code 0 (Time exceeded - required for Tracert and to prevent routing loops)

To these you may choose to add additional Type 3 messages, such as codes 0 and 1 (net/host unreachable), and also Type 0 for Echo reply messages.

With regard to ICMPv6, unless you’re actively using IPv6, either natively or via a tunnelled interface, I suggest disabling IPv6 filtering on the Firewall Behaviour Settings/General page. You may also disable various aspects of IPv6 in Windows 7.

Edit: it seems Ronny and I posted at the same time :slight_smile:
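As an added illustration (this is not code from the thread or from Comodo), the inbound ICMPv4 baseline from Ronny's list and the two default CIS Global rules above can be written down as a small filter: the listed type/code pairs are allowed in, everything else is blocked and logged. The type/code numbers and the checksum rule are standard ICMPv4; the sample packets, the function names and the log format are constructed for this example.

```python
import struct

# ICMPv4 (type, code) pairs allowed inbound, following the thread's baseline:
# Ronny's list (fragmentation needed, time exceeded, port/host/net/protocol
# unreachable) covers the two default CIS rules (3/4 and 11/0).
# Type 0 (echo reply) is the optional extra Radaghast mentions.
ALLOW_IN = {
    (3, 0),   # destination unreachable: net unreachable
    (3, 1),   # destination unreachable: host unreachable
    (3, 2),   # destination unreachable: protocol unreachable
    (3, 3),   # destination unreachable: port unreachable
    (3, 4),   # fragmentation needed and DF set (path MTU discovery)
    (11, 0),  # time exceeded: TTL expired in transit (tracert)
    (0, 0),   # echo reply (only needed if you want outgoing ping to work)
}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, payload: bytes = b"") -> bytes:
    """Construct an ICMPv4 message with a valid checksum (constructed sample)."""
    draft = struct.pack("!BBH", icmp_type, code, 0) + payload
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(draft)) + payload


def parse_icmp(packet: bytes):
    """Return (type, code); raise ValueError on a short header or bad checksum."""
    if len(packet) < 4:
        raise ValueError("truncated ICMP header")
    # Checksum over the whole message, including the checksum field, is 0 when valid.
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


def filter_inbound(packets, log):
    """Apply the baseline: allow listed pairs, block and log everything else."""
    decisions = []
    for pkt in packets:
        try:
            t, c = parse_icmp(pkt)
        except ValueError as err:
            log.append(f"BLOCK malformed ICMP: {err}")
            decisions.append("block")
            continue
        if (t, c) in ALLOW_IN:
            decisions.append("allow")
        else:
            log.append(f"BLOCK ICMP in type={t} code={c}")
            decisions.append("block")
    return decisions


# Constructed sample traffic: two messages the baseline needs, two it should
# block (echo request, timestamp request) and two malformed ones.
SAMPLE_PACKETS = [
    build_icmp(3, 4, b"\x00\x00\x05\xdc"),   # frag needed, next-hop MTU 1500
    build_icmp(11, 0, b"\x00\x00\x00\x00"),  # time exceeded
    build_icmp(8, 0, b"\x00\x01\x00\x01"),   # echo request (inbound ping)
    build_icmp(13, 0),                       # timestamp request
    b"\x03\x03",                             # truncated header
    b"\x03\x03\x00\x00",                     # port unreachable, bad checksum
]


def run_sample():
    """Run the filter over the sample traffic; returns (decisions, log lines)."""
    log = []
    decisions = filter_inbound(SAMPLE_PACKETS, log)
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_sample()
    for d, line in zip(decisions, SAMPLE_PACKETS):
        print(d, line.hex())
    print("\n".join(log))
```

Note that the malformed messages are rejected before the policy is consulted, so they also land in the log; a real firewall such as CIS does this in its own packet validation, but it is worth seeing that "Block and Log ICMP in ANY ANY" is the catch-all for anything the allow rules do not match.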

Thank you for the answers. Having read some topics, I am already thinking about disabling ICMP entirely! :slight_smile:

But why are you against IPv6? What is dangerous in it? I don’t understand. Or does everything said concern only ICMPv6?

Preventing all ICMP traffic will almost certainly break some things.

But why are you against IPv6? What is dangerous in it? I don't understand. Or does everything said concern only ICMPv6?

I personally use IPv6 but many do not. If you have native IPv6 from your ISP, tunnelled IPv6 through a tunnel broker, or even Teredo/6to4, then enabling IPv6 filtering in the firewall will allow you to create rules for IPv6 traffic.

Two things worth mentioning, some consider using Teredo/6to4 a security risk and so disable IPv6 tunnelling in the Operating System. Also, IPv6 support in CIS is still incomplete, particularly ICMPv6 filtering.

I will answer in the Russian forum a little later.

I have already answered in Russian, so let's continue the discussion there.