ICMP - Code(4) & type(3)

What is this?


http://img693.imageshack.us/img693/2729/firewallo.jpg

Edit: Added ICMP to the Subject

[quote=Internet Control Message Protocol - Wikipedia]Fragmentation required, and DF flag set[/quote]

A bit more on this:

Type 3 = Destination Unreachable
This means that some IP packet your system sent did not reach its destination.

Code 4 = Fragmentation needed, DF set
The packet needed to be chopped into smaller pieces, but the DF (Don't Fragment) bit was set in the header.
So now the router has to send an ICMP type 3, code 4 message to the originating sender to let the system know the packet did not reach the destination.

So that’s why Fragmentation Needed is one of the firewall’s default allowed rules. I find it odd that some users block legitimate ICMP traffic.
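As an added illustration of the message described above (example code written for this page, not from the thread or from Comodo), this Python builds a constructed type 3, code 4 datagram with the Next-Hop MTU field from RFC 1191, parses it, and shows how a stateful firewall can honour the default "allow Fragmentation Needed" rule while still dropping messages that do not quote traffic the host actually sent. All addresses and the acceptance heuristic are constructed for the example.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 for a correctly checksummed buffer."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ip_header(src: str, dst: str, proto: int, df: bool, total_len: int) -> bytes:
    """Constructed 20-byte IPv4 header; DF is bit 0x4000 of the flags/fragment field."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000 if df else 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_frag_needed(orig_ip_header: bytes, orig_first8: bytes, next_hop_mtu: int) -> bytes:
    """ICMP type 3, code 4 as a router emits it: type, code, checksum, unused,
    Next-Hop MTU (RFC 1191), then the dropped datagram's IP header + first 8 bytes."""
    body = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu) + orig_ip_header + orig_first8
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_frag_needed(icmp: bytes) -> dict:
    """Validate the message and extract what a firewall needs to judge it."""
    if len(icmp) < 8 + 20 + 8:
        raise ValueError("truncated: need ICMP header, quoted IP header and 8 bytes")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (3, 4):
        raise ValueError(f"not Fragmentation Needed: type {typ} code {code}")
    _, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", icmp[8:28])
    return {"mtu": mtu, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "df": bool(flags_frag & 0x4000)}

def accept_frag_needed(icmp: bytes, my_ip: str, active_peers: set) -> bool:
    """Stateful form of the 'allow Fragmentation Needed' rule (constructed heuristic):
    admit the message only if it quotes a DF datagram this host sent to a peer it is
    really talking to and carries a plausible MTU (68 is the IPv4 minimum, RFC 791)."""
    try:
        m = parse_frag_needed(icmp)
    except ValueError:
        return False
    return m["src"] == my_ip and m["dst"] in active_peers and m["df"] and m["mtu"] >= 68
```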

You've got a point there; it didn't even pop into my mind. 4sb, can you please provide a screenshot of your global rules? It seems to be missing at least one default rule that should be present, like the allow rule mentioned by Soya above.


http://www.zimagez.com/avatar/globalrules.jpg

I do not agree that global rules should say that all IP OUT is allowed.

I have made such a rule only from LAN to LAN, and ICMP requests should not be limited only to fragmentation needed and time exceeded either; what about echo, for example?

I wondered too why there's an "allow IP out any" after you used the Stealth Ports Wizard. I erased this rule at once and never had a problem.
The rule set in the picture is the one you get with "stealth me to everyone".

What do you need echo request for?

Comodo set up somewhat more complex ICMP rules for me.
The LAN rules were written by me; I have no standard WAN ICMP allow rules.

http://brucine.hostoi.com/online/globalrules.jpg

Kerio documents clear rules concerning which ICMP requests should or should not be allowed, and the same applies to Comodo:

http://www.urs2.net/rsj/computing/kerio/index.html

Echo request in (and echo reply out) should, in my opinion, be allowed only for the LAN and denied for the WAN, so that your computer cannot be pinged from the WAN.