Case 1. I have a global ruleset that allows all outgoing IP traffic, and blocks everything else. I also have an application ruleset for ping.exe that allows outgoing ICMP “Echo Requests” and blocks everything else. There is no global or application rule that would allow incoming ICMP “Echo Replies”. My CFP is in the Custom Policy Mode. Despite all this, I can ping remote hosts, the echo replies are coming through.
I can specifically create the “Block incoming ICMP ‘Echo Reply’” rule in the global and application rulesets, and the ping still works.
Case 2. I have a global ruleset that allows incoming ICMP “Echo Requests” but specifically blocks outgoing ICMP “Echo Replies”. Despite this, a remote host can ping me.
Why are the “Block ICMP ‘Echo Replies’” rules ignored in these cases?
Does CFP treat ICMP as a connection-oriented protocol, automatically allowing echo replies to come through because echo requests were allowed to be sent to a particular host?
If it does, what is the point of having “ICMP Echo Reply” in the ICMP message list? There is no way you can create a working rule with this option, is there?
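The behaviour the post describes matches a stateful filter that consults its connection-tracking table before the rulesets. The following toy model is an added example, not code from the thread or from CFP; it assumes that an allowed echo request is remembered by (peer address, echo identifier) and that a reply matching that entry is accepted before any global or application rule is evaluated, which is why the explicit “block echo reply” rules never fire in either case, while an unsolicited reply with no matching entry still falls through to the rules and is blocked.

```python
from dataclasses import dataclass
ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers (RFC 792)
REMOTE = "198.51.100.1"           # constructed sample peer address

@dataclass(frozen=True)
class Packet:
    direction: str    # "out" or "in"
    remote: str       # peer address
    icmp_type: int
    ident: int        # Echo identifier; the reply copies it from the request
@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    direction: str                    # "out" or "in"
    icmp_type: "int | None" = None    # None matches any ICMP type

class IcmpFilter:
    """Toy stateful filter (assumed behaviour, not CFP's real implementation).
    An allowed echo request records (remote, ident); the matching reply is accepted
    from that state table before any rule runs, so an explicit 'block echo reply'
    rule is never reached. Unsolicited replies still fall through to the rules."""
    def __init__(self, rules, stateful=True):
        self.rules = rules            # ordered list; first matching rule wins
        self.stateful = stateful
        self.pending = set()          # echo requests still awaiting a reply

    def _rules_verdict(self, pkt):
        for r in self.rules:
            if r.direction == pkt.direction and r.icmp_type in (None, pkt.icmp_type):
                return r.action
        return "block"                # nothing matched: default deny

    def decide(self, pkt):
        key = (pkt.remote, pkt.ident)
        if self.stateful and pkt.icmp_type == ECHO_REPLY and key in self.pending:
            self.pending.discard(key)
            return "allow:state"      # state match; rulesets never consulted
        verdict = self._rules_verdict(pkt)
        if verdict == "allow" and pkt.icmp_type == ECHO_REQUEST:
            self.pending.add(key)     # open a slot for the expected reply
        return verdict + ":rule"

def exchange(rules, first_direction, stateful=True):
    # Replay one echo request and its reply; returns (request, reply) verdicts
    reply_direction = "in" if first_direction == "out" else "out"
    fw = IcmpFilter(rules, stateful)
    req = Packet(first_direction, REMOTE, ECHO_REQUEST, 0x1234)
    rep = Packet(reply_direction, REMOTE, ECHO_REPLY, 0x1234)
    return fw.decide(req), fw.decide(rep)

CASE1 = [Rule("block", "in", ECHO_REPLY), Rule("allow", "out")]                # post's case 1
CASE2 = [Rule("allow", "in", ECHO_REQUEST), Rule("block", "out", ECHO_REPLY)]  # post's case 2
```

Running the same rulesets with `stateful=False` shows the outcome the poster expected: the reply is blocked by the explicit rule.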
I second Jasper2408’s suggestion. I want to add that many DSL modems serve as NAT routers, often without users knowing that they have that capability. I have a Westell 2100 modem which is configured to use NAT, but has no capability of blocking ICMP 11 inbound, so it also beeps at Gibson.