Please can somebody tell me if there are any security concerns when allowing inbound connections on this protocol and icmp message?

I have added it to a network rule, as Shareaza (gnutella) apparently benefits from it.


Additionally, what are the ramifications of allowing ICMP HOST UNREACHABLE ?


I added 4 incoming ICMP network rules for uTorrent (P2P): Echo Request, Net & Host & Port Unreachables and allowed them. Reduces the log entries and seems to help a bit in speed. I came up with these 4 because they were intermittently appearing in the logs and also read on the uTorrent website that it helps the network, although not required.

You can also read here for security info.

Thanks soyabeaner.

I will add the same rules as you did.

After reading matousec’s article, it seems that all ICMP traffic should be allowed by default ???

Can anyone comment on why Comodo decides to block ICMP - is it just to defeat grc’s shields-up test?

hahah ;D that’s exactly what I thought. I asked a mod about this too and he said that we should at least have some ICMP protection, and I agree. Only allow incoming ICMP for ones that you “need” (i.e. that show complaints in the logs, usually the unreachables). You use a different p2p app, so you might not need as much or the same ones. Just monitor your logs and add one at a time.

Blocking ICMP is debatable - yes, you will receive stealth results from port scanning sites, but according to Matousec it isn’t really hiding your computer. Here’s another site that shows the opposite effect. I like its simple explanation, and hopefully it’s also accurate.
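To act on the advice above (watch the logs and allow one ICMP type at a time), here is an added example script, not from the thread, Comodo or uTorrent, that tallies blocked ICMP entries by type and code and suggests a rule only for the known-benign types discussed here. The log lines and their format are constructed for the example (not CPF's real log format), and the "seen from several distinct peers" threshold is an assumed heuristic to separate P2P unreachables from a single host repeatedly pinging you.

```python
import re
from collections import defaultdict

# ICMP type/code pairs named in the thread.
ICMP_NAMES = {
    (8, 0): "Echo Request",
    (3, 0): "Net Unreachable",
    (3, 1): "Host Unreachable",
    (3, 3): "Port Unreachable",
}

# Constructed sample log lines in a generic firewall-log shape (not CPF's real
# format); the addresses are documentation ranges.
SAMPLE_LOG = """\
2007-03-01 10:01:02 BLOCK IN ICMP src=203.0.113.5 dst=192.0.2.10 type=3 code=3
2007-03-01 10:01:05 BLOCK IN ICMP src=198.51.100.7 dst=192.0.2.10 type=3 code=3
2007-03-01 10:01:09 BLOCK IN ICMP src=203.0.113.44 dst=192.0.2.10 type=3 code=3
2007-03-01 10:01:12 BLOCK IN ICMP src=198.51.100.20 dst=192.0.2.10 type=3 code=1
2007-03-01 10:02:00 BLOCK IN ICMP src=203.0.113.99 dst=192.0.2.10 type=8 code=0
2007-03-01 10:02:01 BLOCK IN ICMP src=203.0.113.99 dst=192.0.2.10 type=8 code=0
2007-03-01 10:02:02 BLOCK IN ICMP src=203.0.113.99 dst=192.0.2.10 type=8 code=0
2007-03-01 10:03:10 BLOCK IN ICMP src=203.0.113.5 dst=192.0.2.10 type=13 code=0
2007-03-01 10:03:11 BLOCK IN TCP src=203.0.113.5 dst=192.0.2.10 dport=135
"""

LINE_RE = re.compile(
    r"BLOCK (?P<dir>IN|OUT) ICMP src=(?P<src>\S+) dst=\S+ "
    r"type=(?P<type>\d+) code=(?P<code>\d+)"
)

def tally_blocked_icmp(log_text):
    """Group blocked ICMP log entries by (direction, type, code) -> set of sources."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            seen[(m["dir"], int(m["type"]), int(m["code"]))].add(m["src"])
    return seen

def suggest_rules(seen, min_sources=2):
    """Suggest only known-benign types seen from >= min_sources distinct peers:
    P2P unreachables come from many peers, while repeated pings from one host
    look like a probe and should stay blocked (assumed heuristic)."""
    suggestions = []
    for (direction, typ, code), sources in sorted(seen.items()):
        name = ICMP_NAMES.get((typ, code))
        if name and len(sources) >= min_sources:
            suggestions.append(f"Allow {direction} ICMP {name} (type {typ}, code {code})")
    return suggestions
```

Run with `suggest_rules(tally_blocked_icmp(SAMPLE_LOG))`; the lone Host Unreachable, the repeated pings from one host, and the timestamp request (type 13) all stay blocked, so only Port Unreachable is proposed.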

You posted two very interesting links, soyabeaner. (:CLP)

I am sure that this could start a bit of a debate:


“A simple “ping” from the attacker travels through the cloud, and to the router in front of your firewall. Next, the echo request gets to your firewall. A stealth firewall will simply drop the echo request, and no reply is sent back to the attackers’ computer. So, you’re invisible, right? Since there’s no reply, there’s no computer there, right? Wrong and wrong! If there really was no computer (or firewall) there, the router sitting in front would reply for you with a simple ICMP “host unreachable” message back to the attacker. The attacker would then know that there really is nothing there. The lack of this “host unreachable” message is a clear indication that something is there and it’s dropping the packets rather than replying to them.”

I think anything related to computer/internet security is up for debate… Everyone seems to have a different opinion on the matter, and different “facts” to support that. Something I think Hansen overlooks is the possibility that the router could be configured to drop/block/disallow pings; this would potentially negate the whole theory there.

I’m not enough of a computer/security expert to say definitively whether any sort of IP traffic is a risk or not, be it ICMP, IGMP, GRE, TCP, UDP, etc. I do think that if there is a way to use it, the “black hats” will do so. From a logic standpoint, I think there may be some merit to what both sides say. Thus, I personally advocate caution.

I think it was me that soyabeaner asked the question of, and I hold to the answer… :wink: If a type of traffic is not shown to be needed for your system and applications (by regularly reviewing CPF’s logs), then why explicitly allow it? The way that CPF filters Network traffic, if it’s not specifically allowed, it will be blocked. If it’s needed, then allow it; you can probably zero in to specific ports to limit the chance of it being used for negative purposes by something else.

Some of the security-conscious believe in creating rules to limit applications and network activity to specific ports/websites; even though the application is trustworthy, there is a possibility that some malware could try to use a known app to get out. Thus, by creating limits to these things (like Windows Updater, etc) you limit the “damage” a malware could potentially cause. There’s info about this at Firewall Leaktester.

Hope that helps provide you some more stuff to think about, and feel secure in what you do with your system.


True enough. That’s why I’m relying on CPF (currently what I’m using, soon to be CFP 2.4)'s certified database to figure out all of that for me. But if it doesn’t specifically pick which ports, so be it. I’m definitely not (:NRD) enough to figure out or spend time figuring out tight rules like that :stuck_out_tongue: If I’m expected to manually configure my apps to this extent then it seems that a router may be a better option :THNK

Edit: Yes, it was you LM. Thanks. I didn’t want to post names without prior authorization :o

Hi, I also have a question regarding ICMP port unreachable alerts.

I get lots of them with the default setting for CPF, especially when I’m using utorrent. Is it okay to allow both incoming and outgoing rules for ICMP port unreachable? Right now I have incoming allowed and would like to know if it is okay to allow outgoing as well. I’m afraid all the ICMP denied alerts are clogging up my connection and slowing it down.

It seems that with some p2p apps you have to have both in & out ICMP Port Unreachable in order to get the green light. However, you’ve at least got it limited to one specific port, so that port will only be open when uTorrent’s using it (you set a very high port, it’s unlikely to be called for a regular application).


Yes. It’s even safer than incoming. I have allowed a network rule for outgoing ICMP - Port Unreachable. (The other one I have is outgoing ICMP - Echo Request) I’ve read one post by egemen that it’s more suitable for us p2p users. If I remember correctly, it certainly helps to reduce the logs in cases where you close uTorrent, but your connections are still active for some period.

LM, you are fast as the others claim. Replied before I could (CNY)

Thanks for the info guys!

LOL, it’s because I’m not a coder, I’m an administrator - I use all my fingers when I type (and maybe toes, too), and I’m pretty fast at it… :THNK

Next ICMP question, I’ll slow down, so you’ve got a chance to get to it. ;D


LOL, no way, that’s too complicated. Besides, not enough room on the desk for all that, along with all my other junk.