ICMP Rules

Hi. Just installed 5.8 and re-entered all my firewall rules. I use Proactive Security and am behind a router. I’m wondering if I have ICMP optimised as follows and if they are in the right order (just showing summary of each rule):

Global Rules:

Allow ICMP In Type 0 “Echo Reply”
Allow ICMP In Type 3 “Port Unreachable”
Allow ICMP In Type ? “Fragmentation needed”
Allow ICMP In Type 11 “Time Exceeded”

Allow ICMP Out Type 3 “Port Unreachable”
Allow ICMP Out Type 8 “Echo Request”

Block ICMP In/Out…Where ICMP Message is Any

Presumed I need to give svchost permission to generate Any ICMP outgoing to be controlled by Global rules…

Application Rules:

svchost.exe Allow ICMP Out Type “Any”

BTW, what is the type and code for ‘Fragmentation Needed’. Just curious.

Any help appreciated ;D

What do you need ICMP traffic for?
Especially echo request and reply, as examples? It's like saying, HELLO, to everyone who randomly will ask for it.

Try the stealth port wizard setting 3, and look in the global rules after. If everything works, leave it like that. You can erase the allow all outgoing rule from the global rules. It is not needed.

Your router should already filter most ingoing ICMP attempts itself.
Doesn't svchost work when it can't send or receive ICMP traffic? I don't think that updates are requested by pings.
As long as something works fine with a secure rule, keep it secure.

That pretty much mirrors the configuration I currently use and should cover you pretty well.

Presumed I need to give svchost permission to generate Any ICMP outgoing to be controlled by Global rules...

You should only need ICMP Type 8 - Echo Request for svchost and that's only related to Windows updates and Nlasvc.

Application Rules:

svchost.exe Allow ICMP Out Type "Any"

See above.

BTW, what is the type and code for 'Fragmentation Needed'. Just curious.

Any help appreciated ;D

Type 3 Code 4

This is a very useful reference.


Hi. I agree…which is why I don’t have outgoing Type 0. Admit I don’t know why I had outgoing Type 3. ;D Found it in a Wilders rules suggestion thread.

Your advice about deleting the Global 'Allow All Out' is interesting. I originally deleted it, but on later upgrade reinstalls I’ve left it at the bottom of my Global list. I presume its need depends on what global block rules you create that might stop wanted outgoing? This stuff makes my eyes swim. :-\


Thanks for clarification on ICMP rules and link. :-TU

About the allow all outgoing default rule in global rules:
A non-existent rule in global rules doesn't produce a question or a block, in contrast to application rules.
So, if you erase an outgoing allow all rule in global rules, nothing changes :wink: (But this rule can make all your block rules there invalid, as long as it stands on top of them. So I would say, this rule is not only useless, it's dangerous for your ruleset, if you don't realize that any block under it would be invalid without any sign.)

But if you make a block rule, and want to make an exception for this rule, you need to put an “allow outgoing for a specific case” on top of the block rule. But for sure not “allow all outgoing”.
This rule makes no sense as it is in there per default, and it can prevent your global rule set from being valid if this rule set contains blocks under the default allow rule!

About ICMP:
I manage a computer that has to “run on its own”, and I just let the two ICMP rules stand in global rules which come after using the stealth port wizard setting 3. I use high alarm settings, so I would get notified of svchost trying to use ICMP while updating. The updates run like they should. No ICMP needs to be allowed for that. No other protocol than TCP or maybe UDP.
Try it for yourself, and tell me if I am wrong.
I play games, use the internet, get updates, and I never missed having ICMP allowed.
Allowed are two kinds of ICMP ingoing, fragmentation needed and time exceeded (wizard setting 3);
blocked are, placed under this rule: any ICMP in and out.
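As an added example (not from the thread, and not Comodo's code), here is a small Python model of first-match global rules that reproduces the ordering point made in this post: with “Allow All Out” above the ICMP block rule, outgoing ICMP that should be blocked is allowed, while at the bottom it changes nothing. The first-match and implicit-allow semantics are assumptions taken from the post, not verified against CIS.

```python
# Added example (not from the thread): first-match model of CIS-style global
# rules. Assumed: first matching rule wins; unmatched packets are allowed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "block"
    direction: str                   # "in", "out" or "any"
    proto: str                       # "icmp" or "any"
    icmp_type: Optional[int] = None  # None = any ICMP type

@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    icmp_type: Optional[int] = None

def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("any", pkt.direction)
            and rule.proto in ("any", pkt.proto)
            and rule.icmp_type in (None, pkt.icmp_type))

def evaluate(rules: list, pkt: Packet) -> str:
    """Action of the first matching rule, else the implicit default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "allow"  # assumed: an unmatched packet is not blocked by global rules

# The original poster's ICMP rules, in order ("Fragmentation needed" is type 3 code 4).
ICMP_RULES = [
    Rule("allow", "in", "icmp", 0),   # echo reply
    Rule("allow", "in", "icmp", 3),   # destination unreachable
    Rule("allow", "in", "icmp", 11),  # time exceeded
    Rule("allow", "out", "icmp", 3),  # port unreachable
    Rule("allow", "out", "icmp", 8),  # echo request
    Rule("block", "any", "icmp"),     # everything else ICMP
]
ALLOW_ALL_OUT = Rule("allow", "out", "any")   # the default global rule

def decisions(rules: list) -> dict:
    """Verdicts for a few constructed probe packets under a given rule order."""
    probes = {
        "frag_needed_in": Packet("in", "icmp", 3),
        "echo_request_in": Packet("in", "icmp", 8),
        "redirect_out": Packet("out", "icmp", 5),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}
```

`decisions([ALLOW_ALL_OUT] + ICMP_RULES)` reports the outgoing redirect as allowed, whereas `decisions(ICMP_RULES + [ALLOW_ALL_OUT])` and `decisions(ICMP_RULES)` give identical verdicts.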

I’ll delete the Global Allow All Out as you suggest. :slight_smile: I’ve done away with svchost’s ICMP Type 3 out but I’m too set in my ways not to keep the Type 8 rule. 88)

Random someone in the internet: Hello?
Your computer: Heyyyyy, what's up?

Looks strange, doesn't it?

Mostly it's good advice to act in the internet like you would act in the streets. But with even more caution, as you don't see the other one directly, just by what he's telling.
As you are not alone in the internet, but need a computer for it, you should instruct him to act like you would :slight_smile:

Why should your computer answer to an echo request? And then, why should he receive these requests at all?

On Windows 7, there are actually several occasions where svchost may make an Echo request to one of two Microsoft addresses:

During boot as part of NLASvc
As part of Network Diagnostics
As part of a Windows update check. I believe this is specifically related to the root store update check

Whether you choose to create a rule for svchost that specifically allows ICMP Type 8 out to these addresses is entirely your decision.

Unfortunately, there’s a great deal of mythology surrounding ICMP, its function and use, most of it completely inaccurate, but I guess it’s easier to just believe the hype than do some research :slight_smile:

Which hype, and why do you think I would believe a hype? I tested, and acted related to the results.
If something is not necessary, it can be disabled. And if this disabling could INcrease security, or can DEcrease the usage of the processor which would have to process ICMP things, why on earth should I choose the opposite?
It's a choice with benefit, it's not following a hype.

Comodo would not ask during boot attempts. I was told it would block pre-attempts.

You don't need to diagnose the internet :wink: , and the internet has no business to diagnose you.

It’s entirely your prerogative to create rules for whatever you deem necessary, as it is for anyone else.


I hijack this older but very informative thread since our forum VIPs are / were involved and maybe I can get good answers to the very noobish question:

Can I use the ICMP rules suggested above and block any ICMP-IP6 traffic (tcp/udp/icmp… whatsoever)?

I am really no techie but I think, since I have a handful of Win7 and some Linux PCs in our LAN, that I might do best to leave ICMP6 enabled on the Windows machines. However, doing so might make our LAN experience good :slight_smile: but I do not want to allow IP6 traffic going outside our LAN. I think we don't need it.

Is this worth doing and possible to do so?

thanks a lot!

Unfortunately, the support for ICMPv6 filtering in CIS is virtually non-existent and the aforementioned rules are only for ICMPv4. If you’re having problems using IPv6 between your Linux and Windows systems and you feel the firewall is the cause, the best you can do is create some very generic rules to allow LAN traffic.