Outbound ICMP Echo Request stateful bug?

I’ve noticed that my computer (running CPF) in certain situations would start responding to incoming ping requests without having any network rules that should allow this. After investigating this, I was able to observe the following behaviour:

If you make a rule that allows outbound ICMP echo requests (like rule #1 in the default rules), then when you send ICMP echo requests to another host, incoming echo replies from that host will be statefully allowed, as one would expect. However, that stateful rule also seems to allow incoming echo requests from that host as well, and your host (running CPF) will reply to these. This rule will last for a while until it times out or CPF is restarted. It doesn’t matter if you have a rule that explicitly blocks incoming ICMP echo requests, since it’s being statefully allowed by the outbound rule.

Shouldn’t CPF’s stateful inspection engine in this context only allow incoming ICMP echo replies?

EDIT: And possibly also allow related ICMP Destination Unreachable messages.
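The two behaviours described above, as an added example that is not part of the original post and not CPF’s or Windows Firewall’s code. It models an ICMP state table two ways: a loose tracker that records only the peer address after an outbound echo request (and so admits the peer’s echo requests too, regardless of any explicit block rule applied afterwards), and a strict tracker keyed on (peer, identifier, sequence) that admits only the matching echo reply or a Destination Unreachable quoting that request. Packets are plain dataclasses rather than real ICMP bytes; the addresses, identifier, sequence numbers and 30-second timeout are constructed for the demonstration.

```python
"""Simulates loose vs. strict ICMP state tracking for an outbound echo request.

Constructed example, not the firewall's code. Packets are dataclasses, not
real ICMP bytes; addresses, identifiers and the timeout are made up.
"""
from dataclasses import dataclass
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8


@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0      # Echo identifier (meaningful for types 0 and 8 only)
    seq: int = 0        # Echo sequence number
    inner: Optional["Icmp"] = None  # type 3 quotes the datagram it reports on


class LooseTracker:
    """Reported behaviour: an outbound echo request records the peer address,
    and until the entry expires any ICMP from that peer is accepted."""

    def __init__(self, local: str, ttl: float = 30.0):
        self.local, self.ttl, self.table = local, ttl, {}

    def outbound(self, pkt: Icmp, now: float) -> None:
        if pkt.src == self.local and pkt.type == ECHO_REQUEST:
            self.table[pkt.dst] = now + self.ttl

    def inbound_allowed(self, pkt: Icmp, now: float) -> bool:
        expires = self.table.get(pkt.src)
        if expires is None or expires <= now:
            self.table.pop(pkt.src, None)
            return False
        return True     # no check of type, identifier or sequence


class StrictTracker:
    """Expected behaviour: state keyed on (peer, identifier, sequence), admitting
    only the matching echo reply or an unreachable that quotes the request."""

    def __init__(self, local: str, ttl: float = 30.0):
        self.local, self.ttl, self.table = local, ttl, {}

    def outbound(self, pkt: Icmp, now: float) -> None:
        if pkt.src == self.local and pkt.type == ECHO_REQUEST:
            self.table[(pkt.dst, pkt.ident, pkt.seq)] = now + self.ttl

    def _live(self, key, now: float) -> bool:
        expires = self.table.get(key)
        if expires is None or expires <= now:
            self.table.pop(key, None)
            return False
        return True

    def inbound_allowed(self, pkt: Icmp, now: float) -> bool:
        if pkt.type == ECHO_REPLY and pkt.dst == self.local:
            return self._live((pkt.src, pkt.ident, pkt.seq), now)
        if pkt.type == DEST_UNREACH and pkt.inner is not None:
            q = pkt.inner   # the quoted datagram must be our own outstanding request
            if q.src == self.local and q.type == ECHO_REQUEST:
                return self._live((q.dst, q.ident, q.seq), now)
        return False        # an inbound echo request never matches outbound state


def run_scenario(tracker_cls) -> dict:
    """Replays the LAN situation from the post against one tracker; returns each verdict."""
    local, peer, router = "192.168.1.10", "192.168.1.20", "192.168.1.1"  # constructed
    fw = tracker_cls(local, ttl=30.0)
    t = 1000.0
    verdicts = {}

    # 1. We ping the peer; its echo reply should be admitted by any stateful engine.
    fw.outbound(Icmp(local, peer, ECHO_REQUEST, ident=0x1234, seq=1), t)
    verdicts["echo_reply"] = fw.inbound_allowed(
        Icmp(peer, local, ECHO_REPLY, ident=0x1234, seq=1), t + 0.01)

    # 2. A second ping; a router reports it unreachable and quotes our request.
    req2 = Icmp(local, peer, ECHO_REQUEST, ident=0x1234, seq=2)
    fw.outbound(req2, t + 1)
    verdicts["unreach_from_router"] = fw.inbound_allowed(
        Icmp(router, local, DEST_UNREACH, inner=req2), t + 1.01)

    # 3. The peer now pings us. Nothing we sent justifies admitting this.
    verdicts["echo_request_from_peer"] = fw.inbound_allowed(
        Icmp(peer, local, ECHO_REQUEST, ident=0x99, seq=7), t + 2)

    # 4. Well past the timeout, a stray reply to seq 1 arrives; both must drop it.
    verdicts["after_timeout"] = fw.inbound_allowed(
        Icmp(peer, local, ECHO_REPLY, ident=0x1234, seq=1), t + 120)
    return verdicts


if __name__ == "__main__":
    for cls in (LooseTracker, StrictTracker):
        print(cls.__name__, run_scenario(cls))
```

Running it shows the loose tracker admitting the peer’s echo request (the “ping hole”) while rejecting the router’s Destination Unreachable, and the strict tracker doing the reverse; both drop the late reply once the entry has expired.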

Yes but it does not do full stateful inspection for ICMP protocol. Full stateful inspection is only for TCP.

Thanks for the reply. Maybe I’ll post such a feature in the wishlist then ;).

I’ve tested this with Windows Firewall too and it looks like it’s doing full stateful inspection for ICMP.

But it’s not that big an issue, really. It’s just that this had me puzzled for a while. I was pinging my computer from another computer on my LAN while it was booting to check stealth. Then suddenly, just after logging in, it started replying to the pings :o and then stopped again when the CPF tray icon appeared. But ports were still filtered. It turns out that it was one of the MS LAN services that sent a ping request to the other computer since I had mapped to a file share on it earlier, thereby opening the “ping hole” :).


Sure feel free to add this to the wishlist. But this is hardly a hole. Because ping requests are used to know if your host is live or not. When you ping another computer, that computer will already know you are online. Thus, it will not gain any additional data it can not have before. But if the pinged host starts a sort of DOS attack or similar with ICMP protocol, CPF will still detect and react accordingly.


Thanks Egemen, but I’m aware of that. I’m sorry if I somehow gave the impression that I believed this to be a hole or weakness. I agree, this issue is of little or no practical consequence. I suppose I’m just being picky about (nonessential) details. (:NRD)

I’m sure there are other issues and requested features to address that are more important than this.

