ICMP firewall rule

Hey,

Another question :)
I read that it makes sense to allow ICMP, but is it wise to allow it for everybody and everywhere (because of the “ping of death”)?

I want to restrict it just to my clients in GREEN, RED and ORANGE. So I make a group with them and allow ICMP to all networks without NAT. Does it make sense?

Best regards
fstarter

Can’t fully answer this.
But you can rate limit the firewall rule, at the bottom, under additional settings.
Hope that helps.
Very new at this myself.

The allowance/blocking is a broadly discussed topic.
Short result: it depends. There are situations where blocking helps, others where it hinders. But in no scenario does it really hurt to allow ICMP.
Thus it is okay just to allow this traffic. My opinion.

You can search for these discussions in the community to get your own view of this aspect.

2 Likes

Ok, I will look for it.
But if I want to allow it,

  1. does it make sense to restrict it just to the clients in the network (maybe even without Windows PCs?)?
  2. and do I need access to all networks for ICMP or is it useful just to allow for some and not for others? For example for GREEN and BLUE, but not for ORANGE.

#Edit: by the way, I can ping within my network almost without any extra rule for ICMP. But the log shows that the automatic ping between the REDipfire and the provider router is dropped. Is it normal?

No, this is not normal. ICMP between IPFire and provider router should not be blocked (by FW rules). This is one case where ICMP is essential. ICMP is used to check whether a client (in the sight of the provider) is online/active. This is comparable to the door bell. If someone is at home, you expect that the door is opened.

It worked for years, as it seems, without problems… hmm…
I made a rule now for the firewall to get to all networks via ICMP.

By the way… what about IGMP?