My question is: should a firewall let all ICMP traffic through, because there is no real risk if it does?
Here is the thinking behind my question: Robin Walker's cable modem webpages at
look to me as if they are technically sound. But they are a few years old. I would like to know what people think about the advice he gives about ICMP traffic and whether it is still true these days.
He suggests that firewalls should let all ICMP traffic through and that there is no real risk if they do that. At
------------------- START QUOTE -----------------
STEALTH-MODE FIREWALLS CONSIDERED HARMFUL
Some firewalls have a hiding mechanism they call stealth. ... In stealth mode, the firewall causes the PC just to ignore incoming connection attempts, rather than rejecting them, as would be normal for incoming connection attempts to closed ports.
... causes some difficulties. For a start, Internet standard RFC 1122 states categorically about ICMP Echoes (ping):
"3.2.2.6 Echo Request/Reply: RFC-792. Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies."
So you are strongly advised not to apply stealth techniques to the ICMP protocol.
A commonly heard objection to allowing ICMP Echo Replies is that it gives away information to hackers that there is a live connection on this IP address. Such objections are not well-founded, and can be safely ignored.
There is no evidence in practice that any hacker has been aided by the presence of an ICMP Echo Reply.
Hackers do not typically write code that tests an address with ICMP Echo before launching a hostile probe: they always send the hostile probe directly: either it works or it doesn't, and information from ICMP adds nothing to the analysis.
------------------- END QUOTE -----------------
So, should a firewall let all ICMP traffic through? Is it OK to do that?
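An added illustration, not part of the original post or of Robin Walker's pages: a minimal Python implementation of the RFC 1122 3.2.2.6 "Echo server function" the quote cites (parse an Echo Request, verify its RFC 1071 checksum, answer with an Echo Reply carrying the same identifier, sequence number and data), beside a hypothetical per-type inbound filter. The policy set `ALLOWED_INBOUND` (echo, Destination Unreachable, Time Exceeded accepted; everything else silently dropped, i.e. "stealthed") is an assumption chosen for the example, not a recommendation from the page or any vendor. All packets are constructed inline; nothing is sent on the wire.

```python
"""ICMP echo server function (RFC 792 / RFC 1122 3.2.2.6) and a per-type
inbound ICMP filter. Added example; constructed packets only, no network I/O."""
import struct
from typing import Optional, Tuple

# ICMP type numbers from RFC 792
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words, complemented.
    Over a message whose checksum field is already correct, this returns 0."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Serialize an ICMP message: type, code, checksum, 4-byte rest-of-header, payload."""
    header = struct.pack("!BBH4s", icmp_type, code, 0, rest)  # checksum field zeroed
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBH4s", icmp_type, code, csum, rest) + payload


def parse_icmp(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (type, code, rest-of-header, payload); raise ValueError if truncated or corrupt."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, rest = struct.unpack("!BBH4s", packet[:8])
    return icmp_type, code, rest, packet[8:]


def echo_reply(request: bytes) -> Optional[bytes]:
    """The RFC 1122 'Echo server function': answer an Echo Request with an Echo Reply
    that carries the same identifier, sequence number and data. None for non-echo input."""
    icmp_type, code, rest, payload = parse_icmp(request)
    if icmp_type != ICMP_ECHO_REQUEST or code != 0:
        return None
    return build_icmp(ICMP_ECHO_REPLY, 0, rest, payload)


# Hypothetical policy (an assumption for this example, not Walker's or any vendor's):
# accept the types a host needs to answer pings and to learn about path problems,
# silently drop ("stealth") everything else.
ALLOWED_INBOUND = {ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


def filter_inbound(packet: bytes) -> str:
    """Return 'ACCEPT' or 'DROP' for an inbound ICMP message under ALLOWED_INBOUND."""
    try:
        icmp_type, *_ = parse_icmp(packet)
    except ValueError:
        return "DROP"  # malformed or corrupt messages are never passed to the host
    return "ACCEPT" if icmp_type in ALLOWED_INBOUND else "DROP"


if __name__ == "__main__":
    # Constructed sample: Echo Request with identifier 0x1234, sequence 1.
    request = build_icmp(ICMP_ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping-data")
    print(filter_inbound(request), echo_reply(request).hex())
```

The checksum check in `parse_icmp` relies on the RFC 1071 property that verifying a correctly checksummed message yields zero when summed over the whole message, checksum field included; a message with any flipped byte is rejected before any policy decision is made.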