Ok to let all ICMP traffic through firewall?

APUE was the book which got me up and running cutting code on *nix back in the day.

Shame the good always die young.

greg

Greg Hennessy

Maybe not all ICMP, but I'm inclined to allow ping unless there is a good reason not to.

When ping and traceroute are allowed it saves a great deal of time and effort. This eventually saves $$. Fewer people are involved in troubleshooting, fewer phone calls, etc. etc.

For example, "I can't FTP to x.x.x.x" is now a ticket which is likely to involve the "firewall guy" since there is no ping. This could be a very simple matter if only you could ping the server.

When the network gets very complicated some security is lost. Mistakes are made because not everyone understands all aspects of the network.

Ping of death is quite old now and not likely to resurface. I would make a judgment call on this issue. If you need very high security then I'd turn it off, otherwise I'd focus on more pressing issues like silencing my telephone and shuffling my email. :)

Scott R. Haven Sr. Systems Engineer Paisley Systems Inc. managed services, consulting, and support

Scott R. Haven

The first rule of security is that you don't allow traffic in either direction UNLESS YOU HAVE A NEED.

Leythos
