Hello B. Nice and all.
I disagree fundamentally with Mr. Gottschalk's recommendation to use what amounts to "Default Allow" firewall policies.
Mr. Gottschalk wrote "You should never "stealth" any port until you have explicit reason to do so." This is an example of a "Default Allow" policy.
I believe in using "Default Drop" policies for all of my firewalls. As far as I am aware, using INBOUND and OUTBOUND Default Drop policies is the Most Secure default firewall configuration. One has to know what traffic they wish to allow, and add deliberate and specific firewall-rules to allow it. It's a very educational process, because you cannot use any facet of the Internet until you know exactly which protocols and/or (TCP/UDP) ports you wish to use.
Imagine a door-lock for a house or an apartment; under what would be similar to a "Default Allow" policy, everyone would be able to unlock your door EXCEPT those persons whom you have specifically listed and barred from entry. Who would wish to have to list the 6-Billion odd people extant on the planet just to be able to prevent their entry? Under a similar scenario with a "Default Drop" policy ALL (those 6-Billion+) are denied entry UNLESS they have been specifically added to a list to be given entry (to be given a key, let's say).
Mr. Gottschalk's recommendation to the original poster was to allow the traffic to and from the poster's computer to the extent that his ports would be "unstealthed". Later Mr. Gottschalk mentioned that:
"I've got a box that runs Windows from time to time. By default it would only react to ICMP codes 0,3,4,5,8,11,12,17 and 18. I configured it to not react to code 5, 17 or 18. The other ones aren't dangerous in any way. ..."
Maybe I missed it somewhere, but I don't recall Mr. Gottschalk warning the original poster that (perhaps especially under Windows environments) ICMP codes 5, 17, and 18 are dangerous. Did he make it clear to the original poster?
With Default Allow all is allowed (unless you know exactly what you wish to Disallow and then add the appropriate firewall-rule).
My advice wouldn't have left the original poster open to problems related to ICMP codes 5, 17, and 18.
Perhaps today there are dangers using ICMP codes 3, 8, and 12?
Perhaps tomorrow there will be attacks using 0, 4, 8, and 11?
Things change constantly; new attacks are formulated constantly.
I'm quite content using a Default Drop stance.
My advice (again) is to do similarly: add rules to allow the traffic you absolutely must have, then add other traffic when and only when you FULLY UNDERSTAND what you are allowing. To do otherwise you truly must be an expert, and I mean having the ability to know of all possible attacks that are available instantly (and being able to change your firewall configurations instantly). I personally feel that having a secure firewall is NOT possible using defaults that blindly allow traffic.
Perhaps Mr. Gottschalk or some others are even more omnipotent than they could imagine. One would have to be to be able to track and respond to varying attack-methodologies second-by-second. Does anyone know what the dangerous ICMP codes are for today? Some find philately or numismatic-pursuits to be more relaxing hobbies. To each his (or her) own.
N.B. I assume that any who actually have a need to use ICMP or TCP RST or anything else will take the time and perhaps the Great Effort to be able to use these things securely. I elect not to use them. Some things can be Mastered. Some other things are perhaps best Not to master (nor to use). Cost-benefit and risk-reward analyses are your friends.
P.S. RE: Volker Birk (x2)
1) Many ISPs disable or curtail ICMP in their routers. If you are near to such routers (as I believe I am) there will be no forthcoming ICMP Host Unreachable messages. Even for those routers that do give these messages, would-be attackers would have no idea whether you were a home PC or some networked refrigerator or toaster. OS-fingerprinting relies on being able to receive packets (probably preferably TCP SYN packets) from potential targets; I choose not to emit ANY packet to anywhere without a valid reason.
2) Substantiate which? I advocate a Default Drop firewall stance. Those using Default Drop policies will be "stealthed" by default; they will be emitting packets only according to the specific firewall-rules that they write, rather than to anyone or anything on the planet that wishes to scan or probe them.
You and some others advocate sending packets out to anyone for no articulated security or other advantage. It is always less secure to allow traffic blindly. It is indeed bizarre to allow traffic for absolutely no advantage or reason.
My systems and my Internet connection are highly-stable. I can leave my machines on and my connection up for days at a time with nothing but a steady and reliable exchange of data. Perhaps any performance-degradation when not allowing certain types of traffic is idiosyncratic to your particular equipment or configuration.
I am a home user, but a number of reports both here and elsewhere seem to indicate that many larger networks also do not require that which you and others are advocating.
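To make the two stances argued in this thread concrete, here is a small first-match policy evaluator (an added illustration, not code from any poster): a "Default Allow" table that blocks only the ICMP types the post calls codes 5, 17 and 18, beside a "Default Drop" table that lists only the traffic it needs. The rule sets and sample packets are constructed for the example; the point it shows is that an ICMP type nobody has listed yet passes the first table and is dropped by the second.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out" relative to the host
    proto: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None  # destination port for tcp/udp
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "drop"
    direction: str
    proto: str
    port: Optional[int] = None  # None matches any port
    icmp_type: Optional[int] = None  # None matches any ICMP type

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction and self.proto == p.proto
                and (self.port is None or self.port == p.port)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


@dataclass
class Firewall:
    default: str                # policy applied when no rule matches
    rules: List[Rule]

    def decide(self, p: Packet) -> str:
        # First matching rule wins; otherwise fall through to the default policy.
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# "Default Allow": everything passes unless explicitly listed (constructed example).
default_allow = Firewall("allow", [
    Rule("drop", "in", "icmp", icmp_type=t) for t in (5, 17, 18)])

# "Default Drop": nothing passes unless explicitly listed (constructed example).
default_drop = Firewall("drop", [
    Rule("allow", "out", "tcp", port=443),   # outbound HTTPS
    Rule("allow", "out", "udp", port=53),    # outbound DNS
    Rule("allow", "in", "icmp", icmp_type=3),  # inbound destination unreachable
])

# An ICMP type neither table mentions: the "tomorrow's attack" case in the post.
UNLISTED_ICMP = Packet("in", "icmp", icmp_type=13)
```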