USRobotics NETServer/16 Switch User Manual


 
Packet Filters
Filtering ICMP packets
ICMP packets can be filtered only by type, so the only option
is:
    type <icmp message type>
The ICMP message types are listed below. Note that most of
them are error messages necessary for the correct operation of
TCP/IP:
Type  Description
0     Echo Reply (Ping)
3     Destination Unreachable
4     Source Quench
5     Redirect (change route)
8     Echo Request (Ping)
11    Time Exceeded for a Datagram
12    Parameter Problem on a Datagram
13    Timestamp Request
14    Timestamp Reply
15    Information Request
16    Information Reply
17    Address Mask Request
18    Address Mask Reply
If you are concerned about security, filter out incoming type 5
messages. Sending ICMP redirects is an easy way for a vandal
to change your routing tables.
deny icmp type 5
Although PING is useful for troubleshooting, it allows a potential
intruder to obtain a map of your network by systematically
pinging every possible address. If you think this is a security
risk, then filter out incoming type 8 packets or outgoing echo
replies (type 0).
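
The following is an added example, not part of the manual and not NETServer code: a small Python model of type-based ICMP filtering that reads the type byte from a raw IPv4 packet and applies the inbound rules recommended above. The function names, the sample packets and the permit-by-default behaviour are assumptions made for illustration.

```python
import struct

# Inbound rules in the manual's syntax; the type 8 line applies the same
# form to the echo-request advice (constructed for this example).
INBOUND_RULES = """\
deny icmp type 5
deny icmp type 8
"""

def parse_rules(text):
    """Return the set of ICMP types named by 'deny icmp type <n>' lines."""
    denied = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4 or fields[:3] != ["deny", "icmp", "type"]:
            raise ValueError("unsupported rule: " + line)
        number = int(fields[3])
        if not 0 <= number <= 255:
            raise ValueError("ICMP type out of range: " + line)
        denied.add(number)
    return denied

def icmp_type(packet):
    """Return the ICMP type of a raw IPv4 packet, or None if there is none to read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    header_len = (packet[0] & 0x0F) * 4          # IHL counts 32-bit words
    if header_len < 20 or len(packet) < header_len:
        raise ValueError("bad IPv4 header length")
    if packet[9] != 1:                           # protocol 1 = ICMP
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                              # later fragment: no ICMP header
    if len(packet) <= header_len:
        raise ValueError("truncated ICMP message")
    return packet[header_len]                    # first ICMP byte is the type

def decide(packet, denied):
    """Assumed default: anything no rule denies is permitted."""
    return "deny" if icmp_type(packet) in denied else "permit"

def make_packet(msg_type):
    """Constructed sample: minimal IPv4 + ICMP header, checksums left at zero."""
    icmp = struct.pack("!BBHI", msg_type, 0, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))
    return ip + icmp

DENIED_IN = parse_rules(INBOUND_RULES)
```

With these two rules, redirects and echo requests are dropped while the error messages TCP/IP depends on, such as types 3 and 11, still pass.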