On 4/Mar/19 09:12, Radu-Adrian Feurdean wrote:
Can we make a short rule that says: For ICMP, *ALLOW* *ALL* unless you do have a very specific and motivated reason to block some types. I would even go as far as "allow all icmp from any to any" (and if possible as the first firewall rule), but I do understand that may make some people have hives.
Not to be the wet blanket, but we've been crying about this since before I knew what CLI meant, and it either didn't work or has gotten even worse. That is how we ended up with all manner of hacks to work around failure to reliably deliver PTB messages.

We've been crying about the same during the IPv6 era, and we appear to be running the same hacks for it too. Is there any reason to expect things to change given the continued "crying about it" approach? Just look at what I had to (unhappily) do over the weekend :-(.

I don't have the answers yet, but just because it now ends with a "6", doesn't mean we shall necessarily drop our IPv4 bad habits. Perhaps it's time to consider a different approach, if we don't want to resign ourselves to the death of ICMP as we know it, and simply talk about what could have been had its full potential been realized.

Mark.
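The "allow ICMP first" rule Radu-Adrian proposes, written out as an nftables ruleset. This is an added illustration, not a configuration from either poster; the chain layout and the interface name `eth0` are assumptions. The first variant is the blanket accept; the commented-out second variant is the narrower set of types that keeps PMTUD (the Packet Too Big messages Mark refers to) and IPv6 neighbor discovery working if a site insists on filtering.

```nft
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Variant 1: accept every ICMP and ICMPv6 message before any stateful or
        # port-based rule, so nothing below can accidentally drop PTB (ICMPv6
        # type 2, ICMP type 3 code 4) or neighbor discovery.
        meta l4proto { icmp, icmpv6 } accept

        # Variant 2 (use instead of the line above when blanket accept is not
        # acceptable): only the types hosts depend on for reachability,
        # path MTU discovery and NDP. Leave packet-too-big and
        # destination-unreachable in; dropping them is what breaks PMTUD.
        # icmpv6 type { destination-unreachable, packet-too-big,
        #               time-exceeded, parameter-problem,
        #               echo-request, echo-reply,
        #               nd-router-advert, nd-neighbor-solicit,
        #               nd-neighbor-advert } accept
        # icmp type { destination-unreachable, time-exceeded,
        #             parameter-problem, echo-request, echo-reply } accept

        ct state established,related accept
        iif lo accept
        iifname "eth0" tcp dport { 22, 443 } accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Same ordering on the forward path: transit PTB/unreachable messages
        # must reach the end hosts, not just this box.
        meta l4proto { icmp, icmpv6 } accept
        ct state established,related accept
    }
}
```

Load it with `nft -f <file>`; `nft list ruleset` confirms the ICMP accept sits above the stateful rule, which is the point of the ordering.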