LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 06-14-2004, 03:49 PM   #1
Iced Earth
LQ Newbie
 
Registered: Aug 2003
Location: Le Quebec simonac !
Distribution: Red Hat / Slackware
Posts: 6

Rep: Reputation: 0
Is that a good thing to block ICMP protocol on a Web server?


Hello everybody. First, sorry, English is not my native language, so my message can sound a bit weird at times. I'm running a Web server with the following additional services:

- FTP
- SSH
- SMTP
- POP3
- IMAP
- HTTPS
- MySQL

I'm using iptables to block everything except the ports necessary to keep the above services functional. But when it comes time to decide what to filter on the ICMP protocol, I don't know exactly what is good to block (if anything). From what I have read so far, it seems that a lot of people think that it's security-wise to block the whole ICMP protocol (it's what I'm thinking too), but there are other people saying that doing so makes your server not RFC compliant and that it can cause problems. But what kind of problems exactly? I don't care if someone can't ping my server (in fact it's what I want), but I care if blocking ICMP can cause problems with the essential services running on my server. From what I understand, ICMP is only a diagnostic protocol and it's not supposed to affect the services running on my server, but I just want to be sure. For example, is it possible that blocking ICMP can cause problems for a customer sending me an email, because a router tries to diagnose my server, my server replies nothing, and the router finally thinks "this host is down or doesn't exist"? Is something like that possible? Thanks!
 
Old 06-15-2004, 04:57 AM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
If you drop all ICMP then you break PMTU (Path MTU discovery). That means the other end of the connection can't discover if they can safely increase their MTU, or if they need to decrease it. Basically your network performance and reliability might be degraded in certain circumstances.

You should probably allow at least type 3/code 4, and possibly type 11/code 0 (just from glancing over the table in TCP/IP Illustrated).

By the way, why are you allowing external access to MySQL? Are you sure that's absolutely necessary? Your webserver should definitely not need to allow outside connections to that in order for your site to work. If dynamic content on the page is being generated by database queries, more than likely those are either happening on UNIX sockets, or connections to the loopback adaptor (127.0.0.1), so it should be fine to shut off external access (and that should improve security dramatically, because there are a lot of evil things you can do to an exposed database).
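
The advice in the reply above, written out as an added example (not part of the original thread): a shell function that prints an iptables-restore ruleset accepting only ICMP type 3/code 4 and type 11/code 0, plus a small audit function for an existing ruleset. The port list, the chain policies and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset; after reviewing it,
# load it as root with:  emit_rules | iptables-restore

# Assumed well-known ports for the services listed in the thread
# (plain HTTP on 80 is an assumption; MySQL 3306 is deliberately absent).
TCP_PORTS="21 22 25 80 110 143 443"

emit_rules() {
    echo "*filter"
    echo ":INPUT DROP [0:0]"
    echo ":FORWARD DROP [0:0]"
    echo ":OUTPUT ACCEPT [0:0]"
    # Loopback stays open, so local web code can still reach MySQL on 127.0.0.1.
    echo "-A INPUT -i lo -j ACCEPT"
    echo "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # Type 3/code 4: "fragmentation needed", which Path MTU discovery relies on.
    echo "-A INPUT -p icmp --icmp-type 3/4 -j ACCEPT"
    # Type 11/code 0: TTL exceeded in transit.
    echo "-A INPUT -p icmp --icmp-type 11/0 -j ACCEPT"
    for port in $TCP_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Everything else, including echo-request (ping) and 3306, hits the DROP policy.
    echo "COMMIT"
}

# audit_rules: read a ruleset on stdin (this format or iptables-save output),
# print one WARN line per finding, return 1 if there was any finding.
audit_rules() {
    rules=$(cat)
    status=0
    if ! printf '%s\n' "$rules" |
        grep -Eq -- '--icmp-type (3/4|fragmentation-needed) .*-j ACCEPT'; then
        echo "WARN: no explicit ACCEPT for ICMP 3/4, Path MTU discovery can break"
        status=1
    fi
    if printf '%s\n' "$rules" | grep -Eq -- '--dport 3306 .*-j ACCEPT'; then
        echo "WARN: MySQL (3306) is accepted from outside"
        status=1
    fi
    return $status
}
```

To check a running host, pipe `iptables-save` into `audit_rules`.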
 
Old 06-15-2004, 06:49 AM   #3
Iced Earth
LQ Newbie
 
Registered: Aug 2003
Location: Le Quebec simonac !
Distribution: Red Hat / Slackware
Posts: 6

Original Poster
Rep: Reputation: 0
Hi chort! Thanks a lot for your reply. I will try to let only type 3/4 and 11/0 pass, like you mentioned. For MySQL you are absolutely right, but I have one or two things to verify before blocking it from the exterior. Thanks A LOT for your suggestions, they help me and give me confidence that I'm going to do the right things for my server. Thanks!
 
  

