ICMP Cheatsheet :: src : http://www.luckydragon.net/tech/icmp-cheatsheet.html
###############################################################################

Allow the following ICMP Types:

* Echo Request (Type 8)
* Echo Reply (Type 0)
* Source Quench (Type 4)
* Time Exceeded (Type 11)
* Destination Unreachable (Type 3) - STRONGLY RECOMMENDED
* Parameter Problem (Type 12)

Linux iptables

iptables -t filter -A INPUT --protocol icmp --icmp-type echo-request -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type echo-reply -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type time-exceeded -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type destination-unreachable -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type parameter-problem -j ACCEPT

List all ICMP types:

iptables -p icmp -h

Cisco PIX 7.x, ASA 7.x

Cisco PIX 6.x

access-list acl_outside line 1 remark # ICMP Stuff ##
access-list acl_outside line 2 permit icmp any 192.168.7.0 255.255.255.0 echo
access-list acl_outside line 3 permit icmp any 192.168.7.0 255.255.255.0 echo-reply
access-list acl_outside line 4 permit icmp any 192.168.7.0 255.255.255.0 source-quench
access-list acl_outside line 5 permit icmp any 192.168.7.0 255.255.255.0 time-exceeded
access-list acl_outside line 6 permit icmp any 192.168.7.0 255.255.255.0 unreachable
access-list acl_outside line 7 permit icmp any 192.168.7.0 255.255.255.0 parameter-problem

* ICMP Type Numbers

Type   Name                        Reference
----   -------------------------   ---------
0      Echo Reply                  [RFC792]
       Codes
       0   No Code
1      Unassigned                  [JBP]
2      Unassigned                  [JBP]
3      Destination Unreachable     [RFC792]
       Codes
       0   Net Unreachable
       1   Host Unreachable
       2   Protocol Unreachable
       3   Port Unreachable
       4   Fragmentation Needed and Don't Fragment was Set
       5   Source Route Failed
       6   Destination Network Unknown
       7   Destination Host Unknown
       8   Source Host Isolated
       9   Communication with Destination Network is Administratively Prohibited
       10  Communication with Destination Host is Administratively Prohibited
       11  Destination Network Unreachable for Type of Service
       12  Destination Host Unreachable for Type of Service
       13  Communication Administratively Prohibited        [RFC1812]
       14  Host Precedence Violation                        [RFC1812]
       15  Precedence cutoff in effect                      [RFC1812]
4      Source Quench               [RFC792]
       Codes
       0   No Code
5      Redirect                    [RFC792]
       Codes
       0   Redirect Datagram for the Network (or subnet)
       1   Redirect Datagram for the Host
       2   Redirect Datagram for the Type of Service and Network
       3   Redirect Datagram for the Type of Service and Host
6      Alternate Host Address      [JBP]
       Codes
       0   Alternate Address for Host
7      Unassigned                  [JBP]
8      Echo                        [RFC792]
       Codes
       0   No Code
9      Router Advertisement        [RFC1256]
       Codes
       0   Normal router advertisement
       16  Does not route common traffic                    [RFC2002]
10     Router Selection            [RFC1256]
       Codes
       0   No Code
11     Time Exceeded               [RFC792]
       Codes
       0   Time to Live exceeded in Transit
       1   Fragment Reassembly Time Exceeded
12     Parameter Problem           [RFC792]
       Codes
       0   Pointer indicates the error
       1   Missing a Required Option                        [RFC1108]
       2   Bad Length
13     Timestamp                   [RFC792]
       Codes
       0   No Code
14     Timestamp Reply             [RFC792]
       Codes
       0   No Code
15     Information Request         [RFC792]
       Codes
       0   No Code
16     Information Reply           [RFC792]
       Codes
       0   No Code
17     Address Mask Request        [RFC950]
       Codes
       0   No Code
18     Address Mask Reply          [RFC950]
       Codes
       0   No Code
19     Reserved (for Security)     [Solo]
20-29  Reserved (for Robustness Experiment)   [ZSu]
30     Traceroute                  [RFC1393]
31     Datagram Conversion Error   [RFC1475]
32     Mobile Host Redirect        [David Johnson]
33     IPv6 Where-Are-You          [Bill Simpson]
34     IPv6 I-Am-Here              [Bill Simpson]
35     Mobile Registration Request [Bill Simpson]
36     Mobile Registration Reply   [Bill Simpson]
39     SKIP                        [Markson]
40     Photuris                    [RFC2521]
       Codes
       0 = Bad SPI
       1 = Authentication Failed
       2 = Decompression Failed
       3 = Decryption Failed
       4 = Need Authentication
       5 = Need Authorization

ICMP (Types/Codes), grouped by purpose

Testing Destination Reachability & Status
  (0/0)   Echo-Reply
  (8/0)   Echo

Unreachable Destinations
  (3/0)   Network Unreachable
  (3/1)   Host Unreachable
  (3/2)   Protocol Unreachable
  (3/3)   Port Unreachable
  (3/4)   Fragmentation Needed and DF set (Pkt too big)
  (3/5)   Source Route Failed
  (3/6)   Network Unknown
  (3/7)   Host Unknown
  (3/9)   DOD Net Prohibited
  (3/10)  DOD Host Prohibited
  (3/11)  Net TOS Unreachable
  (3/12)  Host TOS Unreachable
  (3/13)  Administratively Prohibited
  (3/14)  Host Precedence Unreachable
  (3/15)  Precedence Unreachable

Flow Control
  (4/0)   Source-Quench [RFC 1016]

Route Change Requests from Gateways
  (5/0)   Redirect Datagrams for the Net
  (5/1)   Redirect Datagrams for the Host
  (5/2)   Redirect Datagrams for the TOS and Net
  (5/3)   Redirect Datagrams for the TOS and Host

Router
  (6/-)   Alternate-Address
  (9/0)   Router-Advertisement
  (10/0)  Router-Solicitation

Detecting Circular or Excessively Long Routes
  (11/0)  Time to Live Count Exceeded
  (11/1)  Fragment Reassembly Time Exceeded

Reporting Incorrect Datagram Headers
  (12/0)  Parameter-Problem
  (12/1)  Option Missing
  (12/2)  No Room for Option

Clock Synchronization and Transit Time Estimation
  (13/0)  Timestamp-Request
  (14/0)  Timestamp-Reply

Obtaining a Network Address (RARP Alternative)
  (15/0)  Information-Request
  (16/0)  Information-Reply

Obtaining a Subnet Mask [RFC 950]
  (17/0)  Address Mask-Request
  (18/0)  Address Mask-Reply

Other
  (30/0)  Traceroute
  (31/0)  Conversion-Error
  (32/0)  Mobile-Redirect

Ref: [RFC 792] [RFC 896] [RFC 950] [RFC 1016]
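The iptables and PIX rules above match on exactly two header bytes, the ICMP type and code. The following Python script is an added example (written for this page, not code from luckydragon.net or from any firewall vendor) that decodes those bytes from a raw ICMP message, verifies the RFC 792 checksum, names the type/code using the table above, and applies the cheatsheet's allow-list (types 8, 0, 4, 11, 3, 12) to a handful of constructed sample messages. The sample messages, the `build_icmp` helper and the name tables are assumptions made for the example; the name tables are a subset transcribed from the page.

```python
import struct

# Types the cheatsheet says to allow inbound: Echo Request, Echo Reply,
# Source Quench, Time Exceeded, Destination Unreachable, Parameter Problem.
ALLOWED_TYPES = {8, 0, 4, 11, 3, 12}

# Names transcribed from the cheatsheet's type/code table (subset used here).
TYPE_NAMES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Advertisement", 10: "Router Selection",
    11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
    14: "Timestamp Reply", 17: "Address Mask Request", 18: "Address Mask Reply",
}
CODE_NAMES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
        13: "Communication Administratively Prohibited"},
    5: {0: "Redirect Datagram for the Network (or subnet)",
        1: "Redirect Datagram for the Host"},
    11: {0: "Time to Live exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer indicates the error", 1: "Missing a Required Option", 2: "Bad Length"},
}


def icmp_checksum(data: bytes) -> int:
    """RFC 792 checksum: ones-complement of the ones-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # odd-length messages are padded with a zero byte for summing
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4, payload: bytes = b"") -> bytes:
    """Assemble an ICMP message with a valid checksum (hypothetical helper, used only
    to construct sample input for this example)."""
    unsummed = struct.pack("!BBH4s", icmp_type, code, 0, rest) + payload
    return struct.pack("!BBH4s", icmp_type, code, icmp_checksum(unsummed), rest) + payload


def classify(message: bytes) -> dict:
    """Decode type/code, verify the checksum, and apply the cheatsheet's allow-list."""
    if len(message) < 8:
        raise ValueError("ICMP header is 8 bytes; message is truncated")
    icmp_type, code, received_sum = struct.unpack("!BBH", message[:4])
    # Recompute over the message with the checksum field zeroed, as the sender did.
    checksum_ok = icmp_checksum(message[:2] + b"\x00\x00" + message[4:]) == received_sum
    if not checksum_ok:
        verdict, reason = "drop", "bad checksum"
    elif icmp_type in ALLOWED_TYPES:
        verdict, reason = "accept", "type on allow-list"
    else:
        verdict, reason = "drop", "type not on allow-list"
    return {
        "type": icmp_type, "code": code,
        "type_name": TYPE_NAMES.get(icmp_type, "Unassigned/Other"),
        "code_name": CODE_NAMES.get(icmp_type, {}).get(code, "No Code"),
        "checksum_ok": checksum_ok, "verdict": verdict, "reason": reason,
    }


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "echo-request": build_icmp(8, 0, struct.pack("!HH", 0x1234, 1), b"constructed-payload"),
    "port-unreachable": build_icmp(3, 3, payload=b"\x45\x00" + b"\x00" * 26),
    "redirect-host": build_icmp(5, 1, b"\xc0\xa8\x07\x01"),
    "timestamp-request": build_icmp(13, 0),
}
corrupted = bytearray(SAMPLES["echo-request"])
corrupted[-1] ^= 0xFF  # flip a payload byte so the checksum no longer matches
SAMPLES["echo-request-corrupted"] = bytes(corrupted)


def audit(samples: dict) -> dict:
    """Map each sample name to the verdict the allow-list would give it."""
    return {name: classify(msg)["verdict"] for name, msg in samples.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        info = classify(msg)
        print(f"{name:24} type {info['type']:>2}/{info['code']:<2} "
              f"{info['type_name']} / {info['code_name']}: {info['verdict']} ({info['reason']})")
```

Running it shows the Echo request and the 3/3 Port Unreachable accepted, while the 5/1 Redirect and the 13/0 Timestamp request are dropped because their types are not on the list, and the corrupted Echo is dropped on the checksum before the allow-list is even consulted (a real kernel discards it at the same point, before netfilter sees it). Two points the script makes concrete: the firewall rules match on type only, so every code under an allowed type (all of 3/0 through 3/15, for instance) passes with it; and the allow-list copies the page's recommendation including Source Quench (type 4), which RFC 6633 deprecated in 2012, so modern stacks ignore it whether or not the rule is present.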