Tobias Weingartner wrote:
quoted text
> Chad M Stewart wrote:
>>  On Apr 25, 2007, at 11:05 AM, Allen Theobald wrote:
>>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>  This can be used as a covert communication channel.  Allowing  
>>  internal IPs to send/receive ping is bad.
> 
> Bull.  Not allowing ICMP is just as bad.  Worse actually, as you
> are violating RFCs.  Quit spreading this FUD.
> 

As very often in this world, none of these points of view is absolutely
perfect in all situations.

Regarding violation of RFCs, I found RFC 1812, which states that routers
have to implement echo replies, but one should be able to switch them off:


RFC 1812 "Requirements for IP Version 4 Routers", page 57/58:

4.3.3.6 Echo Request/Reply

    A router MUST implement an ICMP Echo server function that receives
    Echo Requests sent to the router, and sends corresponding Echo
    Replies.  A router MUST be prepared to receive, reassemble and echo
    an ICMP Echo Request datagram at least as the maximum of 576 and the
    MTUs of all the connected networks.

    The Echo server function MAY choose not to respond to ICMP echo
    requests addressed to IP broadcast or IP multicast addresses.

    A router SHOULD have a configuration option that, if enabled, causes
    the router to silently ignore all ICMP echo requests; if provided,
    this option MUST default to allowing responses.


Andreas