by protocolture on 5/21/2025, 11:41:30 PM
by isatty on 5/22/2025, 1:16:50 AM
No, don’t block ICMP.
Also, implement SSL because it’s trivial and prevents garbage ISPs from injecting ads.
Third, how about no ads to begin with?
by bastard_op on 5/22/2025, 1:25:49 AM
Blocking ICMP tends to come with blocking ICMP Unreachables, which happen to handle Path MTU Discovery (PMTUD), which you definitely want on if you work around VPNs at all, or certain ISPs that might not allow a full 1500 byte frame. Microsoft particularly loves to set application traffic to Do-Not-Fragment, and this will play chaos on many Microsoft things if PMTUD is disabled around reduced MTU environments.
It's best left on at least inside a private/protected network.
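Added example, not part of the comment above or of anyone's post in this thread: a small classifier showing which ICMPv4 messages a filter has to keep for PMTUD to work, including reading the next-hop MTU out of a "fragmentation needed" message. The accept/ratelimit/drop policy, the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

DEST_UNREACHABLE, ECHO_REQUEST, TIME_EXCEEDED = 3, 8, 11
FRAG_NEEDED = 4  # code under type 3: fragmentation needed but DF set

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 for a message that verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes) -> bytes:
    """Build a constructed sample message with a valid checksum."""
    body = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return body[:2] + struct.pack("!H", checksum(body)) + body[4:]

def classify(msg: bytes) -> dict:
    """Assumed policy: keep error messages, rate limit echo, drop the rest."""
    if len(msg) < 8 or checksum(msg) != 0:
        return {"verdict": "drop", "reason": "malformed"}
    icmp_type, code = msg[0], msg[1]
    if icmp_type == DEST_UNREACHABLE:
        info = {"verdict": "accept", "reason": "destination unreachable"}
        if code == FRAG_NEEDED:
            # RFC 1191: the low 16 bits of the second header word are the next-hop MTU.
            info["reason"] = "fragmentation needed (PMTUD)"
            info["next_hop_mtu"] = struct.unpack("!H", msg[6:8])[0]
        return info
    if icmp_type == TIME_EXCEEDED:
        return {"verdict": "accept", "reason": "time exceeded"}
    if icmp_type == ECHO_REQUEST:
        return {"verdict": "ratelimit", "reason": "echo request"}
    return {"verdict": "drop", "reason": f"unhandled type {icmp_type}"}

# Constructed samples. The payload stands in for the quoted IP header + 8 bytes.
QUOTED = b"\x45" + bytes(27)
FRAG_SAMPLE = build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, struct.pack("!HH", 0, 1400), QUOTED)
ECHO_SAMPLE = build_icmp(ECHO_REQUEST, 0, struct.pack("!HH", 0x1234, 1), b"ping")

if __name__ == "__main__":
    for name, msg in (("frag-needed", FRAG_SAMPLE), ("echo", ECHO_SAMPLE)):
        print(name, classify(msg))
```

This sketch is stateless, so replies to your own pings (type 0) fall into the default drop; a real firewall would normally admit those through connection tracking.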
by rfl890 on 5/22/2025, 12:26:38 AM
Clicked expecting a fat "NO", wasn't even surprised when I saw it.
by truekonrads on 5/22/2025, 12:45:22 AM
Path MTU discovery lives off ICMP. Block ICMP and expect connections to fail.
by taikahessu on 5/21/2025, 11:39:49 PM
Should I block port 80?
by DigitallyFidget on 5/27/2025, 9:18:03 PM
Genuine question here: what are the actual benefits of blocking ICMP?
Not asking "Why should I leave it on", I'm specifically asking for legitimate valid use cases for disabling it.
I really can only think of one, and that's if your server just gets such a relentless amount of pings that it takes up a significant portion of your bandwidth. (There was a news article about a news site in Australia, I think, that had that happen)
by paffdragon on 5/22/2025, 1:30:15 AM
I am not a network engineer, but when I hear ICMP, I associate it with consuming CPU on my shitty router and DDoS potential. I only block ICMP for unknown external traffic (response to packets not otherwise blocked by firewall, then aggressively rate limit that) and allow it internally. I used to go overboard in the past and learned how annoying it is to not be able to do a simple ping...
by babuloseo on 5/21/2025, 11:38:05 PM
It's like me blocking YouTube in the hosts file or even on Pi-hole or related manually. I realize blocking YouTube BREAKS a lot of things in the network.
by guyzero on 5/21/2025, 11:48:23 PM
shouldiimplementssl.com
by paulnpace on 5/22/2025, 12:52:14 AM
I don't know why people focus on blocking protocols when IP addresses are more useful. I've blocked most of DO's IP address space and it really cleaned up the logs.
by rabbitofdeath on 5/22/2025, 12:40:21 AM
Thankfully it's pingable ¯\_(ツ)_/¯
$ ping shouldiblockicmp.com
PING shouldiblockicmp.com (52.92.225.139) 56(84) bytes of data.
64 bytes from s3-website-us-west-2.amazonaws.com (52.92.225.139): icmp_seq=1 ttl=241 time=75.3 ms
by deepsun on 5/23/2025, 10:52:50 PM
Should I block ICMPv6?
by BLKNSLVR on 5/22/2025, 1:00:44 AM
I unapologetically block ICMP from sources I consider to be trash.
Nothing worth keeping has broken as a result.
by MaxGripe on 5/21/2025, 11:39:16 PM
Yes
by IAmNotACellist on 5/21/2025, 11:50:24 PM
That's why I only use urinals with dividers, to block ICUP
ISP: No, you should definitely have ICMP available for testing.
SaaS Engineer: Leave it on so I can tell when your shit goes down without having to consult your service status page.
Sysadmin: I really don't care what you do, just enable it when you raise a complaint with your ISP so they can tell you what you broke.
Residential: Your TP-Link hyper dreadnought super hawk that is taking up every inch of the 5 GHz indoor spectrum in your home is probably already blocking ICMP for you. It's probably also already part of a botnet. YMMV.