My co-worker Rene stated some time ago: “If someone is filtering ICMP, he does not understand the Internet.” I have to agree with that most of the time: I don’t want my firewalls to show up in a traceroute or to react to echo requests; that is why I have my stealth rule. But there are ICMP messages that must not be filtered if connectivity is to be preserved.
The best example is ICMP type 3 code 4: “fragmentation needed and DF set” (refer to RFC 792 for details). This message is the mechanism behind Path MTU Discovery (RFC 1191): a sender sets the DF bit on its packets, and a router that cannot forward one of them because the next hop has a smaller MTU drops the packet and returns type 3 code 4, carrying the next-hop MTU, so that the sender can shrink its packets. As you know, fragmentation causes a performance impact and should be avoided. But sometimes a packet has to be made smaller in order to get the connection up and running, and if the firewall drops the ICMP message, the sender never learns this: it keeps retransmitting packets that are too large, and the connection hangs in a so-called PMTU black hole.
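To make the message concrete, here is an added example (my own code, not from the original post) that builds and parses an ICMP type 3 code 4 message and applies the RFC 1191 rule a sender uses to lower its path MTU. The dropped datagram, the addresses (198.51.100.20, 10.0.0.5) and the next-hop MTU of 1492 are constructed sample data; the checksum handling follows RFC 1071 and the plateau table is the one from RFC 1191.

```python
"""Parse an ICMP "fragmentation needed and DF set" message (type 3, code 4)
and apply the RFC 1191 Path MTU Discovery rule to it. Added example, not
code from the original post; all packet data below is constructed."""
import struct

ICMP_DEST_UNREACH = 3
ICMP_CODE_FRAG_NEEDED = 4

# RFC 1191 section 7.1 plateau table, used when a router reports Next-Hop MTU = 0
PLATEAUS = (65535, 32000, 17914, 8166, 4352, 2002, 1492, 1006, 508, 296, 68)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frag_needed(next_hop_mtu: int, original_datagram: bytes) -> bytes:
    """Build the ICMP message a router emits when it drops a DF packet that is too big:
    8-byte ICMP header (type 3, code 4, checksum, unused, Next-Hop MTU) followed by the
    original IP header plus the first 8 bytes of the dropped datagram (RFC 792 / 1191)."""
    header = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    msg = header + original_datagram[:28]
    return msg[:2] + struct.pack("!H", icmp_checksum(msg)) + msg[4:]


def parse_frag_needed(icmp_msg: bytes):
    """Return the fields a sender needs from a type 3 code 4 message, or None if the
    message is not one (wrong type/code, truncated, or bad checksum)."""
    if len(icmp_msg) < 8 + 20 or icmp_checksum(icmp_msg) != 0:
        return None
    icmp_type, code, _csum, _unused, next_hop_mtu = struct.unpack("!BBHHH", icmp_msg[:8])
    if icmp_type != ICMP_DEST_UNREACH or code != ICMP_CODE_FRAG_NEEDED:
        return None
    inner = icmp_msg[8:28]  # IP header of the dropped datagram
    total_length, flags_frag = struct.unpack("!HxxH", inner[2:8])
    return {
        "next_hop_mtu": next_hop_mtu,
        "original_length": total_length,
        "df_set": bool(flags_frag & 0x4000),
        "src": ".".join(str(b) for b in inner[12:16]),  # the host that must shrink its packets
        "dst": ".".join(str(b) for b in inner[16:20]),
    }


def new_path_mtu(current_pmtu: int, info: dict) -> int:
    """RFC 1191 sender rule: lower the path MTU to the reported Next-Hop MTU, fall back
    to the plateau table for old routers that report 0, and never raise the MTU or go
    below the IPv4 minimum of 68 on the strength of a single ICMP message."""
    mtu = info["next_hop_mtu"]
    if mtu == 0:
        mtu = next((p for p in PLATEAUS if p < info["original_length"]), 68)
    if 68 <= mtu < current_pmtu:
        return mtu
    return current_pmtu


# Constructed sample: a 1500-byte TLS record (the server certificate) from
# 198.51.100.20:443 to 10.0.0.5 with DF set, dropped by a router whose next
# hop is a 1492-byte PPPoE link.
DROPPED_DATAGRAM = bytes.fromhex(
    "4500 05dc 1234 4000 4006 0000"  # ver/IHL, TOS, total length 1500, ID, DF set, TTL, TCP
    "c633 6414"                      # src 198.51.100.20 (the web server)
    "0a00 0005"                      # dst 10.0.0.5 (the client)
    "01bb d431 0000 0001"            # first 8 bytes of TCP: sport 443, dport 54321, seq
)
SAMPLE_ICMP = build_frag_needed(1492, DROPPED_DATAGRAM)

if __name__ == "__main__":
    info = parse_frag_needed(SAMPLE_ICMP)
    print(info)
    print("new path MTU:", new_path_mtu(1500, info))
```

The embedded IP header is what makes this message safe to let through a stateful firewall: it names the source and destination of the dropped packet, so the firewall can match the ICMP error to an existing connection rather than accepting it blindly. Note also that a sender only ever lowers its path MTU on such a message; a forged one can slow a flow down, but it cannot make the sender emit larger packets, which is why the check in new_path_mtu refuses to raise the MTU.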
The last time I saw an error related to an MTU issue, it was when accessing an SSL encrypted website. The first packets were exchanged without any problems. The problem showed when the SSL certificate was actually exchanged and generated a bigger packet which couldn’t pass a router. The router sent an ICMP message notifying the sender of the need for fragmentation, which was filtered by the firewall.