[Openswan Users] Firewall rules for openswan behind NAT

Neal Murphy neal.p.murphy at alum.wpi.edu
Wed Nov 13 15:19:36 UTC 2013

On Wednesday, November 13, 2013 11:49:14 AM Fred Weston wrote:
> Let me clarify – when I reference ports/protocols that I’m allowing
> inbound, I’m allowing it from the opposite host and not specifying a
> source port.
> Is ICMP required for functionality or only for ease of troubleshooting? 
> Typically I only allow it if I need it for some reason.

Without ICMP, your network will still run; it may just run slowly.

Most of ICMP messages are required for proper network operation. It is how a 
router informs node behind it that an address isn't reachable. It is how 
firewalls inform nodes of invalid requests and how they shut down existing 

About the only parts of ICMP that are not required are the ECHO request and 
reply messages.

More information about the Users mailing list