[Openswan Users] Firewall rules for openswan behind NAT
Neal Murphy
neal.p.murphy at alum.wpi.edu
Wed Nov 13 15:19:36 UTC 2013
On Wednesday, November 13, 2013 11:49:14 AM Fred Weston wrote:
> Let me clarify – when I reference ports/protocols that I’m allowing
> inbound, I’m allowing it from the opposite host and not specifying a
> source port.
>
> Is ICMP required for functionality or only for ease of troubleshooting?
> Typically I only allow it if I need it for some reason.
Without ICMP, your network will still run; it may just run slowly.
Most ICMP messages are required for proper network operation. It is how a
router informs nodes behind it that an address isn't reachable. It is how
firewalls inform nodes of invalid requests and how they shut down existing
conns.
About the only parts of ICMP that are not required are the ECHO request and
reply messages.
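
The ICMP policy described in this reply, sketched as an added example that is not part of the original message: a shell function that prints an iptables-restore fragment accepting ICMP error messages and limiting echo requests to one peer. The INPUT chain, the selection of error types, and the peer address 192.0.2.10 are assumptions of the example.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment for the ICMP policy
# discussed above. Nothing is applied to the running firewall.

# ICMP error types that carry the "unreachable" / "invalid request" signals.
# These are iptables type names; the selection is an assumption of this example.
ICMP_ERRORS="destination-unreachable time-exceeded parameter-problem"

# icmp_rules [PEER]
#   PEER: optional address allowed to send echo-request (troubleshooting only).
icmp_rules() {
    peer="$1"
    echo "*filter"
    for t in $ICMP_ERRORS; do
        # Errors are sent by routers along the path as well as by the peer,
        # so these rules carry no source restriction.
        echo "-A INPUT -p icmp --icmp-type $t -j ACCEPT"
    done
    if [ -n "$peer" ]; then
        # Echo is the optional part: allow it from the named peer only.
        echo "-A INPUT -s $peer -p icmp --icmp-type echo-request -j ACCEPT"
    fi
    echo "-A INPUT -p icmp --icmp-type echo-request -j DROP"
    echo "COMMIT"
}

# Constructed sample peer from the documentation range (RFC 5737).
icmp_rules 192.0.2.10
```

The output can be reviewed and then piped to `iptables-restore --noflush`, which appends the rules after those already in the chain.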