ICMP Type: 8, Code: 255(?)

Hello world,

I'm attempting to fine-tune our ICMP policies. An ISP is reporting that their IPv4 ICMP Ping Test has failed despite me using the default packet filter Ping policy (type: 8, code: 255) and allowing their address blocks to hit our client's external addresses. However, their suggested way of testing the connection via their website reports that the ping tests are actually successful. Regardless, I went down the rabbit hole of ICMP types and codes.

(Referencing: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml)

  1. Would I potentially also need to allow Ping type 0 for echo reply or is that unnecessary?

  2. For Type 8 - what does "code: 255" define? From the above IANA link, there doesn't seem to be any code for ICMP Type 8?

Thanks!
M.

Comments

  • Turns out the ISP tripped the Port Scan Attack threshold and was auto-blocked..lol

    Addressed that, still curious about the code: 255 and if there is a need for Type: 0 ?

  • james.carson (Moderator, WatchGuard Representative), edited August 2019

    Hi @Masters

    1. In the case of pings, the reply would be generated from the "any from firebox" rule, and does not need an additional rule. If you have logging enabled for traffic sent from this device turned on in Setup -> Logging -> Diagnostic Log Level you can see this in traffic monitor.

    2. Code 255 is the Firebox's way of defining any. Code 255 was later defined as a reserved space by IANA, and there is a feature request (FBX-4218) to define this as "any" vice "code: 255."

    Adding the ISP's IPs to the blocked sites exception list should keep it from being added to blocked sites.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • edited August 2019

    Reply packets are always automatically allowed.

  • Roger that, thanks James & Bruce!
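
As an added example (not part of the thread and not WatchGuard code), the following Python models a packet-filter ICMP rule in which code 255 is treated as "any", as described in the moderator's reply. The function names and the sample packets are constructed for illustration.

```python
import struct

ANY_CODE = 255  # per the thread: the Ping policy uses code 255 to mean "any code"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type, code, ident=0x1234, seq=1, payload=b"ping"):
    """Build a constructed ICMP echo-style message with a valid checksum."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, code, csum, ident, seq) + payload

def parse_icmp(packet: bytes):
    """Return (type, code) after checking length and checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if inet_checksum(packet) != 0:  # a valid message sums to zero
        raise ValueError("bad ICMP checksum")
    return packet[0], packet[1]

def rule_matches(rule_type, rule_code, packet):
    """Match on type; rule code 255 is a wildcard (assumed model of 'any')."""
    icmp_type, code = parse_icmp(packet)
    return icmp_type == rule_type and rule_code in (ANY_CODE, code)

if __name__ == "__main__":
    # Constructed sample packets: (label, type, code)
    samples = [("echo request", 8, 0), ("echo request, odd code", 8, 7),
               ("echo reply", 0, 0)]
    for label, t, c in samples:
        pkt = build_icmp(t, c)
        # The reply (type 0) does not match the type-8 rule; per the thread,
        # replies are handled without an additional rule.
        print(f"{label:24} type={t} code={c} "
              f"matches type:8 code:255 -> {rule_matches(8, ANY_CODE, pkt)}")
```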
