ICMP Cheatsheet
Allow the following ICMP types inbound (everything else, notably Redirect (5), Router Advertisement (9), Timestamp (13/14) and Address Mask (17/18), should stay blocked: those serve route manipulation and host fingerprinting, not connectivity):
- Echo Request (Type 8) - needed for ping; rate-limit it, since it is also the standard reconnaissance probe
- Echo Reply (Type 0) - answers to your own outbound pings; on a stateful firewall accept it only as part of an established exchange
- Source Quench (Type 4) - listed for completeness; deprecated by RFC 6633 and ignored by current hosts, so allowing it is harmless but unnecessary
- Time Exceeded (Type 11) - TTL expiry (code 0, which traceroute depends on) and fragment reassembly timeouts (code 1)
- Destination Unreachable (Type 3) - STRONGLY RECOMMENDED: code 4 (fragmentation needed, DF set) is what Path MTU Discovery (RFC 1191) relies on; filtering it produces connections that open but hang on large transfers (PMTU black holes)
- Parameter Problem (Type 12) - reports malformed IP headers back to the sender
Linux iptables
iptables -t filter -A INPUT --protocol icmp --icmp-type echo-request -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type echo-reply -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type source-quench -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type time-exceeded -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type destination-unreachable -j ACCEPT
iptables -t filter -A INPUT --protocol icmp --icmp-type parameter-problem -j ACCEPT
List the type names that --icmp-type accepts: iptables -p icmp -h
Note: the rules above open each listed type to any source. On a stateful ruleset, accept the error types (3, 11, 12) and echo-reply only when conntrack classifies them as RELATED or ESTABLISHED, and rate-limit inbound echo-request with the limit match; with a default DROP policy on INPUT, every type not listed (redirect, router advertisement, timestamp, address mask) is then refused.
Cisco PIX 7.x, ASA 7.x
Cisco PIX 6.x
access-list acl_outside line 1 remark # ICMP Stuff ##
access-list acl_outside line 2 permit icmp any 192.168.7.0 255.255.255.0 echo
access-list acl_outside line 3 permit icmp any 192.168.7.0 255.255.255.0 echo-reply
access-list acl_outside line 4 permit icmp any 192.168.7.0 255.255.255.0 source-quench
access-list acl_outside line 5 permit icmp any 192.168.7.0 255.255.255.0 time-exceeded
access-list acl_outside line 6 permit icmp any 192.168.7.0 255.255.255.0 unreachable
access-list acl_outside line 7 permit icmp any 192.168.7.0 255.255.255.0 parameter-problem
The list only takes effect once bound to the outside interface with access-group. Anything not permitted above is dropped by the implicit deny at the end of the ACL, which is what keeps redirects, router advertisements and mask/timestamp probes out.
ICMP Type Numbers (IANA assignments; type 4 has since been deprecated by RFC 6633 and types 6, 15-18 and 30-39 by RFC 6918, but they are kept here because the table is used to decode what a filter sees)
Type Name Reference
---- ------------------------- ---------
0 Echo Reply [RFC792]
Codes
0 No Code
1 Unassigned [JBP]
2 Unassigned [JBP]
3 Destination Unreachable [RFC792]
Codes
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited [RFC1812]
14 Host Precedence Violation [RFC1812]
15 Precedence cutoff in effect [RFC1812]
4 Source Quench [RFC792]
Codes
0 No Code
5 Redirect [RFC792]
Codes
0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host
2 Redirect Datagram for the Type of Service and Network
3 Redirect Datagram for the Type of Service and Host
6 Alternate Host Address [JBP]
Codes
0 Alternate Address for Host
7 Unassigned [JBP]
8 Echo [RFC792]
Codes
0 No Code
9 Router Advertisement [RFC1256]
Codes
0 Normal router advertisement
16 Does not route common traffic [RFC2002]
10 Router Selection [RFC1256]
Codes
0 No Code
11 Time Exceeded [RFC792]
Codes
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded
12 Parameter Problem [RFC792]
Codes
0 Pointer indicates the error
1 Missing a Required Option [RFC1108]
2 Bad Length
13 Timestamp [RFC792]
Codes
0 No Code
14 Timestamp Reply [RFC792]
Codes
0 No Code
15 Information Request [RFC792]
Codes
0 No Code
16 Information Reply [RFC792]
Codes
0 No Code
17 Address Mask Request [RFC950]
Codes
0 No Code
18 Address Mask Reply [RFC950]
Codes
0 No Code
19 Reserved (for Security) [Solo]
20-29 Reserved (for Robustness Experiment) [ZSu]
30 Traceroute [RFC1393]
31 Datagram Conversion Error [RFC1475]
32 Mobile Host Redirect [David Johnson]
33 IPv6 Where-Are-You [Bill Simpson]
34 IPv6 I-Am-Here [Bill Simpson]
35 Mobile Registration Request [Bill Simpson]
36 Mobile Registration Reply [Bill Simpson]
39 SKIP [Markson]
40 Photuris [RFC2521]
Codes
0 Bad SPI
1 Authentication Failed
2 Decompression Failed
3 Decryption Failed
4 Need Authentication
5 Need Authorization
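The allow-list at the top of this page and the type/code table above are reference material; to show what a filter actually has to look at, here is an added example in Python that is not part of the original cheatsheet. It builds ICMPv4 messages, verifies the RFC 1071 checksum, decodes the fields a firewall cares about (the next-hop MTU in a type 3 code 4 message, the quoted original IP header that ties an error message to a flow) and applies the page's allow-list, dropping malformed messages even when their type is permitted. The function names, the sample packets and the addresses in them are constructed for this example.

```python
"""Added example (not from the original cheatsheet): decode ICMPv4 messages
and apply the page's allow-list. Samples below are constructed, not captures."""
import ipaddress
import struct

# Type names from the IANA table on this page (subset relevant to the filter).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Advertisement",
    10: "Router Selection", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp", 14: "Timestamp Reply", 17: "Address Mask Request",
    18: "Address Mask Reply",
}
UNREACH_CODES = {
    0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
    3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
    13: "Communication Administratively Prohibited",
}
# The cheatsheet's allow-list (assumed policy for this example).
ALLOWED_TYPES = {0, 3, 4, 8, 11, 12}


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement 16-bit sum.
    Computed over a complete, valid message (checksum field included) it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: int, body: bytes = b"") -> bytes:
    """Assemble an ICMP message; 'rest' is the 32-bit field after the checksum
    (id/seq for echo, next-hop MTU for 3/4, gateway address for redirect)."""
    header = struct.pack("!BBHI", icmp_type, code, 0, rest)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBHI", icmp_type, code, csum, rest) + body


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options, checksum left zero),
    used only as the 'original datagram' part of constructed error messages."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def parse_icmp(msg: bytes) -> dict:
    """Decode an ICMPv4 message. Raises ValueError when it is structurally
    unusable (too short, or an error message without the original header)."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes; got %d" % len(msg))
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    body = msg[8:]
    info = {"type": icmp_type, "code": code,
            "name": ICMP_TYPES.get(icmp_type, "Unassigned/other"),
            "checksum_ok": icmp_checksum(msg) == 0}
    if icmp_type in (0, 8):
        info["identifier"], info["sequence"] = rest >> 16, rest & 0xFFFF
        info["payload"] = body
    elif icmp_type in (3, 11, 12):
        # Error messages quote the offending IP header plus at least 8 bytes of
        # its payload; that is how the receiver maps the error to a flow.
        if icmp_type == 3:
            info["code_name"] = UNREACH_CODES.get(code, "other")
            if code == 4:  # RFC 1191: low 16 bits carry the next-hop MTU
                info["next_hop_mtu"] = rest & 0xFFFF
        elif icmp_type == 12:
            info["pointer"] = rest >> 24  # offset of the offending octet
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ValueError("error message lacks an embedded IPv4 header")
        ihl = (body[0] & 0x0F) * 4
        if ihl < 20 or len(body) < ihl + 8:
            raise ValueError("embedded datagram is truncated")
        orig = {"src": str(ipaddress.IPv4Address(body[12:16])),
                "dst": str(ipaddress.IPv4Address(body[16:20])),
                "protocol": body[9]}
        if orig["protocol"] in (6, 17):  # TCP/UDP: ports are the first 4 bytes
            orig["sport"], orig["dport"] = struct.unpack("!HH", body[ihl:ihl + 4])
        info["original"] = orig
    return info


def filter_decision(msg: bytes) -> str:
    """ACCEPT only well-formed, checksum-valid messages of an allowed type."""
    try:
        info = parse_icmp(msg)
    except ValueError:
        return "DROP"
    if not info["checksum_ok"]:
        return "DROP"
    return "ACCEPT" if info["type"] in ALLOWED_TYPES else "DROP"


# Constructed samples (not captures); the inside host sits in the PIX example's subnet.
ORIG_IP = build_ipv4_header("192.168.7.10", "10.0.0.5", 6, 1500)
ORIG_TCP = struct.pack("!HHI", 51000, 443, 0x11223344)  # first 8 bytes of TCP
SAMPLE_ECHO = build_icmp(8, 0, (0x1234 << 16) | 1, b"ping")
SAMPLE_FRAG_NEEDED = build_icmp(3, 4, 1400, ORIG_IP + ORIG_TCP)
SAMPLE_REDIRECT = build_icmp(5, 1, int(ipaddress.IPv4Address("10.0.0.1")),
                             ORIG_IP + ORIG_TCP)
SAMPLE_BAD_CSUM = SAMPLE_ECHO[:2] + b"\xde\xad" + SAMPLE_ECHO[4:]
SAMPLE_BARE_UNREACH = build_icmp(3, 3, 0)  # allowed type, but no original header

if __name__ == "__main__":
    for label, pkt in [("echo", SAMPLE_ECHO), ("frag-needed", SAMPLE_FRAG_NEEDED),
                       ("redirect", SAMPLE_REDIRECT), ("bad-csum", SAMPLE_BAD_CSUM),
                       ("bare-unreach", SAMPLE_BARE_UNREACH)]:
        print("%-13s %-6s" % (label, filter_decision(pkt)))
```

The point of the two last samples: a checksum mismatch and a type 3 message with no quoted datagram are both dropped even though their types are on the allow-list, because a real host could do nothing useful with them and a filter that admits them on type alone is trusting a field any sender can set.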
ICMP (Types/Codes) grouped by function
Testing Destination Reachability & Status
(0/0) Echo-Reply
(8/0) Echo
Unreachable Destinations
(3/0) Network Unreachable
(3/1) Host Unreachable
(3/2) Protocol Unreachable
(3/3) Port Unreachable
(3/4) Fragmentation Needed and DF set (Pkt too big)
(3/5) Source Route Failed
(3/6) Network Unknown
(3/7) Host Unknown
(3/9) DOD Net Prohibited
(3/10) DOD Host Prohibited
(3/11) Net TOS Unreachable
(3/12) Host TOS Unreachable
(3/13) Administratively Prohibited
(3/14) Host Precedence Unreachable
(3/15) Precedence Unreachable
Flow Control
(4/0) Source-Quench [RFC 1016]
Route Change Requests from Gateways
(5/0) Redirect Datagrams for the Net
(5/1) Redirect Datagrams for the Host
(5/2) Redirect Datagrams for the TOS and Net
(5/3) Redirect Datagrams for the TOS and Host
Router
(6/-) Alternate-Address
(9/0) Router-Advertisement
(10/0) Router-Solicitation
Detecting Circular or Excessively Long Routes
(11/0) Time to Live Count Exceeded
(11/1) Fragment Reassembly Time Exceeded
Reporting Incorrect Datagram Headers
(12/0) Parameter-Problem
(12/1) Option Missing
(12/2) No Room for Option
Clock Synchronization and Transit Time Estimation
(13/0) Timestamp-Request
(14/0) Timestamp-Reply
Obtaining a Network Address (RARP Alternative)
(15/0) Information-Request
(16/0) Information-Reply
Obtaining a Subnet Mask [RFC 950]
(17/0) Address Mask-Request
(18/0) Address Mask-Reply
Other
(30/0) Traceroute
(31/0) Conversion-Error
(32/0) Mobile-Redirect
Ref: [RFC 792] [RFC 896] [RFC 950] [RFC 1016] [RFC 1191] [RFC 6633] [RFC 6918]