Reasons to turn off/on unreachables messages?

linux icmp

I see on this question (How can I stop Linux from sending ICMP "Destination Unreachable" responses?) that there was a lot of discussion pointing to the fact that you shouldn't turn off ICMP unreachable messages. I am wondering why and when you should? I too want to know how to do it. I know it breaks MTU path discovery but what else?

On cisco devices you can turn this on and off, there must be a reason. In their documentation it just says that turning it off is supposed to be for increased security as in it's harder to get information about your network? This is what the cisco documentation says. I need to implement the ability to turn this on and off on a switch for my company so I am learning about it. Regardless of the why's I still have to do it, but I'd like an informed answer on why to do it or not to give to others.

When I want to turn off ICMP redirects I do this:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Is there something similar for unreachables?

The user on the other thread did it like so:

iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP

is this a good way, then i could turn it on again by stopping this drop?

Should I be telling people that they don't need this feature?

EDIT: Online I see this:

An attacker could gather information’s about your network when scanning it,
like unused IP’s and networks. When working with (interface-) Access-Lists,
a deny statement triggers an ICMP Type 3     Code 9/10 message
(Network/Host is Administratively Prohibited). When disabling ICMP    unreachables 
on the interface where the ACL is applied, the deny statement 
acts like a ‘drop’ and does not reply.

Solution 1:

From a very thorough and well-written answer about the same subject over at security.SE, which I highly recommend you to read:

At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. This makes it insanely valuable so a lot of thought needs to into shutting it down. It would be a bit like tacking >/dev/null 2>&1 to the end of all your cron entries.

Source Quench / Redirect is pretty much obsolete and removed from modern networking devices. IPv6 requires ICMP to fully function.

The bottom line: Don't block anything unless you fully understand the implications. If I were to give you one advice, it would be to block icmp echo in your external firewall, and leave everything else open. But that is just my opinion.

Solution 2:

Preventing your server from sending "destination unreachable" basically makes it mute to a majority of port scans, which increases security. However, not by much. It does break path discovery and there's no real reason to block it. There are many many ways to scan a server and that ICMP response is just one of them.

Related

Sendmail: Setting envelope sender to a fixed value
Programmatically add entry to user's crontab
Enable NIS extensions (rfc2307) on Samba 4 AD after installation
Permissions Issue with Files Generated by PerfMon
Explain load averages on Solaris 10
Achieving Five Nines
Chaining custom systemd services
Network Incident Report Template
VMXNET3 performance on Linux on ESX 5.0
How are IP addresses assigned? What do the parts mean? [duplicate]
How does Windows Event forwarding work with non domain computers? (certificates)
Slow connect on ssh on Ubuntu