Reasons to turn ICMP unreachable messages off/on?
I see on this question (How can I stop Linux from sending ICMP "Destination Unreachable" responses?) that there was a lot of discussion pointing to the fact that you shouldn't turn off ICMP unreachable messages. I am wondering why, and when you should. I too want to know how to do it. I know it breaks path MTU discovery, but what else?
On Cisco devices you can turn this on and off, so there must be a reason. Their documentation just says that turning it off is supposed to be for increased security, in that it is harder to get information about your network. That is what the Cisco documentation says. I need to implement the ability to turn this on and off on a switch for my company, so I am learning about it. Regardless of the whys, I still have to do it, but I'd like an informed answer on why to do it or not, to give to others.
When I want to turn off ICMP redirects I do this:
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
Is there something similar for unreachables?
The user on the other thread did it like so:
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j DROP
Is this a good way? Then I could turn it back on by removing this DROP rule?
Should I be telling people that they don't need this feature?
EDIT: Online I see this:
An attacker could gather information about your network when scanning it, like unused IPs and networks. When working with (interface) access lists, a deny statement triggers an ICMP Type 3 Code 9/10 message (Network/Host Administratively Prohibited). When disabling ICMP unreachables on the interface where the ACL is applied, the deny statement acts like a 'drop' and does not reply.
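The iptables approach from the question, worked into an idempotent on/off script, as an added example that is not part of the original post or of either answer. It assumes a Linux host with iptables and root privileges; the IPTABLES variable and the function names are mine. Linux has no sysctl that switches off outbound unreachables the way accept_redirects switches off acceptance of redirects (icmp_ratelimit and icmp_ratemask only rate-limit them), so an OUTPUT rule is the mechanism. The one refinement over a bare DROP of all type 3 is that code 4, "fragmentation needed", is exempted, because that is the message path MTU discovery depends on. (The Cisco analogue is the interface command no ip unreachables.)

```shell
#!/bin/sh
# Toggle outbound ICMP "destination unreachable" (type 3) on a Linux host.
# Added example, not from the original thread. Assumes iptables and root.
# Unlike the bare DROP rule in the question, this keeps type 3 code 4
# ("fragmentation needed") flowing so Path MTU Discovery still works, and
# every operation is idempotent (checks with -C before -A / -D).

IPTABLES=${IPTABLES:-iptables}   # assumed binary name; override for testing

# Rule 1: keep sending fragmentation-needed (type 3, code 4), needed for PMTUD.
PMTUD_RULE="OUTPUT -p icmp --icmp-type 3/4 -j ACCEPT"
# Rule 2: silently drop every other outbound destination-unreachable (type 3).
DROP_RULE="OUTPUT -p icmp --icmp-type 3 -j DROP"

rule_present() {            # $1 = rule spec; true if already in the chain
    # shellcheck disable=SC2086  (word splitting of the spec is intended)
    "$IPTABLES" -C $1 2>/dev/null
}

add_rule() {                # append only if absent, so repeated "off" is safe
    # shellcheck disable=SC2086
    rule_present "$1" || "$IPTABLES" -A $1
}

del_rule() {                # delete only if present, so repeated "on" is safe
    # shellcheck disable=SC2086
    if rule_present "$1"; then "$IPTABLES" -D $1; fi
}

unreachables_off() {
    # Order matters: the ACCEPT for 3/4 must precede the DROP for type 3,
    # otherwise the DROP would swallow fragmentation-needed as well.
    add_rule "$PMTUD_RULE" && add_rule "$DROP_RULE"
}

unreachables_on() {
    # Remove in reverse order so there is never a DROP without its exemption.
    del_rule "$DROP_RULE" && del_rule "$PMTUD_RULE"
}

unreachables_status() {     # prints "off" when the DROP rule is installed
    if rule_present "$DROP_RULE"; then echo off; else echo on; fi
}

case "${1:-}" in
    off)    unreachables_off ;;
    on)     unreachables_on ;;
    status) unreachables_status ;;
    "")     ;;              # no argument: only define the functions (sourced)
    *)      echo "usage: $0 on|off|status" >&2; exit 2 ;;
esac
```

Run it as `sh unreachables.sh off`, check with `status`, and undo with `on`; both directions test with `-C` first, so running either twice is harmless. Appending in that order puts the ACCEPT for 3/4 ahead of the DROP for type 3, which is what preserves PMTUD, but only if no earlier rule in OUTPUT already drops ICMP.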
Solution 1:
From a very thorough and well-written answer about the same subject over at security.SE, which I highly recommend you read:
At its core ICMP was designed as the debugging, troubleshooting, and error reporting mechanism for IP. This makes it insanely valuable, so a lot of thought needs to go into shutting it down. It would be a bit like tacking >/dev/null 2>&1 to the end of all your cron entries.
Source Quench / Redirect is pretty much obsolete and removed from modern networking devices. IPv6 requires ICMP to fully function.
The bottom line: Don't block anything unless you fully understand the implications. If I were to give you one piece of advice, it would be to block ICMP echo in your external firewall and leave everything else open. But that is just my opinion.
Solution 2:
Preventing your server from sending "destination unreachable" basically makes it mute to a majority of port scans, which increases security. However, not by much. It does break path discovery, and there's no real reason to block it. There are many, many ways to scan a server, and that ICMP response is just one of them.