{"description": "In <tt>/etc/sysconfig/iptables</tt>, the accepted ICMP message\ntypes can be restricted. To accept only ICMP echo reply, destination\nunreachable, and time exceeded messages, remove the line:<br />\n<pre>-A INPUT -p icmp --icmp-type any -j ACCEPT</pre>\nand insert the lines:\n<pre>-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT\n-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT\n-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT</pre>\nTo allow the system to respond to pings, also insert the following line:\n<pre>-A INPUT -p icmp --icmp-type echo-request -j ACCEPT</pre>\nPing responses can also be limited to certain networks or hosts by using the -s\noption in the previous rule.  Because IPv6 depends so heavily on ICMPv6, it is\npreferable to deny the ICMPv6 packets you know you don't need (e.g. ping\nrequests) in <tt>/etc/sysconfig/ip6tables</tt>, while letting everything else\nthrough:\n<pre>-A INPUT -p icmpv6 --icmpv6-type echo-request -j DROP</pre>\nIf you are going to statically configure the system's address, it should\nignore Router Advertisements, which could add another IPv6 address to the\ninterface or alter important network settings:\n<pre>-A INPUT -p icmpv6 --icmpv6-type router-advertisement -j DROP</pre>\nRestricting ICMPv6 message types in <tt>/etc/sysconfig/ip6tables</tt> is not\nrecommended because the operation of IPv6 depends heavily on ICMPv6. Thus, great\ncare must be taken if any other ICMPv6 types are blocked.", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": {}, "platform": "", "platforms": [], "inherited_platforms": ["package[iptables]"], "cpe_platform_names": [], "title": "Restrict ICMP Message Types", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-iptables/iptables_ruleset_modifications/iptables_icmp_disabled/group.yml"}