[kstrauser]

Once upon a time, "reasonable networks" blocked ICMP, too.

They were wrong then, of course, and they're still wrong now.

[ocdtrekkie]

Once upon a time, like today? ICMP is most definitely only allowed situationally through firewalls today.

[tredre3]

I'd say that ICMP is only situationally blocked by firewalls, not the other way around.

Because I can ping almost any public server on the internet and they will reply. I can ping your website just fine and it replies to me!

[ocdtrekkie]

You'd say incorrectly, firewalls have an implicit deny rule, so any case ICMP traverses a firewall, someone wanted it to. Obviously large hosting providers tend to find value in ICMP being enabled.

But for example, our firewall at work responds to ICMP but all of the endpoints which aren't meant for public use do not. That is less because ICMP is a problem and more because everything works fine without it and least privilege is good design.

ICMP is also more than just ping, and some parts of ICMP are considered a vulnerability if exposed to the public internet by some scanning services.

[AtNightWeCode]

The normal behavior is that firewalls and proxys respond to the ICMP requests instead of forwarding them though...

[kstrauser]

That kind of cargo culted tradition is how you end up with weird packet loss and VPNs that flat-out refuse to work.

I could be convinced to block inbound pings. Anything past that and I'd want solid evidence that it wouldn't break anything, with the expectation that it would.

[tolciho]

address-mask-request and redirect and timestamp-request for IPv4 might be problematic to allow inbound from who knows where. echo-request might well be rate limited so remote hosts can ping certain servers (but not random client host IPs), but not too many pings per second.