Firewall Wizards mailing list archives

blocking all ICMP at firewalls


From: Jyri Kaljundi <jk () stallion ee>
Date: Wed, 15 Oct 1997 18:40:36 +0300 (EET DST)


How should ICMP be handled correctly at the firewall? The thing I want to
know is if I block all ICMP at the firewall's external interface, what are the
things that will break? In some places I want to block both all ICMP to
the firewall's external interface and all ICMP going through the firewall to
the internal network. And since that will deny incoming echo-reply also, I
think I would deny all outgoing ICMP also. Now what will happen and is
this kind of configuration allowed?

How important are ICMP source quench, time exceeded and parameter problem?
In theory what I think will happen is there will be cases where one side
is sending too much information which the other side will not receive
(because source quench is not allowed, they cannot tell each other to slow
down). And there might be cases where one side is down and we do not get
host unreachable in a certain time, but we could live with that, most
services still can be manually stopped.

And will I get angry network administrators shouting at me because ICMP
should always be allowed on the Internet and I am breaking things?

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/


