Hi, I'm working on getting the correct ICMP firewall rules on my Sophos Firewall.
For doing this I've created a Local Service ACL Exception rule using the service "Ping/Ping6" for my WAN zone and allowing only some common routes we use, excluding the rest of the world.
It obviously enables the Echo Request (Type8Code0) and Echo Reply (Type0Code0) protocols, because I can now ping my WAN interfaces, but does it also enable the Type3Code4 Fragmentation Needed? If not, how could I implement it? I see that I cannot add new types of services.
Thanks a lot
Hello Execcr,
Thank you for reaching out to the community. With ACL you can only add/delete the following services mentioned below:
HTTPS
SSH
Web proxy
DNS (For important details, see DNS service.)
Ping/Ping6
SSL VPN
User portal
Dynamic routing
And you can select an action (Accept or Drop).
By allowing PING/PING6 it allows the ICMP protocol and its code fields, and it does not give that granular control over the code fields like type 0 which is Echo reply, type 8 which is echo request or type 3 which is destination unreachable!
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
Thank you for the fast reply. But I can't understand from your answer if this means that all types and sub codes are allowed or not (so if I enable it, type 3 is also allowed). Thanks
Yes, all types and sub codes are allowed
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
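A way to check from a packet capture which ICMP types and codes actually reach the interface, as an added example that is not part of the original posts: it parses raw ICMPv4 messages, verifies the checksum and, for Type 3 Code 4, reads the next-hop MTU as defined in RFC 1191. The function names and the sample messages are constructed for illustration.

```python
import struct

# (type, code) pairs discussed in the thread
NAMES = {
    (8, 0): "Echo Request",
    (0, 0): "Echo Reply",
    (3, 4): "Destination Unreachable: Fragmentation Needed",
}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify_icmp(msg: bytes) -> dict:
    """Parse an ICMPv4 message (the bytes that follow the IP header)."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    icmp_type, code, _cksum, rest = struct.unpack("!BBHI", msg[:8])
    info = {
        "type": icmp_type,
        "code": code,
        "name": NAMES.get((icmp_type, code), "other"),
        # A valid message sums to zero when the checksum field is included
        "checksum_ok": inet_checksum(msg) == 0,
    }
    if (icmp_type, code) == (3, 4):
        # RFC 1191: low 16 bits of the second header word hold the next-hop MTU
        info["next_hop_mtu"] = rest & 0xFFFF
    return info

def build(icmp_type: int, code: int, rest: int, payload: bytes = b"") -> bytes:
    """Construct a sample ICMP message with a valid checksum (test data only)."""
    ck = inet_checksum(struct.pack("!BBHI", icmp_type, code, 0, rest) + payload)
    return struct.pack("!BBHI", icmp_type, code, ck, rest) + payload

# Constructed samples, not captured traffic
SAMPLES = [
    build(8, 0, 0x00010001, b"ping"),
    build(0, 0, 0x00010001, b"ping"),
    build(3, 4, 1400, b"\x45" + b"\x00" * 27),  # stand-in for quoted IP header + 8 bytes
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify_icmp(sample))
```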