IPv4 ping response

[evantkh]

The ping response is only required during registration/update of the the tunnel endpoint or do I need to allow it during the use of the tunnel after registration?

[cholzhauer]

Only for setup, but you should consider allowing it after too

[evantkh]

Only for setup, but you should consider allowing it after too

What will happen if it is not allowed?

[kriteknetworks]

Why are you against having icmp4 open?

[evantkh]

Why are you against having icmp4 open?

Because I don't want to put so many rules on my firewall because maximum number of rules are limited.

[broquea]

Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)

Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? rate-limit ICMP, don't block.

We're you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.

[evantkh]

Don't want too many firewall rules? Drop/exclude the one that blocks ICMP ;)

Want to operate a network like a professional, rather than someone that believes the FUD of leaving ICMP reachable? rate-limit ICMP, don't block.

We're you planning on blocking ICMP6 as well? Because if so, enjoy the crappy broken PMTUD you'd be introducing.

There are two reasons.

Firstly, I can only configure allow rules on my upstream(AWS) stateful firewall.
Secondly, egress traffic is very expensive, so I want to drop as many packets as possible to prevent responding while allowing incoming packets dynamically using ip6tables connection tracking.

Does this setup has any problem?