Searching around I haven't been able to determine the best practice for ICMP on a firewall.
For example on a Cisco ASA would it be safe and recommended to allow ICMP from any if ICMP inspection is enabled. This would then allow for things like type 3 unreachables to make it back to the clients.
No, ICMP should not be blocked. It's vital signalling protocol. Internet does not function without it.
PMTUD is broken if you drop ICMP.
IPv6 does not even begin to work without ICMP, as L3 to L2 address resolution (ARP in IPV4) is riding on top of ICMP in IPv6.
Also troubleshooting will take longer if ICMP echos are dropped. Alas often FW people train of thought appears to be 'when in doubt, drop'.
You use FW because your inside network has services not requiring auth or unmanaged hosts running vulnerable software. ICMP really is not a practical attack vector.
