Subject: Re: SOLVED! The cause of puzzling TCP (eg. WHOIS) connection failures with some InterNIC.net hosts
To: Henry Miller <hank@black-hole.com>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-net
Date: 11/22/1998 00:31:41
>ICMP, and who cannot explain why should be FIRED! Most of us don't
>administer firewalls for three letter government agencies. (I don't, but
>marketing tells me that ICMP filtering is a requirement for such people.
>They also understand all of the discussion above)
I have yet to see evidence that either of those statements are true. :-/
Seriously, I've talked to a lot of firewall administrators, at
commercial sites, educational sites, three letter government agencies
(even ones that don't exist), and there has been one _unvarying_
theme. They universally do not understand the protocols they are
filtering. If they _did_ understand these protocols, then they
wouldn't be firewall administrators.
The firewalls I've encountered have all been "set it and leave it".
I will fully admit that I have no statistics to back up my claim, just
anecdotal evidence. I'm convinced of one thing, however: there are
plenty of dumb firewall administrators. I'm sure there are good ones
out there ... I just haven't met them yet.
--Ken