mh. icmp messages are vital to most traffic on the network and they cannot really be used for hacking. of course, icmp floods (i.e. ping of death etc.) are based on them, but your system should be immune. anyway, destination-unreachable for instance is what you get back when you point netscape to http://i.dont.exist.com. it's a very low-level protocol, called the internet (protocol) control message protocol, so it is used at a level far below tcp/udp to handle control messages.
i don't know where your firewall is set up. i assume you are using ipchains to configure it.
so check /etc/rc.d/init.d/ipchains, /etc/ipchains*, and /etc/sysconfig/ipchains for lines similar to the ones below. let me know when you find a file that lists rules with or without the 'ipchains' in the beginning of the line.
martin
Actually ICMP is a hacker's best friend. You can discover what OS the remote end is running, how a firewall is set up, all sorts of cool stuff. You can block 100% of icmp traffic, the only thing it "breaks" is path MTU (max transmit unit), some clients on crappy links will not be able to connect. Blocking the various things like dest unreach means clients will have to timeout instead of getting a "port unreachable" packet, this is basically a non-issue in most cases. Personally I advocate blocking ALL icmp when possible, sure it breaks path mtu for some people, but in most cases they don't matter too much =)
-Kurt
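
Added example (not part of either message): a small Python sketch of the check martin describes. It pulls the ICMP rules out of ipchains rule lines, with or without the leading 'ipchains', and reports the first-match target for fragmentation-needed, the message path MTU discovery depends on. The sample rules are constructed, the name table is a small subset, and the --icmp-type spelling is assumed from the ipchains man page.

```python
import shlex

# Subset of ICMP message names -> (type, code); code None means "any code".
ICMP = {
    "destination-unreachable": (3, None),
    "fragmentation-needed": (3, 4),   # the message path MTU discovery needs
    "echo-request": (8, None),
}

def _opt(words, name):                # value following option `name`, or None
    if name in words and words.index(name) + 1 < len(words):
        return words[words.index(name) + 1]
    return None

def parse_icmp_rules(text):
    """Return (chain, icmp_name_or_None, target) for every appended ICMP rule."""
    rules = []
    for line in text.splitlines():
        try:
            words = shlex.split(line, comments=True)
        except ValueError:            # shell fragments in an init script
            continue
        if words and words[0].lower().endswith("ipchains"):
            words = words[1:]         # the leading 'ipchains' is optional
        chain, proto = _opt(words, "-A"), _opt(words, "-p")
        if chain and proto and proto.lower() == "icmp":
            rules.append((chain, _opt(words, "--icmp-type"), _opt(words, "-j")))
    return rules

def verdict(rules, chain, icmp_name):
    """First matching target in `chain`, else None (chain policy applies)."""
    # Simplification: address and interface matches are not evaluated.
    want_type, want_code = ICMP[icmp_name]
    for r_chain, r_name, target in rules:
        if r_chain != chain or target is None:
            continue
        r_type, r_code = ICMP.get(r_name, (None, None))
        if r_name is None or (r_type == want_type and r_code in (None, want_code)):
            return target
    return None

# Constructed sample, in both forms (with and without the leading 'ipchains').
SAMPLE = """\
ipchains -A input -p icmp --icmp-type fragmentation-needed -j ACCEPT
-A input -p icmp --icmp-type echo-request -j DENY
-A input -p tcp -s 0/0 -d 0/0 80 -j ACCEPT
-A input -p icmp -j DENY
"""
if __name__ == "__main__":
    print(verdict(parse_icmp_rules(SAMPLE), "input", "fragmentation-needed"))
```

To run it against a real ruleset, pass the text of the files martin lists to parse_icmp_rules().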