IP filter discard action

When packets are denied by IP filter policy, IP security supports sending an ICMP or ICMPv6 destination unreachable message, which indicates that a packet is administratively prohibited. You can enable this action for the implicit Policy Agent deny filter rules using the ImplicitDiscardAction parameter on the IpFilterPolicy statement, and for individual filter rules using the DiscardAction parameter on the IpGenericFilterAction statement.

Rule: To make a system effectively invisible to attackers, choose the discard action Silent. Choose the discard action ICMP only in cases in which doing so is a useful diagnostic aid, such as for users of internal networks.
Parent topic: IP security