Copied from Robin Walker's cable modem page.
Stealth-mode firewalls considered harmful
Some firewalls have a hiding mechanism they call stealth. For instance, the High Security setting in ZoneAlarm is an example of stealth mode. In stealth mode, the firewall causes the PC just to ignore incoming connection attempts, rather than rejecting them, as would be normal for incoming connection attempts to closed ports. The result is that the PC appears to be switched off and absent from the network.
This hyper-paranoid approach to security causes some difficulties. For a start, Internet standard RFC 1122 states categorically about ICMP Echoes (ping):
3.2.2.6 Echo Request/Reply: RFC-792
Every host MUST implement an ICMP Echo server function that receives Echo Requests and sends corresponding Echo Replies.
Note the MUST rather than SHOULD. This means that any internet user, or ISP server, has a right to expect that all live PCs connected to the internet will respond to ICMP ping requests with an ICMP reply. If a firewall user chooses to stealth ICMP requests so that no response is sent, they have only themselves to blame if they start experiencing problems, because they are in breach of RFC 1122.
The problems that might arise if you kill ICMP responses with stealth are:
Difficulties with DHCP lease acquisition or renewal in cases where the DHCP server checks on the availability of IP addresses, or your presence on the network, with ICMP ping requests [this doesn't actually happen on the original NTL network, but ICMP requests have been seen coming from the DHCP servers of digital TV set-top boxes. No problems seen with blueyonder];
Slowness of web connection setup in cases where the remote web server uses ICMP to determine the MTU of the response path;
Frustration at ISP help-desks (and with informal helpers) if your PC does not respond to pings and traceroutes, as it is difficult to distinguish this situation from a broken connection.
So you are strongly advised not to apply stealth techniques to the ICMP protocol. In the freeware version of ZoneAlarm, this means you should run it in Medium Security, not High Security, for the Internet Zone. In ZoneAlarm Pro, you can configure ICMP behaviour to permit ICMP Echo packets in and out even in High Security, using the Customize button of the Security Settings panel.
Windows XP has a built-in firewall that by default blocks ICMP Echo. You should uncheck this feature.
Similar problems arise with certain NAT routers, such as the Linksys. By default, the Linksys does not reply to incoming ICMP requests, equivalent to a stealth firewall. To configure the Linksys to reply properly to all incoming requests, send your web browser to the Linksys configuration page at http://192.168.1.1/ and then:
Click on the Advanced tab.
On the Filters panel, find the option Block WAN Request, and check Disable.
A commonly heard objection to allowing ICMP Echo Replies is that it gives away information to hackers that there is a live connection on this IP address. Such objections are not well-founded, and can be safely ignored. There is no evidence in practice that any hacker has been aided by the presence of an ICMP Echo Reply. Hackers do not typically write code that tests an address with ICMP Echo before launching a hostile probe; they always send the hostile probe directly. Either it works or it doesn't, and information from ICMP adds nothing to the analysis.
Hope this explains it.
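As an added illustration (not part of the original post or of Robin Walker's page), the Python below models the ICMP Echo server function quoted from RFC 1122 and what stealth mode changes: a valid Echo Request gets an Echo Reply carrying the same identifier, sequence number and data, while a stealthed host sends nothing. The function names and the `stealth` flag are assumptions made for this example, and the sample payload is constructed.

```python
import struct

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP message types from RFC 792


def inet_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages for the sum only
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)  # fold carries back in
    return ~total & 0xFFFF


def build_echo(msg_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMP Echo message (type, code 0, checksum, id, seq, data)."""
    header = struct.pack("!BBHHH", msg_type, 0, 0, ident, seq)
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", msg_type, 0, csum, ident, seq) + payload


def echo_server(message: bytes, stealth: bool = False):
    """Return the Echo Reply for a valid Echo Request, or None if nothing is sent.

    stealth=True (hypothetical flag) models a firewall that silently
    ignores the request, which is the behaviour the text above describes.
    """
    if len(message) < 8:
        return None  # too short to hold an ICMP Echo header
    msg_type, code, _csum, ident, seq = struct.unpack("!BBHHH", message[:8])
    if msg_type != ECHO_REQUEST or code != 0:
        return None  # not an Echo Request
    if inet_checksum(message) != 0:
        return None  # a valid message sums to zero with its checksum included
    if stealth:
        return None  # request was fine, but the host stays silent
    # RFC 792: the reply echoes identifier, sequence number and data unchanged.
    return build_echo(ECHO_REPLY, ident, seq, message[8:])


if __name__ == "__main__":
    request = build_echo(ECHO_REQUEST, 0x1234, 1, b"constructed ping payload")
    print("normal host :", echo_server(request))
    print("stealth host:", echo_server(request, stealth=True))
```

From the sender's side, the stealth case and a corrupted or lost request look identical: no reply arrives, which is why the text says a stealthed PC is hard to tell apart from a broken connection.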