Anatomy of a Hack
Microsoft put out a good article this year about how an intruder might get into your network. I stumbled upon this gem whilst looking for something else, so I haven't quite read it yet, but you can right here.
One of the things he mentions, though, might be an oversimplification:
ICMP traffic should be sent to /dev/null at the border. Even a half decent firewall should block ICMP, but it is surprising how often administrators forget to ensure that it is actually disabled. No response should even be sent.
ICMP messages are commonly blocked at firewalls because of a perception that they are a source of security vulnerabilities. This often creates "black holes" for Path MTU Discovery, causing legitimate application traffic to be delayed or completely blocked when talking to systems connected via links with small MTUs.
As for the firewalls I've set up, I leave ICMP alone. There are too many instances where I've been thankful to be able to ping the firewall's interfaces from all networks attached.
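To make the Path MTU Discovery point concrete, here is an added example (not from the Microsoft article or this post) that builds and parses the ICMP "fragmentation needed" message (type 3, code 4, RFC 1191 layout) and compares a blanket drop with a selective border policy. The `ALLOW_TYPES` policy, the function names and the sample packet are assumptions made for illustration.

```python
import struct

# Assumed selective border policy for this sketch (not from the article):
# ICMP types allowed through; everything else is dropped.
ALLOW_TYPES = {0: "echo reply", 3: "destination unreachable (code 4 = PMTUD)",
               8: "echo request", 11: "time exceeded"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frag_needed(next_hop_mtu: int, quoted: bytes) -> bytes:
    """Construct an ICMP type 3 code 4 message carrying the next-hop MTU."""
    header = struct.pack("!BBHHH", 3, 4, 0, 0, next_hop_mtu)
    csum = inet_checksum(header + quoted)
    return struct.pack("!BBHHH", 3, 4, csum, 0, next_hop_mtu) + quoted

def parse_icmp(msg: bytes) -> dict:
    """Parse the 8-byte ICMP header; report next-hop MTU for type 3 code 4."""
    if len(msg) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    return {
        "type": itype, "code": code,
        # A valid message sums to zero when the checksum field is included.
        "checksum_ok": inet_checksum(msg) == 0,
        "next_hop_mtu": mtu if (itype, code) == (3, 4) else None,
    }

def border_decision(msg: bytes, drop_all: bool) -> str:
    """Return 'drop' or 'permit' under a blanket or selective policy."""
    info = parse_icmp(msg)
    if drop_all or not info["checksum_ok"]:
        return "drop"
    return "permit" if info["type"] in ALLOW_TYPES else "drop"

# Constructed sample: a router on a 1400-byte link reporting back, quoting
# a placeholder 28 bytes where the original IP header and payload would go.
SAMPLE = build_frag_needed(1400, b"\x45\x00" + b"\x00" * 26)
```

With `drop_all=True` the sender never learns the 1400-byte limit and keeps retransmitting oversized packets, which is the black hole the quoted passage describes.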