Furthermore, ICMP is _mandatory_ for path MTU discovery to work. So be ready for all kinds of non-functioning stuff if you transfer larger packets than the MTU somewhere in the middle (such as trying to squeeze a 1500 byte ethernet packet into an IPSec tunnel with an MTU around 1426). TCP/IP is built in such a way that it reacts to these ICMP MTU mismatch messages when packets get dropped on the way due to too big a size. TCP can adapt, but if ICMP is filtered away, then TCP will not notice and an endless retransmission dance begins. The odd thing there is that it "kinda works". Sometimes it's just slow and sometimes nothing works. We use IPSec in our network heavily and we have seen that happening with large corporations such as Networksolutions.com (which is one of the oldest companies on the internet; they should know this stuff!). This can be a big issue. So if I ever find a consultant telling me I should filter away ICMP just because, I will kick him out of the door immediately. The only reason where this could be valid is if you still have Windows 95 machines in your network due to the "ping-of-death" bug. But if you have that, then you're hopelessly lost anyway.
Let's face it. Firewalls and NAT have been built to break the internet in the way it has been intended, with all kinds of strange side effects. Thinking they are the only defence to protect you is so wrong. Social engineering brings hackers behind firewalls and they attack from the inside. A well secured localhost is way more important. I've been using machines on public IPs without firewall or NAT in between for over 20 years and the issues I've seen have all been controllable (but I'm not an interesting target to hack like a bank). On the other hand, NAT & firewalls (and their admins) have turned out to be a way bigger problem.
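The PMTUD failure mode described in the comment above, as an added simulation that is not part of the original post: a sender with DF set pushes segments through a constructed path whose smallest link MTU is 1426 bytes (the tunnel figure from the comment). With ICMP passing, one "Fragmentation Needed" error teaches the sender the path MTU; with ICMP filtered, small transfers still succeed while anything larger than the MTU retransmits until the sender gives up. The header sizes, retry limit and `Path`/`send_payload` names are assumptions of this example.

```python
from dataclasses import dataclass, field

IP_HEADER = 20   # bytes, IPv4 without options (assumption)
TCP_HEADER = 20  # bytes, TCP without options (assumption)
MAX_RETRIES = 5  # unanswered retransmissions before the sender gives up (assumption)


@dataclass
class Path:
    """Constructed network path: one bottleneck link plus an optional ICMP filter."""
    mtu: int                 # smallest link MTU along the path
    icmp_filtered: bool      # True models a firewall dropping all ICMP
    deliveries: list = field(default_factory=list)

    def forward(self, packet_len: int):
        """Return None on delivery, the ICMP next-hop MTU, or "blackhole"."""
        if packet_len <= self.mtu:
            self.deliveries.append(packet_len)
            return None                 # fits the link, delivered to the far end
        # Too big with DF set: the router drops it ...
        if self.icmp_filtered:
            return "blackhole"          # ... and the ICMP error never reaches the sender
        return self.mtu                 # ... and reports the MTU it could have passed


def send_payload(path: Path, payload_len: int, local_mtu: int = 1500) -> dict:
    """Send payload_len bytes over path; report outcome, learned PMTU and retransmits."""
    pmtu = local_mtu                    # sender starts by trusting its own link MTU
    retransmits = 0
    sent = 0
    while sent < payload_len:
        seg = min(payload_len - sent, pmtu - IP_HEADER - TCP_HEADER)
        result = path.forward(seg + IP_HEADER + TCP_HEADER)
        if result is None:
            sent += seg                 # segment acknowledged, move on
            continue
        retransmits += 1
        if result == "blackhole":
            # No feedback: TCP retries the same oversized segment until it gives up.
            if retransmits >= MAX_RETRIES:
                return {"ok": False, "pmtu": pmtu, "retransmits": retransmits, "sent": sent}
            continue
        pmtu = result                   # learned from ICMP: shrink the segment and retry
    return {"ok": True, "pmtu": pmtu, "retransmits": retransmits, "sent": sent}
```

The same 4000 byte transfer needs one retransmission when ICMP is allowed and never completes when it is filtered, while a 500 byte transfer succeeds either way, which is the "kinda works" behaviour the comment describes.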