Topic: Simplest configuration that allows traceroute / ping  (Read 1516 times)
« on: December 30, 2007, 04:11:52 »
fractal
Posts: 2

I have read the arguments pro and con and wish to make my router both pingable and traceable.  I am trying to balance the security of selectively filtering ICMPs with the performance hit of doing so.  Thus far, I have found that the following WAN firewall rules do the job

allow icmp unreach * * * *
allow icmp echo * * * *
allow icmp echo reply * * * *
allow udp * * WAN address *

allows pinging the router as well as traceroutes.

Allowing udp to the router itself appeared necessary to get traceroute to detect the last hop.  Omitting it filled the firewall log with deny messages for high-port UDP packets and gave no final hop timings, the one I really cared about.

All the credible guides say that destination unreachable - fragmentation needed is necessary for MTU discovery, but I don't see any way to specifically select the subtype.

So, has anyone else gone down this path before?  If so, are those four rules necessary and sufficient?  Or is it simply better to allow all ICMPs to speed up packet processing?  Lastly, is there a better way to make the box traceroutable other than allowing all incoming udp?
« Reply #1 on: January 20, 2008, 21:13:20 »
cmb
Posts: 851

IPFilter automatically allows any ICMP messages related to anything in the state table, so you don't have to worry about breaking PMTUD or any other desirable ICMP messages with your rules.

traceroute on Unix-based systems (BSD, Linux, OS X) uses UDP, as you've seen, though on Windows systems it uses ICMP. So if you want Windows traceroute to work you may need to modify your rules.
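The following is an added illustration, not code from this thread or from m0n0wall/IPFilter: a small Python model of the four WAN rules from the first post (first match wins, implicit deny) plus the behaviour cmb describes, where ICMP error messages that quote a flow already in the state table are passed without an explicit rule. The addresses, the `Firewall`/`Packet`/`Rule` names and the probe functions are all constructed for the example. It shows why a Unix traceroute (UDP probes to high ports) needs the fourth rule to time the last hop and logs denies without it, why a Windows tracert (ICMP echo) does not, and why a fragmentation-needed message for an established connection gets through even with an empty rule set.

```python
"""Toy model of the WAN rule set discussed above (constructed example).

Models first-match rule evaluation plus an IPFilter-style implicit pass
for ICMP errors related to a state-table entry. Not m0n0wall/IPFilter code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

WAN_ADDR = "203.0.113.1"   # placeholder router WAN address (documentation range)


@dataclass(frozen=True)
class Packet:
    proto: str                          # "icmp", "udp" or "tcp"
    src: str
    dst: str
    dport: Optional[int] = None         # UDP/TCP destination port
    icmp_type: Optional[str] = None     # "echo", "echo-reply", "unreach", "time-exceeded"
    # For ICMP errors: the original flow quoted in the ICMP payload,
    # as (proto, src, dst, dport) of the packet that triggered the error.
    quoted_flow: Optional[Tuple[str, str, str, int]] = None


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # protocol name or "*"
    icmp_type: str = "*"   # ICMP subtype or "*"
    dst: str = "*"         # "*" or a destination address

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "*" and self.proto != pkt.proto:
            return False
        if self.icmp_type != "*" and self.icmp_type != pkt.icmp_type:
            return False
        if self.dst != "*" and self.dst != pkt.dst:
            return False
        return True


# The four WAN rules from the first post, in order; anything unmatched is denied.
WAN_RULES = [
    Rule("allow", "icmp", icmp_type="unreach"),
    Rule("allow", "icmp", icmp_type="echo"),
    Rule("allow", "icmp", icmp_type="echo-reply"),
    Rule("allow", "udp", dst=WAN_ADDR),
]


class Firewall:
    def __init__(self, rules, wan_addr=WAN_ADDR):
        self.rules = list(rules)
        self.wan_addr = wan_addr
        self.state = set()   # outbound flows: (proto, local, remote, remote_port)
        self.log = []        # deny log lines, like the ones the first post mentions

    def open_outbound(self, proto: str, remote: str, rport: int) -> None:
        """Record an outbound connection in the state table."""
        self.state.add((proto, self.wan_addr, remote, rport))

    def inbound(self, pkt: Packet) -> str:
        # Stateful pass: ICMP errors that quote a flow in the state table are
        # allowed regardless of the rule set (keeps PMTUD working).
        if (pkt.proto == "icmp"
                and pkt.icmp_type in ("unreach", "time-exceeded")
                and pkt.quoted_flow in self.state):
            return "allow (state-related icmp)"
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        self.log.append(f"deny {pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return "deny"


def unix_traceroute_last_hop(fw: Firewall, src: str = "198.51.100.7") -> str:
    """Unix traceroute: the final probe is a UDP datagram to a high port."""
    return fw.inbound(Packet("udp", src, WAN_ADDR, dport=33434))


def windows_tracert_last_hop(fw: Firewall, src: str = "198.51.100.7") -> str:
    """Windows tracert: the final probe is an ICMP echo request."""
    return fw.inbound(Packet("icmp", src, WAN_ADDR, icmp_type="echo"))


def pmtud_frag_needed(fw: Firewall, src: str = "198.51.100.9") -> str:
    """A fragmentation-needed unreachable for a connection the router opened."""
    fw.open_outbound("tcp", "192.0.2.80", 443)
    return fw.inbound(Packet("icmp", src, WAN_ADDR, icmp_type="unreach",
                             quoted_flow=("tcp", WAN_ADDR, "192.0.2.80", 443)))


if __name__ == "__main__":
    full = Firewall(WAN_RULES)
    print("unix traceroute, 4 rules:   ", unix_traceroute_last_hop(full))
    without_udp = Firewall(WAN_RULES[:3])
    print("unix traceroute, no udp rule:", unix_traceroute_last_hop(without_udp), without_udp.log)
    print("windows tracert, no udp rule:", windows_tracert_last_hop(without_udp))
    print("PMTUD, empty rule set:       ", pmtud_frag_needed(Firewall([])))
```

The model deliberately keeps the ICMP-error check ahead of the rule list, which is the point of cmb's reply: the first rule (`allow icmp unreach`) is not what keeps path MTU discovery alive for established flows, the state table is. What the explicit rules decide is only unsolicited traffic to the router itself, which is exactly the traceroute and ping case.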
 