You have to be very careful with ip unreachables - the same issue applies to blanket blocking of ICMP because it’s “best practice”.
The issue is CERTAIN types of “unreachables” do leak information, but other ICMP “types” (thinking Type 4 “packet too big”) need to be allowed to avoid running into nasty MTU issues.
I’m still fuzzy on the details of how all the commands interact, but the way we got around this was outbound (and inbound) extended ACLs separating “good” ICMP from bad.
Works really well, but one step away from Hayes AT codes in terms of black art voodoo.
Any chance you’d write a post on pulling all this together for us “hands on” guys?
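As an added illustration of the approach described above (not the commenter's configuration), here is a Cisco IOS example that suppresses router-generated unreachables on the interface while an extended ACL still permits the transit ICMP that Path MTU Discovery and diagnostics depend on and denies the rest. Interface and ACL names are assumed, and the trailing `permit ip any any` is a placeholder for the real traffic policy.

```cisco
! Interface level: stop this router from generating unreachables
! (the information-leak concern). This does not affect ICMP that
! transits the router; that is governed by the ACL below.
interface GigabitEthernet0/0
 no ip unreachables
 ip access-group ICMP-FILTER-IN in
 ipv6 traffic-filter ICMP6-FILTER-IN in
!
! IPv4: allow only the ICMP that PMTUD and troubleshooting need.
ip access-list extended ICMP-FILTER-IN
 remark Type 3 / Code 4 "fragmentation needed": required for Path MTU Discovery
 permit icmp any any packet-too-big
 remark Type 11: needed for traceroute and TTL diagnostics
 permit icmp any any time-exceeded
 remark Type 0: replies to our own outbound pings
 permit icmp any any echo-reply
 remark All other ICMP (redirects, other unreachables, inbound echo-request) is dropped and logged
 deny icmp any any log
 remark Placeholder: replace with the real policy for non-ICMP traffic
 permit ip any any
!
! IPv6: routers never fragment, so Packet Too Big (type 2) is mandatory,
! and Neighbor Discovery must be permitted explicitly once ICMP is denied.
ipv6 access-list ICMP6-FILTER-IN
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 permit icmp any any nd-ns
 permit icmp any any nd-na
 deny icmp any any log
 remark Placeholder: replace with the real policy for non-ICMP traffic
 permit ipv6 any any
```

Check the result with `show ip access-lists ICMP-FILTER-IN` and confirm that large transfers across a reduced-MTU path still complete; a stall there usually means the packet-too-big entry is missing or ordered after a deny.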