Hi,

>Using Checkpoint 4.1, what's the best [aka least painful] way to block ICMP
>traffic?  I'd like to disallow inbound ICMP yet allow ICMP to work within
>our DMZ.  I've tried disabling ICMP via the properties panel, it's a little
>too effective.  Can I make exceptions for DMZ traffic?

   You should first clarify a bit what you want; allowing or disallowing
 is not clear enough ... Do you want to allow/disallow people from pinging
 the systems in the DMZ and thus stop the DMZ systems from answering? Or is it
 the other way round?

    If it is the first case ... This should be disallowed by default, unless
 you have added a rule allowing the ICMP requests and replies; the services in 4.1
 were known as echo-request and echo-reply. Most of the time the best practice
 is to disable the implied rule, then add more specific rules in the Security
 Policy.

Met vriendelijke groeten - Bien à vous - Kind regards
Guy ROELANDTS
EMEA HPS Internet Expertise Centre - CCSE-NG
Hewlett-Packard Belgium B.V.B.A./S.P.R.L.
E-mail : [EMAIL PROTECTED]
Tel: +32(02)729.85.61
Fax: +32(02)729.77.65