Stala,

If 'match for any' for all of the ICMP pre-defined services is unchecked in the respective services' advanced tabs, and your global stateful inspection is unchecked as well, it is strange that the rule with 'any' services is still allowing traffic through. It is possible that you have some user-defined ICMP services (just to check in case it is defined?) which have 'match for any' selected.

If everything is as bewildering as you seem to have found, I would recommend going through the $FWDIR/conf/objects_5_0.C file, which has a property for each service, ':include_in_any', with 'true/false' flags. You will generally find that many simple services such as HTTP say ':include_in_any (true)' whereas SIP says ':include_in_any (false)', and there are a large number of complex services that are set to false by default. You may like to check the file for the flags set on ICMP services, and you can perhaps test in case there is some other service that is causing the ICMP to go through because of it being set to 'true' - maybe a bug?

hth,
Rajeev

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Stala
Sent: Monday, March 07, 2005 6:05 PM
To: [email protected]
Subject: Re: [FW-1] ICMP going through the any service

In SmartDashboard, set your view to objects list. In the objects tree, select services and then ICMP; it lists all ICMP services as No for match on any. I am under the impression that it is not supposed to match for any service.

----- Original Message -----
From: "Hill, Lindsay, VF-NZ" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Monday, March 07, 2005 3:04 PM
Subject: Re: [FW-1] ICMP going through the any service

Global properties just affects the implied rules - if you have it turned on, ICMP is allowed through via an implied rule. Turn on implied rules to see it. Effectively it's just another rule - it doesn't impact any rules that you might add yourself.

ICMP requests match for any, so of course it's going to be allowed through.

- LH

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[EMAIL PROTECTED] On Behalf Of Tom Stala
Sent: Tuesday, 8 March 2005 7:32 a.m.
To: [email protected]
Subject: [FW-1] ICMP going through the any service

I have a couple of firewalls that allow an ICMP request through under the any service.
like

my-net to this ip any-service accept

I am getting ICMP through this rule. Under global properties I have ICMP un-checked. I am running R55 hfa-8. Has anyone run across this before?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================
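The file check suggested in the thread (look at the ':include_in_any' flag of each service in objects_5_0.C), as an added example that is not part of the original messages. Only ':include_in_any' comes from the thread; the ':services' table layout, the ':type' and ':protocol' property names and the sample text are assumptions constructed for illustration.

```python
import re
# Constructed sample; the :services layout, :type values and :protocol are assumptions.
SAMPLE = """:services (
    : (http
        :type (Tcp)
        :include_in_any (true)
    )
    : (echo-request
        :type (Icmp)
        :include_in_any (false)
    )
    : (custom-ping
        :type (Icmp)
        :include_in_any (true)
    )
    : (raw-proto-1
        :type (Other)
        :protocol (1)
        :include_in_any (true)
    )
)"""

OBJ = re.compile(r'^\s*: \(([^\s()]+)\s*$')        # ": (name" opens one object
PROP = re.compile(r'^\s*:(\w+) \(([^()]*)\)\s*$')  # ":key (value)" on one line

def parse_services(text):
    """Return {service: {property: value}}, ignoring nested sub-blocks and other tables."""
    services, depth, block, cur, cur_depth = {}, 0, None, None, None
    for line in text.splitlines():
        if block is None and line.strip() == ':services (':
            block = depth                          # depth at which the table opens
        elif block is not None and cur is None and depth == block + 1 and (m := OBJ.match(line)):
            cur, cur_depth = services.setdefault(m[1], {}), depth
        elif cur is not None and depth == cur_depth + 1 and (m := PROP.match(line)):
            cur[m[1]] = m[2].strip('"')            # top-level property of this service
        depth += line.count('(') - line.count(')')
        if cur is not None and depth <= cur_depth:
            cur = None                             # service object closed
        if block is not None and depth <= block:
            block = None                           # :services table closed
    return services

def icmp_matched_by_any(services):
    """Services flagged include_in_any that are ICMP, or type Other on IP protocol 1."""
    return sorted(
        n for n, p in services.items()
        if p.get('include_in_any', '').lower() == 'true'
        and (p.get('type', '').lower() == 'icmp'
             or (p.get('type', '').lower() == 'other' and p.get('protocol') == '1')))
```

Run it against a copy of the file, for example `icmp_matched_by_any(parse_services(open(path).read()))`; any name it returns is a service that a rule with Service = Any would still match for ICMP.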
