> 3) It would be nice if Firewall-1 could pass ICMP traffic without
> decrementing the TTL,

Regarding your first post, about rewriting inspect for ICMP: "Disinformation" - if you just "correct" the TTL for ICMP? It's easy to try TCP with the same TTL (fails) and TTL+1 (works).

> Using the spare router idea, you don't even have to mess with TTL
> mechanisms and you get the benefit of some disinformation (which is
> always good.)

It's better to close external access to all routers, so they'll look like a firewall. Or let your firewall look like a router.
