Create an ICMP Service as follows:
Name: fragment-needed (or whatever you want to call it)
Comment: (whatever you want)
Match: ( icmp, icmp_type=3, icmp_code=4 )
Add in a rule that allows just this service and you should be right.
Regards,
Ken...
Lupinum Lupus <[EMAIL PROTECTED]>
Sent by: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]point.com>
To: [EMAIL PROTECTED]
Subject: [FW-1] ICMP and MTU path discovery
21/01/2002 20:35
Please respond to Mailing list for discussion of Firewall-1
Hello there,
I have a question about what ICMP types to let through the FW. To let hosts
from outside find out the MTU for a connection through our FW we have to
let some ICMP services pass through, especially ICMP type 3, code 4
(Fragmentation needed but DON'T FRAGMENT bit set). This one is needed to
let a host know it has to make its MTU size smaller for this connection.
In FW-1 4.1 the "ICMP-DEST-UNREACHABLE" service is defined. Am I correct in
assuming that this includes every type 3 ICMP packet, including:
3 Destination unreachable.
3 0 Net unreachable.
3 1 Host unreachable.
3 2 Protocol unreachable.
3 3 Port unreachable.
3 4 Fragmentation needed and DF set.
3 5 Source route failed.
If this is the case then:
Can I define a service for ICMP type 3, code 4 separately?
Is there any harm in letting every code of type 3 through?
Thanks in advance,
Lupinum, Netherlands
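As an added illustration of the exchange above (not code from either poster or from Check Point): the Python below builds and parses ICMP Destination Unreachable messages, applies a match equivalent to Ken's service definition ( icmp, icmp_type=3, icmp_code=4 ), and shows what a narrow rule passes that a type-3-only match would not distinguish. The "fragmentation needed" message carries the next-hop MTU in the low 16 bits of the header's fourth word (RFC 1191), which is the value the sending host uses to shrink its packets, so the parser pulls it out and verifies the RFC 1071 checksum. The sample quoted datagram head, the addresses (RFC 5737 documentation ranges) and the function names are constructed for this example; the type-3-only match is a generic "any code of type 3" check, not an assertion about how FW-1 defines ICMP-DEST-UNREACHABLE.

```python
import struct

# ICMP type 3 codes as listed in the question above.
DEST_UNREACHABLE = 3
DEST_UNREACHABLE_CODES = {
    0: "Net unreachable",
    1: "Host unreachable",
    2: "Protocol unreachable",
    3: "Port unreachable",
    4: "Fragmentation needed and DF set",
    5: "Source route failed",
}
FRAG_NEEDED = 4


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest_of_header: int, payload: bytes) -> bytes:
    """Assemble an ICMP message (8-byte header + payload) with a correct checksum."""
    unchecked = struct.pack("!BBHI", icmp_type, code, 0, rest_of_header) + payload
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHI", icmp_type, code, csum, rest_of_header) + payload


def build_fragment_needed(next_hop_mtu: int, original_datagram_head: bytes) -> bytes:
    """Type 3 code 4 per RFC 1191: upper 16 bits unused, lower 16 bits = next-hop MTU.
    The payload is the IP header plus first 8 bytes of the datagram that was too big."""
    return build_icmp(DEST_UNREACHABLE, FRAG_NEEDED, next_hop_mtu & 0xFFFF, original_datagram_head)


def parse_icmp(msg: bytes) -> dict:
    """Decode the ICMP header; report the next-hop MTU only for type 3 code 4."""
    if len(msg) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _csum, rest = struct.unpack("!BBHI", msg[:8])
    info = {
        "type": icmp_type,
        "code": code,
        "checksum_ok": icmp_checksum(msg) == 0,  # a valid message sums to zero
        "description": None,
        "next_hop_mtu": None,
    }
    if icmp_type == DEST_UNREACHABLE:
        info["description"] = DEST_UNREACHABLE_CODES.get(code, "Other/unassigned")
        if code == FRAG_NEEDED:
            info["next_hop_mtu"] = rest & 0xFFFF
    return info


def matches_fragment_needed_service(msg: bytes) -> bool:
    """Equivalent of Ken's service: ( icmp, icmp_type=3, icmp_code=4 )."""
    p = parse_icmp(msg)
    return p["type"] == DEST_UNREACHABLE and p["code"] == FRAG_NEEDED


def matches_any_dest_unreachable(msg: bytes) -> bool:
    """Hypothetical broader match: any code of ICMP type 3 (for comparison only)."""
    return parse_icmp(msg)["type"] == DEST_UNREACHABLE


# Constructed sample: IPv4 header (total length 1500, DF flag 0x4000 set, protocol TCP,
# header checksum left at 0) plus the first 8 bytes of a TCP segment to port 443,
# i.e. what a router quotes back in the ICMP payload.
ORIGINAL_HEAD = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0x00, 1500, 0x1234, 0x4000, 64, 6, 0,
    bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]),
) + struct.pack("!HHI", 40000, 443, 1)

if __name__ == "__main__":
    frag = build_fragment_needed(1400, ORIGINAL_HEAD)
    print(parse_icmp(frag))
    print("narrow rule passes frag-needed:", matches_fragment_needed_service(frag))
    port = build_icmp(DEST_UNREACHABLE, 3, 0, ORIGINAL_HEAD)
    print("narrow rule passes port-unreachable:", matches_fragment_needed_service(port))
```

Running the block shows the narrow match accepting only the type 3 / code 4 message (with its next-hop MTU of 1400) while rejecting a port-unreachable message of the same type, which is the distinction Ken's dedicated service gives over a type-wide match.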
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================