Hi
I'm afraid Checkpoint doesn't know what they're talking about: We run 4.0 SP5 on a
Nokia 440 and I still have to have the two rules you describe in the last part of your
posting. Using just the first rule drops the incoming echo-replies.
Unless I'm missing something there's still no stateful inspection going on for ICMP...
Cheers
Ralf
>>> Jason Witty <[EMAIL PROTECTED]> 23.06.2000 16.32 Uhr >>>
Tim,
I *just* spoke with a few of the Check Point guys about this last
night. I'm told that they finally fixed a problem with stateful ICMP
inspection with 4.0 SP3. So, if you're running 4.0 SP3 or greater you
should be able to do the following:
-----------------------------------------------------------
Source         Dest           Protocol        Action
-----------------------------------------------------------
Internal-Net   ANY            echo-request    accept
?tracert
-----------------------------------------------------------
That should allow your internal network to "ping" and trace to the
Internet, and do it statefully (so that it expects to see the ICMP
echo-replies and ICMP time-exceeded messages for trace). I have not
verified that this actually works as most of my remote firewall modules
are still at 4.0 SP2, but the CheckPoint guys say it should. If you're
not running SP3 or higher, then you could always do:
-----------------------------------------------------------
Source         Dest           Protocol        Action
-----------------------------------------------------------
Internal-Net   ANY            echo-request    accept
-----------------------------------------------------------
ANY            Internal-Net   echo-reply      accept
-----------------------------------------------------------
That would, of course, allow people to send unsolicited ICMP
echo-replies into your network, however (has the potential to set you up
for a nice DDoS, but it works for "outbound ping").
Mail me directly if you have further questions about this particular
thing.
Hope this helps!
Jason
http://www.wittys.com
http://www.securitystats.com
[EMAIL PROTECTED] wrote:
>
> Hi
>
> Is there a way to allow ICMP without using the Properties "Accept ICMP" -
> which allows everyone to use it ?
>
> I tried a couple of test rules for the 3 icmp protocols and one for ANY
> service - nothing seemed to work.
>
> TIA
>
> Tim Higgins
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
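As an added illustration of the two rule sets Jason describes (constructed for this thread, not Check Point code), the following Python model contrasts a single echo-request rule enforced with state tracking against the stateless one-rule and two-rule variants. The address prefix standing in for "Internal-Net" and the packet field names are assumptions.

```python
# Constructed model of stateful vs. stateless ICMP rules; not Check Point code.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

INTERNAL_NET = "10.1.0."  # assumed prefix standing in for "Internal-Net"

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    kind: str                        # "echo-request", "echo-reply" or "time-exceeded"
    ident: int = 0                   # echo identifier
    seq: int = 0                     # echo sequence number
    quoted: Optional["Icmp"] = None  # time-exceeded carries the original datagram

def internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_NET)

Key = Tuple[str, str, int, int]

class StatefulIcmp:
    """Rule 'Internal-Net ANY echo-request accept', enforced with state tracking."""
    def __init__(self) -> None:
        self.pending: Set[Key] = set()

    def accept(self, p: Icmp) -> bool:
        if p.kind == "echo-request" and internal(p.src):
            self.pending.add((p.src, p.dst, p.ident, p.seq))  # remember the probe
            return True
        if p.kind == "echo-reply":
            key: Key = (p.dst, p.src, p.ident, p.seq)         # reversed direction
        elif p.kind == "time-exceeded" and p.quoted is not None:
            q = p.quoted                                      # match on the quoted probe
            key = (q.src, q.dst, q.ident, q.seq)
        else:
            return False
        matched = key in self.pending
        self.pending.discard(key)                             # each probe is answered once
        return matched

def stateless_accept(p: Icmp, allow_inbound_replies: bool) -> bool:
    """Stateless rule 1 alone, or rules 1 and 2 ('ANY Internal-Net echo-reply accept')."""
    if p.kind == "echo-request" and internal(p.src):
        return True
    return allow_inbound_replies and p.kind == "echo-reply" and internal(p.dst)

def demo():
    req = Icmp("10.1.0.5", "198.51.100.9", "echo-request", ident=7, seq=1)
    rep = Icmp("198.51.100.9", "10.1.0.5", "echo-reply", ident=7, seq=1)
    stray = Icmp("203.0.113.77", "10.1.0.5", "echo-reply", ident=99, seq=3)  # unsolicited
    probe = Icmp("10.1.0.5", "198.51.100.9", "echo-request", ident=7, seq=2)
    ttl = Icmp("192.0.2.1", "10.1.0.5", "time-exceeded", quoted=probe)     # from a router
    fw = StatefulIcmp()
    stateful = [fw.accept(x) for x in (req, rep, stray, probe, ttl, rep)]
    one_rule = [stateless_accept(x, False) for x in (req, rep, stray)]
    two_rule = [stateless_accept(x, True) for x in (req, rep, stray, ttl)]
    return stateful, one_rule, two_rule
```

The stateful model admits only the reply and time-exceeded that answer a recorded probe and rejects the stray reply, whereas the two-rule set admits the stray reply (the exposure Jason mentions) and still drops the time-exceeded needed for trace.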