I found a problem caused by an external VPN (Cisco) that relates to this
service. An NT server behind the firewall was setting Don't Fragment on
packets, and when the Cisco (just outside my firewall) encrypted them the
new packet size was too large, so it returned icmp type-3 code-4, which the
firewall dropped. Drove me crazy since there were no drops between the two
endpoints so I wasn't seeing any problems. Once I found the problem, I
tried various icmp services until I found one that let the traffic through,
and the successful one was icmp-proto. I would also like to know what this
one really means so I can be sure it is letting only the necessary stuff
through.
hermit1
At 11:21 PM 6/22/00 +0000, D H wrote:
>Can anyone give me a hint about the predefined service icmp-proto?
>The match section has 1, and I'm not sure what that means (the match
>section for other predefined icmp services seems to match the "type"
>field). Does 1=TRUE so that any icmp packets are a match?
>
>In the end, I will probably go with PhoneBoy's suggestion to allow
>echo-request, traceroute outbound (to the Internet), and echo-reply,
>time-exceeded, dest-unreach inbound (from the Internet), but I just want
>to understand the options...
>
>-- DH
>________________________________
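The following is an added example, not code from the thread or from Check Point. It
models the two situations discussed above in plain Python: a router (the Cisco in the
post) receiving a Don't-Fragment packet that will not fit and answering with ICMP type 3
code 4, and a firewall classifying that answer under two rulebases: the narrow
echo-request / echo-reply / time-exceeded / dest-unreach policy from the quoted message, and
"icmp-proto" in both directions. Assumptions: "icmp-proto" is modelled as "any packet of
IP protocol 1, whatever the type or code" (the reading the question asks about; the actual
INSPECT match is not confirmed here); direction is judged by whether the source address
is in an assumed internal range 10.0.0.0/8; all addresses and packets are constructed test
input with checksums left at zero; the UDP-based traceroute service is not modelled.

```python
import ipaddress
import struct

ICMP_PROTO = 1                     # IP protocol number of ICMP
ECHO_REPLY, DEST_UNREACH, REDIRECT, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 5, 8, 11
FRAG_NEEDED = 4                    # DEST_UNREACH code: "fragmentation needed and DF set"
DF_FLAG = 0x4000                   # Don't Fragment bit in the IPv4 flags/fragment-offset field
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed address range behind the firewall

def build_ipv4(src, dst, proto, payload, df=False):
    """Constructed minimal IPv4 packet (20-byte header, no options, checksum left zero)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      DF_FLAG if df else 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def build_icmp(icmp_type, code, rest=b"\x00\x00\x00\x00", body=b""):
    """ICMP message: type, code, checksum (zero here), 4 type-specific bytes, optional body."""
    return struct.pack("!BBH", icmp_type, code, 0) + rest + body

def frag_needed_reply(router_ip, offending_pkt, next_hop_mtu):
    """What a router does with a DF packet that will not fit: ICMP type 3 code 4 back to the
    sender, carrying the next-hop MTU (RFC 1191) and the original IP header + 8 bytes."""
    src = str(ipaddress.IPv4Address(offending_pkt[12:16]))
    ihl = (offending_pkt[0] & 0x0F) * 4
    rest = struct.pack("!HH", 0, next_hop_mtu)
    return build_ipv4(router_ip, src, ICMP_PROTO,
                      build_icmp(DEST_UNREACH, FRAG_NEEDED, rest, offending_pkt[:ihl + 8]))

def parse(pkt):
    """Decode the fields a firewall rule needs: addresses, protocol, DF, ICMP type/code/MTU."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "df": bool(flags_frag & DF_FLAG)}
    if proto == ICMP_PROTO:
        icmp_type, code, _, _, mtu = struct.unpack("!BBHHH", pkt[ihl:ihl + 8])
        info.update(type=icmp_type, code=code)
        if icmp_type == DEST_UNREACH and code == FRAG_NEEDED:
            info["next_hop_mtu"] = mtu
    return info

# Service definitions. "icmp-proto" is modelled (assumption) as "this is IP protocol 1":
# any ICMP type and code. The others match on the ICMP type only, the way the other
# predefined ICMP services in the thread are described.
SERVICES = {
    "icmp-proto":    lambda i: i["proto"] == ICMP_PROTO,
    "echo-request":  lambda i: i.get("type") == ECHO_REQUEST,
    "echo-reply":    lambda i: i.get("type") == ECHO_REPLY,
    "time-exceeded": lambda i: i.get("type") == TIME_EXCEEDED,
    "dest-unreach":  lambda i: i.get("type") == DEST_UNREACH,
}

# Two rulebases: the narrow one from the quoted message, and "icmp-proto both ways".
NARROW_RULES = [("outbound", ["echo-request"]),
                ("inbound",  ["echo-reply", "time-exceeded", "dest-unreach"])]
WIDE_RULES = [("outbound", ["icmp-proto"]), ("inbound", ["icmp-proto"])]

def direction(info):
    return "outbound" if ipaddress.ip_address(info["src"]) in INTERNAL else "inbound"

def allowed(rules, pkt):
    """First-match rulebase over ICMP only, with an implicit drop at the end."""
    info = parse(pkt)
    if info["proto"] != ICMP_PROTO:
        return False
    for dir_, services in rules:
        if dir_ == direction(info) and any(SERVICES[s](info) for s in services):
            return True
    return False

# --- the scenario from the post, with constructed addresses ---
NT_SERVER, VPN_PEER, CISCO = "10.1.1.20", "198.51.100.7", "192.0.2.1"

# The NT server sends a 1400-byte TCP packet with DF set; once encrypted it no longer fits,
# so the router answers with type 3 code 4 and a next-hop MTU of 1400.
big_df_packet = build_ipv4(NT_SERVER, VPN_PEER, 6, b"\x00" * 1380, df=True)
frag_needed = frag_needed_reply(CISCO, big_df_packet, next_hop_mtu=1400)

# Something the narrow policy should refuse but icmp-proto lets in: an inbound ICMP redirect.
inbound_redirect = build_ipv4(CISCO, NT_SERVER, ICMP_PROTO, build_icmp(REDIRECT, 1))

if __name__ == "__main__":
    for name, pkt in [("frag-needed", frag_needed), ("redirect", inbound_redirect)]:
        info = parse(pkt)
        print(f"{name}: type={info['type']} code={info['code']} mtu={info.get('next_hop_mtu')} "
              f"narrow={allowed(NARROW_RULES, pkt)} icmp-proto={allowed(WIDE_RULES, pkt)}")
```

Run as-is it shows that the fragmentation-needed message is accepted by the narrow
policy through dest-unreach (so the black hole in the post is fixed without opening all of
ICMP), while an inbound redirect is refused by the narrow policy but accepted under
icmp-proto, which is the practical difference between the two services. The next_hop_mtu
field is the value the sending host needs to shrink its segments; if that ICMP never
arrives, a DF sender keeps retransmitting the same oversized packet and the connection
stalls with no drop logged between the endpoints.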
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================