I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful 
inspection of ICMP (which should work in version 4.0 according to phoneboy).

I want to allow only outbound ping (i.e. to the Internet), and as I 
understand it, it should work if the FW is configured as follows:
(1) The "Accept ICMP" property is enabled and "Last" (i.e. after my explicit 
drop rule)
(2) I allow outbound (to the Internet) services: echo-request

But, the replies are being dropped by the FW. As a workaround:
(3) I allow inbound (from the Internet) services: echo-reply, time-exceeded, 
dest-unreach.

Shouldn't it work without (3)?
If so, any ideas what it might be?

-- DH
