ICMP doesn't seem to be stateful in 4.1SP1 either, unless I'm hallucinating - I
too found that I had to explicitly add the echo-reply rule to get PINGs through.
I have Accept ICMP unchecked, as I don't want it going anywhere that I don't
explicitly define.  If you just want PINGs to go to the internet, why not set
the Accept ICMP property to "before last," applied outbound (or does that also
not work)?  I personally would strongly recommend against this, but it would
produce the desired effect.  Any other list folks had similar problems with
stateful ICMP (or have it working right)?

Dan Hitchcock
Network Engineer

"D H" <[EMAIL PROTECTED]> on 06/28/2000 10:00:31 AM

To:   [EMAIL PROTECTED]
cc:    (bcc: Dan Hitchcock/CSB)

Subject:  [FW1] Stateful inspection of icmp

I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful
inspection of ICMP (which should work in version 4.0 according to phoneboy).

I want to allow only outbound ping (i.e. to the Internet), and as I
understand it, it should work if the FW is configured as follows:
(1) The "Accept ICMP" property is enabled and "Last" (i.e. after my explicit
drop rule)
(2) I allow outbound (to the Internet) services: echo-request

But, the replies are being dropped by the FW. As a work-around:
(3) I allow inbound (from the Internet) services: echo-reply, time-exceeded,
dest-unreach.

Shouldn't it work without (3)?
If so, any ideas what it might be?

-- DH
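As an added illustration (my own model, not Check Point's INSPECT code or the poster's configuration): what a stateful ICMP engine has to remember for the scenario above, why echo-reply, time-exceeded and dest-unreach fall through to the drop rule when that tracking is absent, and what the blanket workaround (3) lets in. All addresses, identifiers and the `Firewall` class are constructed for the example.

```python
# Added example: minimal model of stateful ICMP matching (not vendor code).
from dataclasses import dataclass, field
from typing import Optional, Tuple

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

@dataclass
class Icmp:
    src: str
    dst: str
    kind: int                      # ICMP type
    ident: int = 0                 # echo identifier (echo types only)
    seq: int = 0                   # echo sequence number (echo types only)
    # Error types quote the IP header + 8 bytes of the packet that caused them;
    # simplified here to (src, dst, ident, seq) of the original echo-request.
    inner: Optional[Tuple[str, str, int, int]] = None

@dataclass
class Firewall:
    stateful_icmp: bool            # whether the engine tracks echo state
    internal: str = "10.0.0."      # constructed internal prefix
    explicit_inbound: set = field(default_factory=set)   # rule (3) in the post
    state: set = field(default_factory=set)              # outstanding echo-requests

    def _outbound(self, p: Icmp) -> bool:
        return p.src.startswith(self.internal) and not p.dst.startswith(self.internal)

    def filter(self, p: Icmp) -> str:
        if self._outbound(p) and p.kind == ECHO_REQUEST:            # rule (2)
            if self.stateful_icmp:
                self.state.add((p.src, p.dst, p.ident, p.seq))
            return "accept"
        if self.stateful_icmp:
            # reply is accepted only if it answers a request we saw leave
            if p.kind == ECHO_REPLY and (p.dst, p.src, p.ident, p.seq) in self.state:
                return "accept"
            # errors are accepted only if the quoted packet was our request
            if p.kind in (DEST_UNREACH, TIME_EXCEEDED) and p.inner in self.state:
                return "accept"
        if not self._outbound(p) and p.kind in self.explicit_inbound:  # rule (3)
            return "accept"
        return "drop"                                               # explicit drop rule

def demo(stateful: bool, explicit=()) -> list:
    """Run one request, its reply, a related TTL error and an unsolicited reply."""
    fw = Firewall(stateful_icmp=stateful, explicit_inbound=set(explicit))
    req = Icmp("10.0.0.5", "192.0.2.1", ECHO_REQUEST, ident=0x1234, seq=1)
    rep = Icmp("192.0.2.1", "10.0.0.5", ECHO_REPLY, ident=0x1234, seq=1)
    ttl = Icmp("198.51.100.9", "10.0.0.5", TIME_EXCEEDED, inner=("10.0.0.5", "192.0.2.1", 0x1234, 1))
    stray = Icmp("203.0.113.7", "10.0.0.5", ECHO_REPLY, ident=0x9999, seq=7)
    return [fw.filter(x) for x in (req, rep, ttl, stray)]
```

With tracking on, only the reply and error tied to the outbound request pass; with tracking off, the replies hit the drop rule exactly as the poster describes, and adding rule (3) fixes that but also admits the unsolicited reply.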


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================