All,
According to my sources at Check Point, 4.1 SP1 does support the
stateful inspection of TRACEROUTE, but they are unsure as to whether
standard echo-request/echo-reply pairing is truly stateful. They should
be getting back with me in the next week or so with verification on
that. If it isn't, I've put in a request (on behalf of several large
CHKP customers) to make it so. I'll let everyone know when I hear
something back. Hope this helps (at least a little)...
Jason
[EMAIL PROTECTED] wrote:
>
> ICMP doesn't seem to be stateful in 4.1SP1 either, unless I'm hallucinating - I
> too found that I had to explicitly add the echo-reply rule to get PINGs through.
> I have Accept ICMP unchecked, as I don't want it going anywhere that I don't
> explicitly define. If you just want PINGs to go to the internet, why not set
> the Accept ICMP property to "before last," applied outbound (or does that also
> not work)? I personally would strongly recommend against this, but it would
> produce the desired effect. Any other list folks had similar problems with
> stateful ICMP (or have it working right)?
>
> Dan Hitchcock
> Network Engineer
>
> "D H" <[EMAIL PROTECTED]> on 06/28/2000 10:00:31 AM
>
> To: [EMAIL PROTECTED]
> cc: (bcc: Dan Hitchcock/CSB)
>
> Subject: [FW1] Stateful inspection of icmp
>
> I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful
> inspection of ICMP (which should work in version 4.0 according to phoneboy).
>
> I want to allow only outbound ping (i.e. to the Internet), and as I
> understand it, it should work if the FW is configured as follows:
> (1) The "Accept ICMP" property is enabled and "Last" (i.e. after my explicit
> drop rule)
> (2) I allow outbound (to the Internet) services: echo-request
>
> But, the replies are being dropped by the FW. As a workaround:
> (3) I allow inbound (from the Internet) services: echo-reply, time-exceeded,
> dest-unreach.
>
> Shouldn't it work without (3)?
> If so, any ideas what it might be?
>
> -- DH
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
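For readers trying to picture what "stateful ICMP" has to mean for the rules discussed above, here is a small model of the pairing logic, written as an added example for this archive. It is not Check Point code and says nothing about how INSPECT actually implements it; the 10.0.0.0/24 "inside" network, the state-table key (source, destination, identifier, sequence) and the packets built in demo() are all constructed for illustration. An outbound echo-request creates an entry; an inbound echo-reply is accepted only if it reverses that entry; a time-exceeded or dest-unreach is accepted only if the datagram quoted inside it is one of our own pending echo-requests (which is what makes ICMP-based traceroute work without an explicit inbound rule).

```python
# Added example: toy stateful ICMP tracker modelling the echo-request/echo-reply
# and error-message pairing discussed in the thread. Not Check Point code.
import ipaddress
import struct

ICMP_PROTO = 1
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 datagram: no options, header checksum left at zero."""
    addr = lambda a: ipaddress.ip_address(a).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst))
    return hdr + payload


def build_icmp(icmp_type: int, word: bytes, data: bytes = b"") -> bytes:
    """type, code 0, checksum 0 (not verified here), 4-byte word, data.
    For echo types the word is ident+seq; for error types it is unused and
    the data is the offending datagram's IP header plus 8 payload bytes."""
    return struct.pack("!BBH", icmp_type, 0, 0) + word + data


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); raises ValueError if truncated."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    fmt = lambda b: str(ipaddress.ip_address(b))
    return fmt(pkt[12:16]), fmt(pkt[16:20]), pkt[9], pkt[ihl:]


class StatefulIcmp:
    """Policy: only outbound ping (and its replies/errors) is allowed."""

    def __init__(self, inside_net: str = "10.0.0.0/24"):   # assumed inside net
        self.inside = ipaddress.ip_network(inside_net)
        self.pending = set()   # (inside_src, dst, ident, seq) of outbound requests

    def _is_inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def _match(self, key) -> str:
        # A reply/error consumes its entry, so a second copy is dropped.
        if key in self.pending:
            self.pending.discard(key)
            return "accept"
        return "drop"

    def inspect(self, pkt: bytes) -> str:
        try:
            src, dst, proto, icmp = parse_ipv4(pkt)
        except ValueError:
            return "drop"
        if proto != ICMP_PROTO or len(icmp) < 8:
            return "drop"
        itype = icmp[0]
        if itype == ECHO_REQUEST and self._is_inside(src) and not self._is_inside(dst):
            ident, seq = struct.unpack("!HH", icmp[4:8])
            self.pending.add((src, dst, ident, seq))
            return "accept"
        if itype == ECHO_REPLY:
            ident, seq = struct.unpack("!HH", icmp[4:8])
            return self._match((dst, src, ident, seq))      # reversed 5-tuple
        if itype in (DEST_UNREACH, TIME_EXCEEDED):
            # The error quotes the original datagram after its 8-byte ICMP header.
            try:
                isrc, idst, iproto, iicmp = parse_ipv4(icmp[8:])
            except ValueError:
                return "drop"
            if iproto != ICMP_PROTO or len(iicmp) < 8 or iicmp[0] != ECHO_REQUEST:
                return "drop"
            ident, seq = struct.unpack("!HH", iicmp[4:8])
            return self._match((isrc, idst, ident, seq))    # our own probe?
        return "drop"   # inbound echo-request, unsolicited errors, anything else


def demo():
    """Constructed packets: outbound ping, its reply, a replayed reply, a stray
    reply, an ICMP-traceroute probe, the router's time-exceeded for it, and an
    inbound ping from the Internet. Returns the per-packet decisions."""
    fw = StatefulIcmp()
    word = struct.pack("!HH", 0x1234, 1)                        # ident 0x1234, seq 1
    req = build_ipv4("10.0.0.5", "198.51.100.7", ICMP_PROTO, build_icmp(ECHO_REQUEST, word, b"abcdefgh"))
    rep = build_ipv4("198.51.100.7", "10.0.0.5", ICMP_PROTO, build_icmp(ECHO_REPLY, word, b"abcdefgh"))
    stray = build_ipv4("198.51.100.7", "10.0.0.5", ICMP_PROTO, build_icmp(ECHO_REPLY, struct.pack("!HH", 0x1234, 2)))
    probe = build_ipv4("10.0.0.5", "198.51.100.7", ICMP_PROTO, build_icmp(ECHO_REQUEST, struct.pack("!HH", 0x1234, 3)))
    ttl_exp = build_ipv4("192.0.2.1", "10.0.0.5", ICMP_PROTO, build_icmp(TIME_EXCEEDED, b"\0\0\0\0", probe[:28]))
    inbound = build_ipv4("203.0.113.9", "10.0.0.5", ICMP_PROTO, build_icmp(ECHO_REQUEST, word))
    return [fw.inspect(p) for p in (req, rep, rep, stray, probe, ttl_exp, inbound)]


if __name__ == "__main__":
    print(demo())
```

Two caveats worth keeping in mind when comparing this with a real firewall: the model only tracks echo-requests, so the UDP-based traceroute used on most Unix systems would need the quoted UDP header matched against a UDP state entry instead, and it accepts each reply exactly once, which is stricter than most products. It also never inspects ICMP checksums, which a real implementation would do before trusting the quoted datagram.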