-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have found this too on Checkpoint 2000. Needs a rule to accept
icmp-echo reply to match an outgoing echo-request.

Jim

> 
> ICMP doesn't seem to be stateful in 4.1SP1 either, unless I'm
> hallucinating - I too found that I had to explicitly add the
> echo-reply rule to get PINGs through. I have Accept ICMP unchecked,
> as I don't want it going anywhere that I don't explicitly define.
> If you just want PINGs to go to the internet, why not set the
> Accept ICMP property to "before last," applied outbound (or does
> that also not work)?  I personally would strongly recommend against
> this, but it would produce the desired effect.  Any other list folks
> had similar problems with stateful ICMP (or have it working right)?
> 
> Dan Hitchcock
> Network Engineer
> 
> "D H" <[EMAIL PROTECTED]> on 06/28/2000 10:00:31 AM
> 
> To:   [EMAIL PROTECTED]
> cc:    (bcc: Dan Hitchcock/CSB)
> 
> Subject:  [FW1] Stateful inspection of icmp
> 
> I am using FW-1 v4.0 sp 3, and I'm having a problem with the
> stateful inspection of ICMP (which should work in version 4.0
> according to phoneboy).
> 
> I want to allow only outbound ping (i.e. to the Internet), and as I
> understand it, it should work if the FW is configured as follows:
> (1) The "Accept ICMP" property is enabled and "Last" (i.e. after my
> explicit drop rule)
> (2) I allow outbound (to the Internet) services: echo-request
> 
> But, the replies are being dropped by the FW. As a workaround:
> (3) I allow inbound (from the Internet) services: echo-reply,
> time-exceeded, dest-unreach.
> 
> Shouldn't it work without (3)?
> If so, any ideas what it might be?
> 
> -- DH
> 



======================================================================
==========
     To unsubscribe from this mailing list, please see the
instructions at
               http://www.checkpoint.com/services/mailing.html
======================================================================
==========







-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOVm+CtTl/xid+Ou9EQI2OACdF6DMcIsoyu2tQBl5YHu+g+IrbrYAniDj
ZgYrkc9LK/+g5VRycDcF7kCR
=ZvB4
-----END PGP SIGNATURE-----
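
An added illustration, not part of the original thread and not Check Point's own inspection code: a minimal Python model of the stateful ICMP behaviour the posters expected, where inbound echo-reply, time-exceeded and dest-unreach are accepted only when they match a recorded outbound echo-request. The class name, the 10-second timeout and the sample addresses are assumptions, and the packets are constructed.

```python
from dataclasses import dataclass, field

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # ICMP types

@dataclass
class IcmpStateTable:
    """Hypothetical model: one entry per outstanding outbound echo-request."""
    timeout: float = 10.0                        # assumed state lifetime, seconds
    pending: dict = field(default_factory=dict)  # (src, dst, id, seq) -> expiry

    def outbound(self, src, dst, icmp_type, ident, seq, now):
        # Policy from the thread: only echo-request may leave.
        if icmp_type != ECHO_REQUEST:
            return "drop"
        self.pending[(src, dst, ident, seq)] = now + self.timeout
        return "accept"

    def inbound(self, src, dst, icmp_type, now, ident=None, seq=None, quoted=None):
        # Expire stale entries so a late or replayed reply finds no state.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if icmp_type == ECHO_REPLY:
            # Must come from the pinged host, to the requester, same id/seq.
            # The entry is consumed, so a duplicate reply is dropped.
            hit = self.pending.pop((dst, src, ident, seq), None)
            return "accept" if hit is not None else "drop"
        if icmp_type in (DEST_UNREACH, TIME_EXCEEDED) and quoted is not None:
            # Errors may come from any router on the path; match on the quoted
            # original header (src, dst, id, seq) carried in the ICMP error body.
            return "accept" if quoted[0] == dst and quoted in self.pending else "drop"
        return "drop"

def demo():
    """Constructed packets (documentation addresses); returns the verdicts."""
    fw, inside, target, router = IcmpStateTable(), "10.0.0.5", "198.51.100.7", "203.0.113.1"
    return [
        fw.outbound(inside, target, ECHO_REQUEST, 42, 1, now=0.0),
        fw.inbound(target, inside, ECHO_REPLY, 1.0, 42, 1),       # matching reply
        fw.inbound(target, inside, ECHO_REPLY, 1.1, 42, 1),       # duplicate
        fw.inbound(router, inside, ECHO_REPLY, 1.2, 42, 1),       # unsolicited
        fw.outbound(inside, target, ECHO_REQUEST, 42, 2, now=2.0),
        fw.inbound(router, inside, TIME_EXCEEDED, 2.5, quoted=(inside, target, 42, 2)),
        fw.inbound(router, inside, DEST_UNREACH, 20.0, quoted=(inside, target, 42, 2)),
    ]

if __name__ == "__main__":
    print(demo())
```

With state tracked this way, the explicit inbound rule in step (3) of the question is unnecessary, and unsolicited or expired ICMP is dropped by default.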

