I had similar problems on 4.1 SP4 and someone kindly posted a suggestion
which worked for me:-

1. Add Accept ICMP as Last rule (after cleanup rule - effectively a 'dummy'
rule) - apparently needed due to 'bug' in 4.0

2. Create groups containing allowable sites to ping/trace and internal
stations allowed to ping/trace out

3. Add new rule to allow outbound Echo-Request and Traceroute to new group

4. Add new rule to allow inbound Echo-Reply, Time-Exceeded and Dest-unreach


Tim Higgins

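The behaviour the three posters are circling around, as an added example in Python (not Check Point code and not part of any of the posts): a toy first-match rulebase with an optional ICMP state table. It runs the rules from the thread (outbound echo-request accepted, cleanup drop last, and optionally the inbound echo-reply / time-exceeded / dest-unreach rule) over a constructed ping exchange and shows why the inbound rule is only needed when the filter keeps no state for outbound echo-requests. The protected network (10.0.0.0/8), the addresses (documentation ranges) and all packet fields are assumptions made for the example.

```python
"""Toy model of a first-match ICMP rulebase with and without state tracking.

Added example, not Check Point code. Assumptions: 10.0.0.0/8 is the protected
network; every other address is a documentation range; packet fields are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Optional

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    icmp_type: int
    ident: int = 0                 # echo identifier / sequence (types 0 and 8 only)
    seq: int = 0
    inner: Optional["Pkt"] = None  # types 3/11 quote the header of the packet that caused them


def direction(p: Pkt) -> str:
    return "out" if p.src.startswith("10.") else "in"   # assumed: 10/8 is inside


# A rule is (direction, set of ICMP types or None for any, action); first match wins.
OUTBOUND_ECHO = ("out", {ECHO_REQUEST}, "accept")
WORKAROUND_INBOUND = ("in", {ECHO_REPLY, TIME_EXCEEDED, DEST_UNREACH}, "accept")
CLEANUP = ("any", None, "drop")


@dataclass
class Firewall:
    rules: list
    stateful: bool = False
    table: set = field(default_factory=set)   # (src, dst, ident, seq) of accepted echo-requests

    def _state_key(self, p: Pkt):
        """Key under which the request this packet answers would be recorded, or None."""
        if p.icmp_type == ECHO_REPLY:
            return (p.dst, p.src, p.ident, p.seq)            # a reply reverses src/dst
        if p.icmp_type in (DEST_UNREACH, TIME_EXCEEDED) and p.inner is not None:
            i = p.inner                                      # the error carries the original request
            return (i.src, i.dst, i.ident, i.seq)
        return None

    def filter(self, p: Pkt) -> str:
        if self.stateful and self._state_key(p) in self.table:
            return "accept(state)"                           # answer to a tracked request
        for d, types, action in self.rules:
            if d in ("any", direction(p)) and (types is None or p.icmp_type in types):
                if action == "accept" and self.stateful and p.icmp_type == ECHO_REQUEST:
                    self.table.add((p.src, p.dst, p.ident, p.seq))
                return action
        return "drop"                                        # implicit drop: no rule matched


def sample_traffic():
    """Constructed packets: one ping and its answers, plus unsolicited inbound ICMP."""
    req = Pkt("10.1.1.5", "198.51.100.7", ECHO_REQUEST, ident=0x1234, seq=1)
    return [
        ("outbound echo-request", req),
        ("matching echo-reply", Pkt("198.51.100.7", "10.1.1.5", ECHO_REPLY, ident=0x1234, seq=1)),
        ("time-exceeded from a hop", Pkt("192.0.2.1", "10.1.1.5", TIME_EXCEEDED, inner=req)),
        ("unsolicited echo-reply", Pkt("203.0.113.9", "10.1.1.5", ECHO_REPLY, ident=0x9999, seq=7)),
        ("inbound echo-request", Pkt("203.0.113.9", "10.1.1.5", ECHO_REQUEST, ident=1, seq=1)),
    ]


def run(rules, stateful: bool) -> dict:
    """Push the sample traffic through one rulebase; returns {packet name: verdict}."""
    fw = Firewall(rules=list(rules), stateful=stateful)
    return {name: fw.filter(p) for name, p in sample_traffic()}


if __name__ == "__main__":
    for label, rules, stateful in [
        ("stateless, no inbound rule", [OUTBOUND_ECHO, CLEANUP], False),
        ("stateless + inbound workaround", [OUTBOUND_ECHO, WORKAROUND_INBOUND, CLEANUP], False),
        ("stateful, no inbound rule", [OUTBOUND_ECHO, CLEANUP], True),
    ]:
        print(label)
        for name, verdict in run(rules, stateful).items():
            print(f"  {name:28} {verdict}")
```

In the model, the stateless rulebase without the inbound rule drops the echo-reply and the time-exceeded, which is the symptom the thread describes. Adding the inbound rule fixes that, but in the model it also admits an echo-reply nobody asked for, because a plain rule cannot tell a solicited reply from an unsolicited one; the stateful variant accepts only answers whose reversed (src, dst, ident, seq), or the request header quoted inside the ICMP error, matches a recorded outbound echo-request. That is the property the posters expected the Accept ICMP setting to provide.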

From: [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED] kpoint.com
Date: 28/06/00 18:12
To: "D H" <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Stateful inspection of icmp

ICMP doesn't seem to be stateful in 4.1SP1 either, unless I'm hallucinating - I
too found that I had to explicitly add the echo-reply rule to get PINGs through.
I have Accept ICMP unchecked, as I don't want it going anywhere that I don't
explicitly define.  If you just want PINGs to go to the internet, why not set
the Accept ICMP property to "before last," applied outbound (or does that also
not work)?  I personally would strongly recommend against this, but it would
produce the desired effect.  Any other list folks had similar problems with
stateful ICMP (or have it working right)?

Dan Hitchcock
Network Engineer
"D H" <[EMAIL PROTECTED]> on 06/28/2000 10:00:31 AM

To:   [EMAIL PROTECTED]
cc:    (bcc: Dan Hitchcock/CSB)

Subject:  [FW1] Stateful inspection of icmp
I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful
inspection of ICMP (which should work in version 4.0 according to
phoneboy).

I want to allow only outbound ping (i.e. to the Internet), and as I
understand it, it should work if the FW is configured as follows:
(1) The "Accept ICMP" property is enabled and "Last" (i.e. after my explicit
drop rule)
(2) I allow outbound (to the Internet) services: echo-request

But, the replies are being dropped by the FW. As a work-around:
(3) I allow inbound (from the Internet) services: echo-reply, time-exceeded,
dest-unreach.

Shouldn't it work without (3)?
If so, any ideas what it might be?

-- DH

================================================================================

     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================