Actually, in v 4.1, you can now log the implied rules created by the
properties screen. Makes life a lot easier.
Cheers
Simon Hornby
>From: "THELLIER, Francis (Kedros)" <[EMAIL PROTECTED]>
>To: "'[EMAIL PROTECTED]'"
><[EMAIL PROTECTED]>, D H <[EMAIL PROTECTED]>
>CC: [EMAIL PROTECTED]
>Subject: RE: [FW1] Stateful inspection of icmp
>Date: Thu, 29 Jun 2000 10:28:12 +0200
>
>
>One of the problems with accepting ICMP from properties (and not in rules) is
>that you won't log it!
>I prefer to log all my traffic, so I've put in rules (echo-request/echo-reply)
>for allowing ICMP.
>
> > Francis THELLIER
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [SMTP:[EMAIL PROTECTED]]
> > Date: Wednesday, 28 June 2000 20:13
> > To: D H
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: [FW1] Stateful inspection of icmp
> >
> >
> >
> >
> > ICMP doesn't seem to be stateful in 4.1SP1 either, unless I'm
> > hallucinating - I too found that I had to explicitly add the echo-reply
> > rule to get PINGs through.
> > I have Accept ICMP unchecked, as I don't want it going anywhere that I
> > don't explicitly define. If you just want PINGs to go to the internet, why
> > not set the Accept ICMP property to "before last," applied outbound (or
> > does that also not work)? I personally would strongly recommend against
> > this, but it would produce the desired effect. Any other list folks had
> > similar problems with stateful ICMP (or have it working right)?
> >
> > Dan Hitchcock
> > Network Engineer
> >
> >
> >
> >
> >
> > "D H" <[EMAIL PROTECTED]> on 06/28/2000 10:00:31 AM
> >
> > To: [EMAIL PROTECTED]
> > cc: (bcc: Dan Hitchcock/CSB)
> >
> > Subject: [FW1] Stateful inspection of icmp
> >
> >
> >
> >
> >
> > I am using FW-1 v4.0 SP3, and I'm having a problem with the stateful
> > inspection of ICMP (which should work in version 4.0 according to
> > phoneboy).
> >
> > I want to allow only outbound ping (i.e. to the Internet), and as I
> > understand it, it should work if the FW is configured as follows:
> > (1) The "Accept ICMP" property is enabled and "Last" (i.e. after my
> > explicit drop rule)
> > (2) I allow outbound (to the Internet) services: echo-request
> >
> > But the replies are being dropped by the FW. As a workaround:
> > (3) I allow inbound (from the Internet) services: echo-reply,
> > time-exceeded, dest-unreach.
> >
> > Shouldn't it work without (3)?
> > If so, any ideas what it might be?
> >
> > -- DH
> >
> > ________________________________________________________________________
> > Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com
> >
> >
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
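To make concrete what the posters mean by "stateful inspection of ICMP", here is a toy filter that models the behaviour they expected, written for this page as an added example; it is not code from the thread and says nothing about how Check Point's INSPECT engine actually implements the Accept ICMP property. The rule base is DH's: allow outbound echo-request, drop everything else. In stateful mode the filter records each outgoing echo-request and admits only the echo-reply (matched on swapped addresses plus identifier/sequence) or the ICMP error (matched on the original header that RFC 792 requires an error message to carry, since a time-exceeded comes from an intermediate router, not from the ping target) that answers it. In stateless mode the same traffic is dropped, which is why DH needed workaround rule (3). The inside network, addresses, identifiers and the `Icmp`/`IcmpFilter`/`run_scenario` names are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# ICMP type numbers from RFC 792 (only the ones the thread mentions).
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ERROR_TYPES = {DEST_UNREACH, TIME_EXCEEDED}

# Assumption: the protected network behind the firewall's inside interface.
INSIDE = ip_network("10.1.1.0/24")


@dataclass(frozen=True)
class Icmp:
    """The fields a filter needs from one ICMP datagram (constructed model)."""
    src: str
    dst: str
    type: int
    ident: int = 0   # echo identifier; unused for error messages
    seq: int = 0     # echo sequence number
    # For error messages: the IP header plus first 8 bytes of the datagram that
    # caused the error (RFC 792), enough to recover the original echo's
    # src, dst, ident and seq.
    inner: Optional[Icmp] = None


def is_inside(ip: str) -> bool:
    return ip_address(ip) in INSIDE


class IcmpFilter:
    """Rule base: (1) allow outbound echo-request, (2) drop everything else.

    With stateful=True the filter also tracks outstanding echo requests and
    admits the echo-reply or ICMP error that answers one.  With
    stateful=False only the explicit rules apply, so replies are dropped
    unless an inbound echo-reply rule is added.
    """

    def __init__(self, stateful: bool) -> None:
        self.stateful = stateful
        self.pending: set[tuple[str, str, int, int]] = set()

    def allow(self, pkt: Icmp) -> bool:
        # Rule 1: outbound echo-request from the inside network.
        if pkt.type == ECHO_REQUEST and is_inside(pkt.src) and not is_inside(pkt.dst):
            if self.stateful:
                self.pending.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return True

        if self.stateful:
            # Echo-reply answers a request when src/dst are swapped and
            # ident/seq match.  Consume the entry so a replayed reply is dropped.
            if pkt.type == ECHO_REPLY:
                key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
                if key in self.pending:
                    self.pending.discard(key)
                    return True
            # ICMP error: the sender is usually a router on the path, not the
            # ping target, so match on the embedded original header instead.
            if pkt.type in ERROR_TYPES and pkt.inner is not None:
                key = (pkt.inner.src, pkt.inner.dst, pkt.inner.ident, pkt.inner.seq)
                if key in self.pending:
                    return True

        # Rule 2 (explicit drop): everything else, including inbound pings.
        return False


def run_scenario(stateful: bool) -> list[bool]:
    """Constructed traffic: one ping out, its answers coming back, and two
    packets that must stay blocked in either mode."""
    fw = IcmpFilter(stateful)
    request = Icmp("10.1.1.5", "198.51.100.7", ECHO_REQUEST, ident=0x1234, seq=1)
    ttl_expired = Icmp("203.0.113.1", "10.1.1.5", TIME_EXCEEDED, inner=request)
    reply = Icmp("198.51.100.7", "10.1.1.5", ECHO_REPLY, ident=0x1234, seq=1)
    unsolicited = Icmp("198.51.100.9", "10.1.1.5", ECHO_REPLY, ident=0x1234, seq=1)
    inbound_ping = Icmp("198.51.100.7", "10.1.1.5", ECHO_REQUEST, ident=7, seq=1)
    return [fw.allow(p) for p in (request, ttl_expired, reply, unsolicited, inbound_ping)]


if __name__ == "__main__":
    print("stateful :", run_scenario(True))    # [True, True, True, False, False]
    print("stateless:", run_scenario(False))   # [True, False, False, False, False]
```

The interesting row is the third packet in stateless mode: the legitimate echo-reply is dropped by rule 2 because nothing ties it to the request that went out, exactly the symptom in the thread. Note also that the stateful table only helps for traffic that passed rule 1 first, so the "Accept ICMP" property being placed Last in the rule base does not matter to this model; the ordering question the posters raise is about where the implied rule sits relative to an explicit drop, not about the state table.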