As far as I understand the "stateful ICMP" it prevents for example an echo-reply coming through your Firewall when there hasn't been an echo-request to the same host. Nevertheless you have to allow the replies coming through.

Correct me if I'm wrong.

regards,

Axel Hoffmann
System Engineer
----------------------------------------------------------------------
Eckmann Datentechnik Netzwerkservice
Telindus GmbH
Sylvesterallee 2
D-22525 Hamburg
----------------------------------------------------------------------
Email: [EMAIL PROTECTED]
Tel: (+49) 40 54706 195
Fax: (+49) 40 54706 111
----------------------------------------------------------------------
Please visit our websites
http://www.eckmann.de
http://www.telindus.de
----------------------------------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of THELLIER, Francis (Kedros)
Sent: Thursday, 29 June 2000 10:31
To: 'D H'; [EMAIL PROTECTED]
Subject: RE: [FW1] Stateful inspection of icmp

Yes, it should work with (2) and (3), but why enable ICMP from properties if you use rules?

> Francis THELLIER
>
> -----Original Message-----
> From: D H [SMTP:[EMAIL PROTECTED]]
> Date: Wednesday, 28 June 2000 19:01
> To: [EMAIL PROTECTED]
> Subject: [FW1] Stateful inspection of icmp
>
> I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful
> inspection of ICMP (which should work in version 4.0 according to
> phoneboy).
>
> I want to allow only outbound ping (i.e. to the Internet), and as I
> understand it, it should work if the FW is configured as follows:
> (1) The "Accept ICMP" property is enabled and "Last" (i.e. after my
>     explicit drop rule)
> (2) I allow outbound (to the Internet) services: echo-request
>
> But, the replies are being dropped by the FW. As a workaround:
> (3) I allow inbound (from the Internet) services: echo-reply,
>     time-exceeded, dest-unreach.
>
> Shouldn't it work without (3)?
> If so, any ideas what it might be?
>
> -- DH

================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
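
The matching discussed in this thread, as an added example that is not part of the original messages and is not FireWall-1's own code: a generic model of stateful ICMP in which an inbound echo-reply, time-exceeded or dest-unreach is accepted only if it answers a pending outbound echo-request. The class name, the 30-second timeout and the packet dictionaries are assumptions, and the addresses are constructed documentation ranges.

```python
# Generic model of stateful ICMP matching; not FireWall-1's actual implementation.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11  # ICMP types

class IcmpStateTable:
    def __init__(self, timeout=30):            # seconds; assumed value
        self.timeout = timeout
        self.pending = {}                       # (inside, outside, id, seq) -> expiry

    def outbound(self, pkt, now):
        """Inside -> Internet: only echo-request leaves, and it creates state."""
        if pkt["type"] != ECHO_REQUEST:
            return "drop"
        self.pending[(pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])] = now + self.timeout
        return "accept"

    def inbound(self, pkt, now):
        """Internet -> inside: accept only answers to a pending echo-request."""
        if pkt["type"] == ECHO_REPLY:
            key = (pkt["dst"], pkt["src"], pkt["id"], pkt["seq"])
        elif pkt["type"] in (DEST_UNREACH, TIME_EXCEEDED):
            # Errors can come from any router, so match on the quoted original packet.
            q = pkt.get("quoted")
            if not q or q["type"] != ECHO_REQUEST or q["src"] != pkt["dst"]:
                return "drop"
            key = (q["src"], q["dst"], q["id"], q["seq"])
        else:
            return "drop"                       # e.g. inbound echo-request
        expiry = self.pending.pop(key, None)    # one answer per request
        return "accept" if expiry is not None and now <= expiry else "drop"

def demo():
    """Run constructed packets through the table and return the verdicts."""
    fw = IcmpStateTable()
    req1 = {"type": ECHO_REQUEST, "src": "192.0.2.10", "dst": "198.51.100.7", "id": 1, "seq": 1}
    req2 = dict(req1, dst="203.0.113.9", seq=2)
    reply1 = {"type": ECHO_REPLY, "src": "198.51.100.7", "dst": "192.0.2.10", "id": 1, "seq": 1}
    ttl_err = {"type": TIME_EXCEEDED, "src": "203.0.113.1", "dst": "192.0.2.10", "quoted": req2}
    return [
        fw.inbound(reply1, now=0),               # unsolicited echo-reply
        fw.outbound(req1, now=1),                # ping leaves, state created
        fw.inbound(reply1, now=2),               # matching echo-reply
        fw.inbound(reply1, now=3),               # same reply again, state already used
        fw.outbound(req2, now=4),
        fw.inbound(ttl_err, now=5),              # time-exceeded from a router on the path
        fw.outbound(dict(req1, seq=3), now=6),
        fw.inbound(dict(reply1, seq=3), now=60), # reply after the state timed out
        fw.inbound(dict(req1, src="198.51.100.7", dst="192.0.2.10"), now=61),  # inbound ping
    ]

if __name__ == "__main__":
    print(demo())
```
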
