Dear hermit1,

the ICMP type 3 code 4 means destination unreachable - fragmentation needed. 
It is covered by the ICMP service named "ICMP dest-unreach" in FW-1's services 
table, and is defined by "define ICMP_UNREACH 0x3" in $FWDIR/lib/tcpip.def. 
"icmp-proto" is definitely more than you want to let go through...

Hans


At 10:08 26.06.00 -0700, hermit1 wrote:

>I found a problem caused by an external VPN (Cisco) that relates to this service.  An 
>NT server behind the firewall was setting Don't Fragment on packets, and when the 
>Cisco (just outside my firewall) encrypted them the new packet size was too large, so 
>it returned icmp type-3 code-4, which the firewall dropped.  Drove me crazy since 
>there were no drops between the two endpoints so I wasn't seeing any problems.  Once 
>I found the problem, I tried various icmp services until I found one that let the 
>traffic through, and the successful one was icmp proto.  I would also like to know 
>what this one really means so I can be sure it is letting only the necessary stuff 
>through.
>
>hermit1
>
>At 11:21 PM 6/22/00 +0000, D H wrote:
>
>>Can anyone give me a hint about the predefined service icmp-proto?
>>The match section has 1, and I'm not sure what that means (the match section for 
>>other predefined icmp services seems to match the "type" field). Does 1=TRUE so 
>>that any icmp packets are a match?
>>
>>In the end, I will probably go with PhoneBoy's suggestion to allow echo-request, 
>>traceroute outbound (to the Internet), and echo-reply, time-exceeded, dest-unreach 
>>inbound (from the Internet), but I just want to understand the options...
>>
>>-- DH
>>________________________________
>
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================
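The two services discussed above, "icmp-proto" (match section 1, i.e. any ICMP packet) and "ICMP dest-unreach" (ICMP type 0x3 as in tcpip.def), decoded over a constructed type 3 code 4 packet. This is an added example, not code from any poster or from Check Point: the addresses, the next-hop MTU of 1400 and the flow-table sanity check are assumptions for illustration, and the packets are built inline rather than captured.

```python
import struct
from ipaddress import IPv4Address

# Values as in FW-1's $FWDIR/lib/tcpip.def ("define ICMP_UNREACH 0x3");
# the code and the echo type come from RFC 792 / RFC 1191.
ICMP_UNREACH = 0x3
ICMP_UNREACH_NEEDFRAG = 4   # destination unreachable - fragmentation needed
ICMP_ECHO = 8
IPPROTO_ICMP = 1


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (zero-padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, df=False):
    """Minimal 20-byte IPv4 header; df=True sets Don't Fragment (0x4000)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0,
                      0x4000 if df else 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_message(icmp_type, code, rest, body):
    """type, code, checksum, 4 'rest of header' bytes, then the body."""
    msg = struct.pack("!BB", icmp_type, code) + b"\x00\x00" + rest + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]


def frag_needed(router, host, next_hop_mtu, offending):
    """Type 3 code 4 as a router returns it: rest = 2 unused bytes + next-hop
    MTU, body = IP header + first 8 bytes of the too-big datagram (RFC 1191)."""
    icmp = icmp_message(ICMP_UNREACH, ICMP_UNREACH_NEEDFRAG,
                        struct.pack("!HH", 0, next_hop_mtu), offending[:28])
    return ipv4_header(router, host, IPPROTO_ICMP, len(icmp)) + icmp


def echo_request(src, dst):
    icmp = icmp_message(ICMP_ECHO, 0, struct.pack("!HH", 1, 1), b"ping")
    return ipv4_header(src, dst, IPPROTO_ICMP, len(icmp)) + icmp


def parse_icmp(pkt):
    """(type, code, next_hop_mtu, embedded_datagram) or None if not ICMP.
    mtu/embedded are None unless the message is a type 3 error (code 4 for mtu)."""
    if pkt[9] != IPPROTO_ICMP:
        return None
    icmp = pkt[(pkt[0] & 0x0F) * 4:]
    if checksum(icmp) != 0:            # a valid message verifies to zero
        raise ValueError("bad ICMP checksum")
    icmp_type, code, mtu, inner = icmp[0], icmp[1], None, None
    if icmp_type == ICMP_UNREACH:
        inner = icmp[8:]
        if code == ICMP_UNREACH_NEEDFRAG:
            mtu = struct.unpack("!H", icmp[6:8])[0]
    return icmp_type, code, mtu, inner


def match_icmp_proto(pkt):
    """'icmp-proto': match section is 1, so every ICMP packet matches."""
    return pkt[9] == IPPROTO_ICMP


def match_dest_unreach(pkt):
    """'ICMP dest-unreach': ICMP with type == ICMP_UNREACH, whatever the code."""
    parsed = parse_icmp(pkt)
    return parsed is not None and parsed[0] == ICMP_UNREACH


def relates_to_flow(pkt, flows):
    """Sanity check of my own (not an FW-1 feature): the datagram quoted inside a
    type 3 message must match an outbound flow an inside host really sent."""
    parsed = parse_icmp(pkt)
    if parsed is None or parsed[3] is None or len(parsed[3]) < 20:
        return False
    inner = parsed[3]
    return (str(IPv4Address(inner[12:16])), str(IPv4Address(inner[16:20])),
            inner[9]) in flows


# Constructed scenario from the thread: the NT server 192.0.2.10 sends a DF-marked
# TCP segment to 198.51.100.7; the VPN router 203.0.113.1 replies type 3 code 4.
# Only the header and first 8 bytes of the too-big segment are built.
OUTBOUND_FLOWS = {("192.0.2.10", "198.51.100.7", 6)}
TOO_BIG = ipv4_header("192.0.2.10", "198.51.100.7", 6, 1480, df=True) + \
    struct.pack("!HHI", 1025, 80, 1)
FRAG_NEEDED = frag_needed("203.0.113.1", "192.0.2.10", 1400, TOO_BIG)
STRAY_ECHO = echo_request("203.0.113.1", "192.0.2.10")
```

Running `parse_icmp(FRAG_NEEDED)` gives type 3, code 4 and a next-hop MTU of 1400, and both predicates accept it; the stray echo request is accepted by `match_icmp_proto` but not by `match_dest_unreach`, which is the difference between the two services that Hans points at. The flow check is what a stateful filter would add on top of the type match, since a type 3 error that quotes a datagram nobody inside sent has no business being let in.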


