The implication is that all icmp type 3 packets are included in the ICMP
dest-unreach service. I would like finer control, but I suppose to do that
I would have to define the service myself and I want to avoid doing
that. Now I don't see any of the traffic that caused the problem to begin
with so I can't test it. I think they fixed their NT servers so they no
longer set the Don't Fragment bit, which means I don't need this service
any longer (until they or someone else repeats the bad configuration).
So what does icmp-proto actually cover? Anyone know?
hermit1
At 05:55 PM 6/30/00 +0200, Hans Schaechl wrote:
>Dear hermit1,
>
>the ICMP type 3 code 4 means destination unreachable - fragmentation needed.
>It is covered by the ICMP service named "ICMP dest-unreach" in FW-1's
>services table, and is defined by "define ICMP_UNREACH 0x3" in
>$FWDIR/lib/tcpip.def.
>"icmp-proto" is definitely more than you want to let go through...
>
>Hans
>
>
>At 10:08 26.06.00 -0700, hermit1 wrote:
>
> >I found a problem caused by an external VPN (Cisco) that relates to this
> >service. An NT server behind the firewall was setting Don't Fragment on
> >packets, and when the Cisco (just outside my firewall) encrypted them the
> >new packet size was too large, so it returned icmp type-3 code-4, which
> >the firewall dropped. Drove me crazy since there were no drops between
> >the two endpoints so I wasn't seeing any problems. Once I found the
> >problem, I tried various icmp services until I found one that let the
> >traffic through, and the successful one was icmp proto. I would also
> >like to know what this one really means so I can be sure it is letting
> >only the necessary stuff through.
> >
> >hermit1
> >
> >At 11:21 PM 6/22/00 +0000, D H wrote:
> >
> >>Can anyone give me a hint about the predefined service icmp-proto?
> >>The match section has 1, and I'm not sure what that means (the match
> >>section for other predefined icmp services seems to match the "type"
> >>field). Does 1=TRUE so that any icmp packets are a match?
> >>
> >>In the end, I will probably go with PhoneBoy's suggestion to allow
> >>echo-request, traceroute outbound (to the Internet), and echo-reply,
> >>time-exceeded, dest-unreach inbound (from the Internet), but I just want
> >>to understand the options...
> >>
> >>-- DH
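The three candidate rules discussed in this thread (icmp-proto, "ICMP dest-unreach", and the narrower type 3 code 4 match hermit1 wanted but did not want to define by hand), as an added illustration that is not part of the thread or of FW-1's own service definitions. It assumes, as the thread implies but does not confirm, that a match of "1" on icmp-proto means every ICMP packet matches; the sample packets are constructed, and the checksum is not validated.

```python
import struct

# ICMP header (RFC 792): type, code, checksum, then 4 bytes whose meaning
# depends on type/code. For type 3 code 4 (RFC 1191) the last two of those
# bytes carry the next-hop MTU the sender could not exceed.
ICMP_UNREACH = 0x3          # same value as "define ICMP_UNREACH 0x3" in tcpip.def
ICMP_UNREACH_NEEDFRAG = 4   # code 4: fragmentation needed and DF set

def parse_icmp(payload: bytes) -> dict:
    """Parse the 8-byte ICMP header; add next_hop_mtu for frag-needed reports."""
    if len(payload) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, checksum, _unused, mtu = struct.unpack("!BBHHH", payload[:8])
    info = {"type": icmp_type, "code": code, "checksum": checksum}
    if icmp_type == ICMP_UNREACH and code == ICMP_UNREACH_NEEDFRAG:
        info["next_hop_mtu"] = mtu
    return info

def match_icmp_proto(icmp: dict) -> bool:
    # Assumed reading of match "1": always true, every ICMP packet passes.
    return True

def match_dest_unreach(icmp: dict) -> bool:
    # "ICMP dest-unreach": type 3 with any code, so more than just code 4.
    return icmp["type"] == ICMP_UNREACH

def match_frag_needed(icmp: dict) -> bool:
    # The finer rule: only the PMTU "fragmentation needed" report gets through.
    return icmp["type"] == ICMP_UNREACH and icmp["code"] == ICMP_UNREACH_NEEDFRAG

# Constructed sample headers (checksum field left as zero).
SAMPLES = {
    "echo-request":     bytes([8, 0, 0, 0, 0, 0, 0, 0]),
    "host-unreachable": bytes([3, 1, 0, 0, 0, 0, 0, 0]),
    "frag-needed-1400": bytes([3, 4, 0, 0, 0, 0]) + struct.pack("!H", 1400),
    "time-exceeded":    bytes([11, 0, 0, 0, 0, 0, 0, 0]),
}

def classify(samples=SAMPLES) -> dict:
    """For each sample, report which of the three rules would accept it."""
    out = {}
    for name, raw in samples.items():
        icmp = parse_icmp(raw)
        out[name] = {
            "icmp-proto": match_icmp_proto(icmp),
            "dest-unreach": match_dest_unreach(icmp),
            "frag-needed": match_frag_needed(icmp),
            "next_hop_mtu": icmp.get("next_hop_mtu"),
        }
    return out

if __name__ == "__main__":
    for name, verdict in classify().items():
        print(f"{name:18s} {verdict}")
```

Only the frag-needed rule admits the code 4 report while rejecting the other type 3 codes; dest-unreach admits all sixteen codes, and icmp-proto admits everything, including echo-request.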
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================