No, the fw didn't drop the echo-reply because it
didn't see the echo-request. It was dropped because
it wasn't allowed. ICMP is not connection
oriented like TCP (though others have _made_ it
behave that way), so you need to have a rule
that allows for the echo-reply.

If your Policy->Properties->Accept ICMP is checked
and the drop down is set to 'Before Last', then the
fw will allow without adding a rule. There are pros
and cons (security issues) to just checking the policy
properties and if you haven't looked into them, take
a little time out of your day to do so. End of digression...

NetBEUI is not routable in its native format.
NBT (encapsulated in IP) is. Again, there are security
concerns in this too. If you need this traffic flowing
past your firewall, then make your rules as specific
as you can (which you really should anyways).

HTH,
Robert

- -
Robert P. MacDonald, Network Engineer
e-Business Infrastructure
G o r d o n   F o o d    S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]

>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/24/00 4:02:52 PM >>>
>
>Suppose host B in the diagram below pings host A. A sends its echo-reply
>packets to the firewall because that's the default gateway. Firewall drops
>the echo reply packet because it does not see a corresponding echo request
>packet. Does it work like this? If yes, I know creating a rule that allows
>all communications between the internal nets would help things. I ask this
>because I think a lot of netbios traffic is being dropped between these
>internal nets. Although I suspect the tcp timeouts could be causing some
>problems too. I'd appreciate any comments on this. Thanks.
>
>
>Internet
>   |
>Firewalled Gateway Checkpoint Firewall-1 ver 4.1 SP2
>(192.168.2.1/24)
>   |
>A (192.168.2.2/24) Def GW 192.168.2.1
>   |
>(192.168.2.5/24)
>Router
>(192.168.8.1/24)
>   |
>B(192.168.8.2) Def GW 192.168.8.1
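
The asymmetric path in the diagram above and the stateless ICMP handling described in the reply, as an added example that is not part of either message and is not FireWall-1's inspection logic: a simplified first-match model. The rule tuples, the function names and the router's default route are assumptions.

```python
from ipaddress import ip_address, ip_network

NET_A = ip_network("192.168.2.0/24")  # firewall, host A and router share this segment
NET_B = ip_network("192.168.8.0/24")  # host B, behind the router
ECHO_REPLY, ECHO_REQUEST = 0, 8       # ICMP type numbers

def crosses_firewall(src, dst):
    """True if the packet is handed to the firewall, given the default gateways drawn."""
    src, dst = ip_address(src), ip_address(dst)
    if src in NET_A:
        # Hosts on A's segment deliver on-link traffic directly, the rest to the firewall.
        return dst not in NET_A
    # Hosts on B's segment use the router, which is directly attached to NET_A.
    # Assumed: the router's own default route points at the firewall.
    return dst not in NET_A and dst not in NET_B

def verdict(rules, src, dst, icmp_type):
    """Stateless first-match lookup; anything unmatched is dropped."""
    for src_net, dst_net, allowed_type, action in rules:
        if (ip_address(src) in src_net and ip_address(dst) in dst_net
                and icmp_type == allowed_type):
            return action
    return "drop"

def trace(rules, src, dst, icmp_type):
    """'bypass' if the firewall never sees the packet, else the rule verdict."""
    if not crosses_firewall(src, dst):
        return "bypass"
    return verdict(rules, src, dst, icmp_type)

A, B = "192.168.2.2", "192.168.8.2"
# Constructed rule bases: request direction only, then with a specific reply rule added.
REQUEST_ONLY = [(NET_B, NET_A, ECHO_REQUEST, "accept")]
WITH_REPLY = REQUEST_ONLY + [(NET_A, NET_B, ECHO_REPLY, "accept")]

if __name__ == "__main__":
    for name, rules in (("request-only", REQUEST_ONLY), ("with reply rule", WITH_REPLY)):
        print(name, "| B->A request:", trace(rules, B, A, ECHO_REQUEST),
              "| A->B reply:", trace(rules, A, B, ECHO_REPLY))
```

The added rule matches only echo-reply from A's net to B's net, so an echo-request sent from A toward B is still dropped by the model.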



