before last. I've checked "log implied rules" and I don't see echo reply
packets dropped in the log. I'm simply saying that echo replies are not
getting back to the pinging host B. Under the circumstances, the only
explanation I could think of was that the replies are not getting past the
firewall even though the firewall machine has static route setup for the net
with host B. BTW it's not just ping replies. HTTP and others as well. If I
add a static route on host A to host B via the router, everything works
fine.
-----Original Message-----
From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 25, 2000 10:28 AM
To: [EMAIL PROTECTED]
Subject: RE: [FW1] multiple subnets behind the gateway
What does the drop down box say to the right
of the Accept ICMP?
Are you saying this rule does or does not work?
Robert
>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/25/00 10:08:02 AM >>>
>ICMP is checked in the policy properties. The first rule in the rule base
>says
>InternalNet (group of all the internal nets) -> InternalNet any accept
>
>-----Original Message-----
>From: Robert MacDonald [mailto:[EMAIL PROTECTED]]
>Sent: Friday, August 25, 2000 9:57 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
>Subject: Re: [FW1] multiple subnets behind the gateway
>
>
>No, the fw didn't drop the echo-reply because it
>didn't see the echo-request. It was dropped because
>it wasn't allowed. ICMP is not connection
>oriented like TCP (though others have _made_ it
>behave that way), so you need to have a rule
>that allows for the echo-reply.
>
>If your Policy->Properties->Accept ICMP is checked
>and the drop down is set to 'Before Last', then the
>fw will allow without adding a rule. There are pros
>and cons (security issues) to just checking the policy
>properties and if you haven't looked into them, take
>a little time out of your day to do so. End of digression...
>
>NetBEUI is not routable in its native format.
>NBT(encapsulated in IP) is. Again, there are security
>concerns in this too. If you need this traffic flowing
>past your firewall, then make your rules as specific
>as you can (which you really should anyway.)
>
>HTH,
>Robert
>
>- -
>Robert P. MacDonald, Network Engineer
>e-Business Infrastructure
>G o r d o n F o o d S e r v i c e
>Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>
>>>> Sukhpreet Singh <[EMAIL PROTECTED]> 8/24/00 4:02:52 PM >>>
>>
>>Suppose host B in the diagram below pings host A. A sends its echo-reply
>>packets to the firewall because that's the default gateway. Firewall drops
>>the echo reply packet because it does not see a corresponding echo request
>>packet. Does it work like this? If yes, I know creating a rule that allows
>>all communications between the internal nets would help things. I ask this
>>because I think a lot of netbios traffic is being dropped between these
>>internal nets. Although I suspect the tcp timeouts could be causing some
>>problems too. I'd appreciate any comments on this. Thanks.
>>
>>
>>Internet
>> |
>>Firewalled Gateway Checkpoint Firewall-1 ver 4.1 SP2
>>(192.168.2.1/24)
>> |
>>A (192.168.2.2/24) Def GW 192.168.2.1
>> |
>>(192.168.2.5/24)
>>Router
>>192.168.8.1/24)
>> |
>>B (192.168.8.2) Def GW 192.168.8.1
>
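The thread's problem is asymmetric routing through a stateful inspection device: B's echo request reaches A directly via the router, but A's reply follows A's default route to the firewall, which then sees a reply for a request it never saw. The script below is an added example, not code from the list or from Check Point; it is a simplified model with a longest-prefix-match router, a connection table keyed on the flow, and the thread's "InternalNet -> InternalNet any accept" rule. The addresses are the ones in the quoted diagram; the node names, the `Packet` format, the flow-key logic and the routing tables are assumptions made for the model. It traces the same exchange with and without the static route on host A, and also the reverse direction (A initiating), which works because the request passes the firewall and populates its table.

```python
import ipaddress
from dataclasses import dataclass

# Addresses are the ones quoted in the thread's diagram.
FW, ROUTER_IN, ROUTER_OUT, A, B = (
    "192.168.2.1", "192.168.2.5", "192.168.8.1", "192.168.2.2", "192.168.8.2")
NODE_OF = {FW: "fw", ROUTER_IN: "router", ROUTER_OUT: "router", A: "A", B: "B"}
INTERNAL = [ipaddress.ip_network(n) for n in ("192.168.2.0/24", "192.168.8.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str  # "echo-request" | "echo-reply" | "tcp-syn" | "tcp-synack" (assumed)

    def is_reply(self):
        return self.kind in ("echo-reply", "tcp-synack")

    def flow(self):
        """Connection-table key; a reply maps onto its request's entry."""
        fam = "icmp" if self.kind.startswith("echo") else "tcp"
        ends = (self.dst, self.src) if self.is_reply() else (self.src, self.dst)
        return (fam,) + ends


def next_hop(routes, dst):
    """Longest-prefix match; routes maps prefix -> gateway (None = on-link)."""
    best = None
    for prefix, gw in routes.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return dst if best[1] is None else best[1]


def internal_to_internal(pkt):
    """The thread's first rule: InternalNet -> InternalNet, any service, accept."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return any(s in n for n in INTERNAL) and any(d in n for n in INTERNAL)


class StatefulFirewall:
    """New flows pass only if the rulebase allows them; replies pass only
    if their flow is already in the connection table (model, not FW-1 code)."""
    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.connections = set()
        self.log = []

    def inspect(self, pkt):
        if pkt.is_reply():
            ok = pkt.flow() in self.connections
            why = "matches connection" if ok else "no matching connection"
        else:
            ok = self.rulebase(pkt)
            why = "rule accept" if ok else "no rule"
            if ok:
                self.connections.add(pkt.flow())
        self.log.append((pkt.kind, pkt.src, pkt.dst, "accept" if ok else "drop", why))
        return ok


def forward(pkt, tables, fw):
    """Hop-by-hop walk from src to dst; returns (delivered, [node names])."""
    node, path = NODE_OF[pkt.src], [NODE_OF[pkt.src]]
    while node != NODE_OF[pkt.dst]:
        if node == "fw" and not fw.inspect(pkt):
            return False, path
        nh = next_hop(tables[node], pkt.dst)
        if nh is None:
            return False, path
        node = NODE_OF[nh]
        path.append(node)
    return True, path


def exchange(client, server, req_kind, rep_kind, a_static_route):
    """One request/reply pair, with or without the static route on host A."""
    a_routes = {"192.168.2.0/24": None, "0.0.0.0/0": FW}
    if a_static_route:
        a_routes["192.168.8.0/24"] = ROUTER_IN  # the fix described in the thread
    tables = {
        "A": a_routes,
        "B": {"192.168.8.0/24": None, "0.0.0.0/0": ROUTER_OUT},
        "router": {"192.168.2.0/24": None, "192.168.8.0/24": None, "0.0.0.0/0": FW},
        "fw": {"192.168.2.0/24": None, "192.168.8.0/24": ROUTER_IN},  # fw's static route
    }
    fw = StatefulFirewall(internal_to_internal)
    req = forward(Packet(client, server, req_kind), tables, fw)
    rep = forward(Packet(server, client, rep_kind), tables, fw)
    return {"request": req, "reply": rep, "fw_log": fw.log}


if __name__ == "__main__":
    for static in (False, True):
        r = exchange(B, A, "echo-request", "echo-reply", static)
        print(f"static route on A={static}: request {r['request']}, reply {r['reply']}, log {r['fw_log']}")
```

Without the static route the reply dead-ends at the firewall with "no matching connection"; with it the reply never touches the firewall at all. The general lesson for a defender is that a stateful device only protects traffic it sees in both directions, so either keep the paths symmetric (fix the routing, as the thread does) or write an explicit, narrowly scoped rule for the return traffic, accepting that the rule is then stateless for that flow.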
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================