On Wed, 10 Jan 2001, Carl E. Mankinen wrote:
> I seem to be reading quite a bit that even 4.X does not use stateful inspection
> for ICMP requests. Is this in fact the case, or has CheckPoint corrected this
> in the latest releases?
>
> For them to say that ICMP packets are harmless and thus do not require
> stateful inspection is beyond belief (having my doubts they actually said this...)
> ICMP is a perfect method for tunneling control connections for trojans, or
> for sending obscured hashed data containing information you wouldn't like exposed.
To the best of my knowledge, no. I have not been able to identify any ICMP state
table in the kernel memory. I have identified 4 tables within memory that
potentially track ICMP. However, after testing these 4 tables, they do not
appear to do any stateful tracking of ICMP. I would greatly appreciate anyone
who could provide more information.
The four tables in question:
firewall #fw tab -s | grep -i icmp
localhost icmp_connections 50 0
localhost icmp_requests 51 4
localhost icmp_replies 52 4
localhost icmp_errors 53 5
thanks!
lance
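
For readers of this thread, here is what stateful tracking of ICMP echo traffic would involve; this is an added example, not part of the original posts and not Check Point code. The class and function names are hypothetical, the addresses and packets in any use of it are constructed, and the payload comparison is one assumed policy aimed at the tunneling concern raised in the question.

```python
import struct
ECHO_REPLY, ECHO_REQUEST = 0, 8

def checksum(data):
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type, ident, seq, payload):
    """Construct a sample echo message (only used to make test input)."""
    head = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    return struct.pack("!BBHHH", icmp_type, 0, checksum(head + payload), ident, seq) + payload

def parse_echo(icmp):
    """Return (type, ident, seq, payload), or None if not a valid echo message."""
    if len(icmp) < 8 or checksum(icmp) != 0:
        return None
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        return None
    return icmp_type, ident, seq, icmp[8:]

class EchoStateTable:
    def __init__(self, timeout=10.0):
        self.timeout = timeout
        self.pending = {}  # (inside, outside, ident, seq) -> (expiry, payload)

    def outbound(self, src, dst, icmp, now):
        """Record an echo request leaving the protected network."""
        msg = parse_echo(icmp)
        if msg and msg[0] == ECHO_REQUEST:
            self.pending[(src, dst, msg[1], msg[2])] = (now + self.timeout, msg[3])

    def inbound(self, src, dst, icmp, now):
        """Admit an echo reply only if it answers a live, recorded request."""
        msg = parse_echo(icmp)
        if not msg or msg[0] != ECHO_REPLY:
            return "drop: not an echo reply"
        entry = self.pending.pop((dst, src, msg[1], msg[2]), None)
        if entry is None or now > entry[0]:
            return "drop: no matching request"
        if msg[3] != entry[1]:
            return "drop: payload differs from request"
        return "accept"
```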