Hi Lance,
You are right about ICMP ..... but only one of the Developers in Israel
could "enlighten us" further.
I think the only effective use of those tables is CPMAD.....
Yes it would be nice to write some inspect script to tie the tables together
and include a timeout........ but that is not my strong point, i.e. I'm
going to leave that up to someone else, who doesn't mind voiding their
support contract.
Jon
Date: Wed, 10 Jan 2001 20:51:43 -0600 (CST)
From: Lance Spitzner <[EMAIL PROTECTED]>
Subject: Re: [FW1] ICMP Stateful or NOT ?
On Wed, 10 Jan 2001, Carl E. Mankinen wrote:
> I seem to be reading quite a bit that even 4.X does not use stateful
> inspection for ICMP requests. Is this in fact the case, or has CheckPoint
> corrected this in the latest releases?
>
> For them to say that ICMP packets are harmless and thus do not require
> stateful inspection is beyond belief (having my doubts they actually said
> this...)
> ICMP is a perfect method for tunneling control connections for trojans, or
> for sending obscured hashed data containing information you wouldn't like
> exposed.
To the best of my knowledge, no. I have not been able to identify any ICMP
state table in the kernel memory. I have identified 4 tables within memory
that potentially track ICMP. However, after testing these 4 tables, they do
not appear to do any stateful tracking of ICMP. I would greatly appreciate
anyone who could provide more information.
The four tables in question:
firewall #fw tab -s | grep -i icmp
localhost icmp_connections 50 0
localhost icmp_requests 51 4
localhost icmp_replies 52 4
localhost icmp_errors 53 5
thanks!
lance
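
What stateful handling of ICMP echo, the behaviour asked about in this thread, looks like in general terms: an added Python example, not part of the original messages and not Check Point or INSPECT code. The class name, the 10-second timeout and the sample addresses are assumptions constructed for the illustration.

```python
# Added illustration: minimal stateful tracking of ICMP echo traffic.
# IcmpStateTable, TIMEOUT and the sample packets are constructed for this example.
from dataclasses import dataclass

ECHO_REPLY, ECHO_REQUEST = 0, 8   # ICMP type numbers
TIMEOUT = 10.0                    # seconds a request stays answerable (assumed value)

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int
    seq: int

class IcmpStateTable:
    def __init__(self, timeout=TIMEOUT):
        self.timeout = timeout
        self.pending = {}  # (requester, responder, ident, seq) -> expiry time

    def outbound(self, pkt, now):
        """Record an echo request that the rule base allowed out."""
        if pkt.type == ECHO_REQUEST:
            self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = now + self.timeout

    def inbound(self, pkt, now):
        """Accept an echo reply only if it answers a live request, and only once."""
        # Expire old entries first so a late reply cannot match.
        self.pending = {k: t for k, t in self.pending.items() if t > now}
        if pkt.type != ECHO_REPLY:
            return False  # other ICMP types are out of scope for this sketch
        key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
        return self.pending.pop(key, None) is not None

def demo():
    table = IcmpStateTable()
    table.outbound(Icmp("10.0.0.5", "192.0.2.1", ECHO_REQUEST, 7, 1), now=0.0)
    reply = Icmp("192.0.2.1", "10.0.0.5", ECHO_REPLY, 7, 1)
    unsolicited = Icmp("198.51.100.9", "10.0.0.5", ECHO_REPLY, 7, 1)
    return [
        table.inbound(reply, now=1.0),        # answers a pending request
        table.inbound(reply, now=2.0),        # duplicate, entry already consumed
        table.inbound(unsolicited, now=3.0),  # no matching request was sent
    ]
```
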