Are you saying that you want ICMP to work through the VPNs, and yet have other devices use ICMP w/o encryption?

ICMP on FireWall-1 is not inherently stateful -- that is, it does not populate a connections table to automatically allow the reverse connection.

KMoussavi wrote:

 

TWIMC,

I'm currently trying to restrict ICMP and traceroute "statefully" to FW1 (NT) from the outside.  How is this possible without disrupting VPN ICMP?  I've looked at the INSTINCT scripts that have been posted on PHONEBOY but they do have some bugs in them.  Is there another way without having to use INSTINCT?

Thank You

Keyvan
