Clarrisa,

--- Clarrisa Wright <[EMAIL PROTECTED]> wrote:
> I would like to allow ICMP and traceroute between 2 networks on either side
> of my firewall. I am wondering if I have to turn on "Accept ICMP Before
> Last" in the policy properties, because obviously one of the hops from
> subnet to subnet will be the firewall interfaces on both sides.

The 'Before Last' does not refer to how many hops the packet travels,
but to where in the rule base the implicit rule "allow all ICMP" will be
injected. 'Before Last' means just before the default drop rule.

> I have found that if I uncheck "Accept ICMP" in the policy, I get timeout
> marks like this: * * * when the traffic hits the firewall. I don't want to
> keep this on unless I have to. Any ideas? Can't I just have "Accept ICMP"
> unchecked and put in explicit ping rules?
> 


You do not need to check the "Accept ICMP" box to achieve what you want.
Checking that box would punch a hole in the firewall that is bigger than
you need. As a first step, you can put in rules like:

 SOURCE   DESTINATION   SERVICE      ACTION
  net1     net2          icmp-proto   pass
  net2     net1          icmp-proto   pass
  net1     net2          traceroute   pass

(Unix traceroute uses UDP, so the ICMP rules won't catch it.)
If you use the Windows 'tracert', the 3rd rule may not be necessary;
I think tracert uses ICMP in both directions (?).

Phoneboy (http://www.phoneboy.com) has a recipe for doing this even better:
not allowing all ICMP, but only the ICMP packets you need for ping
and traceroute.

> thanks :)
> 
> -Sa
> 


=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: [EMAIL PROTECTED]        Web: http://research.lumeta.com/yash/
Phone: (732) 357-3511  Cell: (973) 420-5919  Fax: (732) 564-0731
    ** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
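The two points made in the reply above (that "Before Last" is a position in the rule base, not a hop count, and that Unix traceroute's UDP probes slip past ICMP-only rules) are easy to check with a small first-match simulation. The code below is an added example and is not part of the original message, nor Check Point's or Lumeta's code. The network addresses are constructed, the UDP port range behind the "traceroute" service object and the single-probe-per-hop model are simplifying assumptions, and the simulation does not model stateful inspection of replies (in particular the ICMP Time Exceeded messages that traceroute relies on coming back from each hop).

```python
import ipaddress
from dataclasses import dataclass

# Constructed example networks; the post only calls them net1 and net2.
NETS = {
    "net1": ipaddress.ip_network("10.1.0.0/24"),
    "net2": ipaddress.ip_network("10.2.0.0/24"),
    "any":  ipaddress.ip_network("0.0.0.0/0"),
}

# Service objects. The port range for "traceroute" is an assumption that
# mirrors classic Unix traceroute probes (UDP, starting at port 33434);
# check the actual service definition in your own policy.
SERVICES = {
    "icmp-proto": ("icmp", None),
    "traceroute": ("udp", (33434, 33523)),
    "any":        ("any", None),
}

@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "icmp", "udp" or "tcp"
    dport: int = 0   # destination port for udp/tcp; ignored for icmp

@dataclass
class Rule:
    src: str
    dst: str
    service: str
    action: str      # "pass" or "drop"

def matches(rule: Rule, pkt: Packet) -> bool:
    """Does this rule's source/destination/service cover the packet?"""
    if ipaddress.ip_address(pkt.src) not in NETS[rule.src]:
        return False
    if ipaddress.ip_address(pkt.dst) not in NETS[rule.dst]:
        return False
    proto, ports = SERVICES[rule.service]
    if proto == "any":
        return True
    if proto != pkt.proto:
        return False
    return ports is None or ports[0] <= pkt.dport <= ports[1]

def build_rulebase(explicit, accept_icmp_before_last=False):
    """Explicit rules first, then (if the box is checked) the implicit
    'allow all ICMP' rule, then the default drop. 'Before Last' names
    a position in this list, not a number of hops."""
    rb = list(explicit)
    if accept_icmp_before_last:
        rb.append(Rule("any", "any", "icmp-proto", "pass"))   # implicit rule
    rb.append(Rule("any", "any", "any", "drop"))              # default drop
    return rb

def decide(rulebase, pkt):
    """First-match evaluation; returns (index of matching rule, action)."""
    for i, rule in enumerate(rulebase):
        if matches(rule, pkt):
            return i, rule.action
    raise AssertionError("rulebase has no cleanup rule")

def probe(tool, src, dst, hop):
    """What one traceroute probe for the given hop looks like on the wire.
    Simplification: one probe per hop; real tools send several."""
    if tool == "unix":          # UDP to an unlikely high port
        return Packet(src, dst, "udp", 33434 + hop - 1)
    if tool == "tracert":       # Windows tracert sends ICMP echo requests
        return Packet(src, dst, "icmp")
    raise ValueError(tool)

# The three explicit rules proposed in the reply.
EXPLICIT = [
    Rule("net1", "net2", "icmp-proto", "pass"),
    Rule("net2", "net1", "icmp-proto", "pass"),
    Rule("net1", "net2", "traceroute", "pass"),
]

if __name__ == "__main__":
    rb_off = build_rulebase(EXPLICIT)
    rb_on = build_rulebase(EXPLICIT, accept_icmp_before_last=True)
    for tool in ("unix", "tracert"):
        print(tool, "net1->net2:", decide(rb_off, probe(tool, "10.1.0.5", "10.2.0.9", hop=1)))
        print(tool, "net2->net1:", decide(rb_off, probe(tool, "10.2.0.9", "10.1.0.5", hop=1)))
    stray = Packet("192.0.2.7", "10.1.0.5", "icmp")   # from neither net1 nor net2
    print("stray ICMP, box unchecked:", decide(rb_off, stray))
    print("stray ICMP, box checked:  ", decide(rb_on, stray))
```

Running it shows the asymmetry the three rules leave: a Unix traceroute from net2 back to net1 hits the default drop because only ICMP is allowed in that direction, while Windows tracert in the same direction is covered by the ICMP rule. It also shows the "bigger hole": with the box checked, ICMP from an address outside both networks is accepted by the implicit rule sitting just above the cleanup rule.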



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
