
Re: [FW1] Problems with ICMP filtering



Sebastian,

Unfortunately, ICMP is NOT statefully inspected.  Therefore, you're most
likely accepting the outbound ICMP echo-requests, but dropping the
return ICMP echo-replies.  You can solve this by either creating a rule
allowing "ANY" "that-one-internal-net" "ICMP-echo-reply" "allow", or
simply tell people that they can't ping to the Internet period.  I've
successfully disabled ICMP to the Internet for this reason (there are
TONS of things that an attacker could do using open ICMP tunnels - I
won't go into that right now...)  One thing I did, to compromise, is
allow my internal nets to ping the next hop router out of our network
(and allowed ICMP echo-replies back from it.)  I then put a DNS alias in
our internal DNS, for that next hop router, called "pingme.domain.com".
That way, people can still test connectivity, but the holes are
drastically reduced.  Hope this helps!

Jason


Sebastian Vieira Uribe wrote:
> 
> Hi,
> 
> I am using FW-1 4.0 and I have ICMP disabled as (Before Last) in the
> properties dialog.
> 
> I have a rule allowing any from one of the internal networks and all
> services work from this network except PING. If I try to ping any
> address in another network I always get a timeout.
> 
> Anyone know what is happening here?
> 
> Regards,
> 
> Sebastian Vieira
> 
> ================================================================================
>      To unsubscribe from this mailing list, please see the instructions at
>                http://www.checkpoint.com/services/mailing.html
> ================================================================================


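The behaviour Jason describes, as an added model that is not Check Point code and not part of the original thread: a first-match rulebase with an implicit drop is evaluated statelessly, so Sebastian's "internal net to any" rule admits the outbound echo-request but nothing admits the echo-reply coming back. The same model then shows the explicit echo-reply rule Jason suggests, his "pingme" compromise (echo only to and from the next-hop router), and, for contrast, a minimal state table that admits a reply only for a request it has already seen. The addresses, rule names, ICMP identifiers and the simplified rule semantics are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"
ECHO_REQUEST, ECHO_REPLY = 8, 0

# Constructed addresses: an internal net, the next-hop router and an Internet host.
INTERNAL = "10.1.0.0/16"
NEXT_HOP = "192.0.2.1/32"
INTERNET_HOST = "198.51.100.7"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp", "udp"
    icmp_type: int = -1   # 8 = echo-request, 0 = echo-reply, -1 = not ICMP
    icmp_id: int = 0      # echo identifier; only the stateful tracker looks at it


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # CIDR or ANY
    dst: str       # CIDR or ANY
    service: str   # ANY, "icmp-echo-request" or "icmp-echo-reply"
    action: str    # "accept" or "drop"


def _addr_match(pattern: str, addr: str) -> bool:
    if pattern == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def _service_match(service: str, pkt: Packet) -> bool:
    if service == ANY:
        return True
    if service == "icmp-echo-request":
        return pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST
    if service == "icmp-echo-reply":
        return pkt.proto == "icmp" and pkt.icmp_type == ECHO_REPLY
    return False


def evaluate(rulebase, pkt: Packet):
    """Stateless, first-match evaluation: every packet is judged on its own
    header alone, and anything that matches no rule hits the implicit drop."""
    for rule in rulebase:
        if (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
                and _service_match(rule.service, pkt)):
            return rule.action, rule.name
    return "drop", "implicit-drop"


class StatefulEcho:
    """Illustration of what stateful ICMP handling adds (a generic sketch, not
    any product's implementation): an accepted echo-request records
    (src, dst, id), and the echo-reply that reverses it is admitted from the
    table without needing a rule of its own. Unsolicited replies still fall
    through to the stateless rulebase."""

    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.pending = set()

    def evaluate(self, pkt: Packet):
        if pkt.proto == "icmp" and pkt.icmp_type == ECHO_REPLY:
            key = (pkt.dst, pkt.src, pkt.icmp_id)   # reply reverses the request's endpoints
            if key in self.pending:
                self.pending.discard(key)
                return "accept", "state-table"
        action, name = evaluate(self.rulebase, pkt)
        if action == "accept" and pkt.proto == "icmp" and pkt.icmp_type == ECHO_REQUEST:
            self.pending.add((pkt.src, pkt.dst, pkt.icmp_id))
        return action, name


# The three rulebases from the thread, in the order they are discussed.
ORIGINAL = [Rule("internal-out", INTERNAL, ANY, ANY, "accept")]
WITH_REPLY_RULE = ORIGINAL + [Rule("echo-reply-in", ANY, INTERNAL, "icmp-echo-reply", "accept")]
PINGME_ONLY = [
    Rule("ping-next-hop", INTERNAL, NEXT_HOP, "icmp-echo-request", "accept"),
    Rule("next-hop-reply", NEXT_HOP, INTERNAL, "icmp-echo-reply", "accept"),
]

# Constructed packets: one ping from an internal host and the replies it might provoke.
REQUEST = Packet("10.1.0.5", INTERNET_HOST, "icmp", ECHO_REQUEST, icmp_id=1234)
REPLY = Packet(INTERNET_HOST, "10.1.0.5", "icmp", ECHO_REPLY, icmp_id=1234)
NEXT_HOP_REPLY = Packet("192.0.2.1", "10.1.0.5", "icmp", ECHO_REPLY, icmp_id=1234)
UNSOLICITED = Packet(INTERNET_HOST, "10.1.0.5", "icmp", ECHO_REPLY, icmp_id=9999)


if __name__ == "__main__":
    print("stateless, original rules:", evaluate(ORIGINAL, REQUEST), evaluate(ORIGINAL, REPLY))
    print("stateless, with reply rule:", evaluate(WITH_REPLY_RULE, REPLY))
    print("pingme compromise:", evaluate(PINGME_ONLY, REQUEST), evaluate(PINGME_ONLY, NEXT_HOP_REPLY))
    tracker = StatefulEcho(ORIGINAL)
    print("stateful:", tracker.evaluate(REQUEST), tracker.evaluate(REPLY), tracker.evaluate(UNSOLICITED))
```

Run as a script it prints each verdict; the point to notice is that the explicit echo-reply rule admits every reply addressed to the internal net regardless of whether a request went out, while the state table (and, more narrowly, the next-hop-only rule pair) admits only what was solicited.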



All contents © 2003 Network Presence, LLC. All rights reserved.