Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [FW1] Unable to tracert

To: <[email protected]>, <[email protected]>
Subject: RE: [FW1] Unable to tracert
From: "Larry Pingree" <[email protected]>
Date: Tue, 21 Aug 2001 11:54:55 -0700
Importance: Normal
In-reply-to: <[email protected]>
Sender: [email protected]

Windows Traceroute uses destination Unreachable messages coming back from
each router hop. You'd need to allow this back into your network for
Traceroute to work.





-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Larry Pingree
Sr. Security Engineer/Check Point Instructor
CCSA, CCSE, CCSI, ICE, ICI, NSA

Website: http://www.SiegeWorks.com <http://www.siegeworks.com/>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


-----Original Message-----
From: [email protected]
[mailto:[email protected]]On Behalf Of
Rusdyanto Tardjono
Sent: Friday, August 17, 2001 9:25 PM
To: [email protected]
Subject: [FW1] Unable to tracert



Dear lists,

I am using Checkpoint FW-1 4.1 still SP1 under Windows NT 4.0 Server SP 6.
I 'm wondering that I can't do traceroute from the FW module itself to any
but I can ping to any with no problem from FW module.
In my rule base, I have the following rule:

	Source		Destination	Service			Action
	Any		FW		ICMP Echo Reply	Accept

I have also tried to open built-in Traceroute service, but still unable to
do so.
>From ANY, I purposely block any ICMP so outsiders can't ping and traceroute
to my FW and DMZ.

Under Policy menu -> Properties -> Security Policy tab, I deselect Accept
ICMP.  Only if I select Accept ICMP, I can traceroute from FW as well as
from outside can ping and traceroute to my FW which I don't want it this
way.
I remember the traceroute used to work. My rulebase is about the same when
it used to work.  Any help will be appreciated.
Thanks.


Rusdy




============================================================================
====
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
============================================================================
====




================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================

Follow-Ups:
- [FW1] Service Pack
  - From: "David Brazil" <[email protected]>
- RE: [FW1] Unable to tracert
  - From: "Larry Pingree" <[email protected]>

References:
- [FW1] Unable to tracert
  - From: "Rusdyanto Tardjono" <[email protected]>

Prev by Date: [FW1] domain-tcp drops
Next by Date: RE: [FW1] Question on a Web Server Rule
Previous by thread: [FW1] Unable to tracert
Next by thread: [FW1] Service Pack
Index(es):
- Date
- Thread