
Re: [FW1] Ping Rules Across Firewall help



Clarrisa,

--- Clarrisa Wright <[email protected]> wrote:
> I would like to allow ICMP and traceroute between 2 networks on either side 
> of my firewall. I am wondering if I have to turn on "Accept ICMP Before 
> Last" in the policy properties, because obviously one of the hops from 
> subnet to subnet will be the firewall interfaces
> on both sides.   

The 'before last' does not refer to how many hops the packet travels
but to where in the rule base the implicit rule "allow all ICMP" will be 
injected. 'Before last' will be just before the default drop rule.

> I have found that if I uncheck "Accept ICMP" in the policy, 
> I get timeout marks like this: * * * when the traffic hits the firewall. I 
> don't want to keep this on unless I have to. Any ideas? Can't I just have 
> "Accept ICMP" unchecked and put in explicit ping rules?
> 


You do not need to check the "Accept ICMP" box to achieve what you want.
Checking that box would punch a hole in the firewall that is bigger than
you need. As a first step, you can put in rules like:

 SOURCE DESTINATION SERVICE       ACTION
  net1     net2     icmp-proto     pass
  net2     net1     icmp-proto     pass
  net1     net2     traceroute     pass

(UNIX traceroute uses UDP, so the ICMP rules won't catch it.)
If you use the Windows 'tracert', the 3rd rule may not be necessary;
I think tracert uses ICMP in both directions (?).

Phoneboy (http://www.phoneboy.com) has a recipe for doing this even better,
not allowing all ICMP but only the ICMP packets you need for ping 
and traceroute. 

> thanks :)
> 
> -Sa
> 


=====
Avishai Wool, Ph.D.,  Chief Scientist & Co-Founder, Lumeta Corp.
220 Davidson Ave, 4th Floor, Somerset, NJ 08873, USA
Email: [email protected]        Web: http://research.lumeta.com/yash/
** Want to audit or debug your firewall's policy? **
Lumeta Firewall Analyzer: http://www.lumeta.com/firewall.html
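The following is an added illustration, not code from the original post or from Check Point: a toy top-down rule-base evaluator showing where the implied "Accept ICMP before last" rule lands (just above the cleanup drop), why the three explicit rules above let ping and a UNIX UDP traceroute through on their own, and how much wider the implied rule is. Network addresses, the UDP traceroute port range and packet samples are constructed assumptions; stateful reply handling is deliberately left out.

```python
import ipaddress

# Constructed sample networks standing in for net1 and net2.
NETS = {"net1": ipaddress.ip_network("10.1.0.0/24"),
        "net2": ipaddress.ip_network("10.2.0.0/24")}

# Service objects: (protocol, destination-port range or None).
# 33434-33534 is the classic UNIX traceroute UDP probe range (assumption).
SERVICES = {"icmp-proto": ("icmp", None),
            "traceroute": ("udp", (33434, 33534)),
            "Any": (None, None)}

def matches(rule, pkt):
    """True if the packet hits this (src, dst, service, action) rule."""
    src, dst, svc, _ = rule
    proto, ports = SERVICES[svc]
    if src != "Any" and pkt["src"] not in NETS[src]: return False
    if dst != "Any" and pkt["dst"] not in NETS[dst]: return False
    if proto and pkt["proto"] != proto: return False
    if ports and not (ports[0] <= pkt.get("dport", -1) <= ports[1]): return False
    return True

def build_rulebase(explicit, accept_icmp_before_last):
    """Explicit rules, then the implied ICMP rule (if enabled), then cleanup drop."""
    rb = list(explicit)
    if accept_icmp_before_last:
        rb.append(("Any", "Any", "icmp-proto", "pass"))  # 'before last' lands here
    rb.append(("Any", "Any", "Any", "drop"))             # implicit cleanup rule
    return rb

def decide(rb, pkt):
    """First matching rule wins, as in a top-down rule base."""
    for rule in rb:
        if matches(rule, pkt):
            return rule[3]
    return "drop"

EXPLICIT = [("net1", "net2", "icmp-proto", "pass"),
            ("net2", "net1", "icmp-proto", "pass"),
            ("net1", "net2", "traceroute", "pass")]

def probe_results(accept_icmp_before_last=False):
    """Decisions for three constructed packets under the chosen policy setting."""
    rb = build_rulebase(EXPLICIT, accept_icmp_before_last)
    a, b, x = (ipaddress.ip_address(s) for s in ("10.1.0.5", "10.2.0.9", "192.168.9.9"))
    ping = {"src": a, "dst": b, "proto": "icmp"}
    udp_trace = {"src": a, "dst": b, "proto": "udp", "dport": 33435}
    stray_icmp = {"src": x, "dst": b, "proto": "icmp"}   # from neither network
    return {"ping": decide(rb, ping), "unix_traceroute": decide(rb, udp_trace),
            "icmp_from_elsewhere": decide(rb, stray_icmp)}
```

With "Accept ICMP" off, the stray ICMP packet is dropped by the cleanup rule; with it on, the implied rule passes it, which is the larger hole the reply refers to.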



================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================