Re: [FW1] stateful inspection?

HTTP is stateful. So, as you said, that is working if the remote HTTP server is found. But if some intermediate router restricts your path to the destination HTTP server and sends an ICMP error message, then your firewall won't know if this is part of your HTTP request, because that error message comes from some unknown router/gateway.

Solution: Ignore this, i.e. wait for the timeout. Or allow the following rule in your firewall if you feel comfortable. This will allow ICMP replies.

    Any <YOURNET> {dest-unreach,echo-reply,time-exceeded} ACCEPT

Rajeev

On Thursday 04 October 2001 03:04, Patrick Lotti wrote:
> Hi all!
>
> just wonder how to configure the following:
> I'd like to allow outgoing http only. That works fine as long
> as there are no icmp-unreachable or other icmp messages: They
> are dropped, even though they are directly related to the http
> request.
> Is there an easy fix, or would it require some inspect coding?
>
> Best Regards,
> Patrick Lotti
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================

--
********************************************************************
Rajeev Kumar ([email protected])
http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY --
http://www.rajeevnet.com/crypto/mypubkey
********************************************************************
What's New on rajeevnet.com:
 o Unix/Windows password Sync:
   http://www.rajeevnet.com/linux/passwd_sync/passwd_sync.html
 o Wonders of 'dd' and 'netcat' :: Cloning Operating Systems
   http://www.rajeevnet.com/tips_hints/os_clone/os_cloning.html
********************************************************************
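On the "inspect coding" question raised in the thread: an ICMP error quotes the IP header and first 8 bytes of the packet that triggered it (RFC 792), so a filter can tie the error to a tracked connection even when it arrives from an unknown router. The Python below is an added example of that matching, not code from the thread or from FireWall-1; the state table, addresses and function names are constructed assumptions.

```python
import socket
import struct

# ICMP types that quote the offending datagram (RFC 792); echo-reply (0) does not.
ICMP_ERRORS = {3: "dest-unreach", 11: "time-exceeded"}

def quoted_tcp_flow(icmp: bytes):
    """Return (src, sport, dst, dport) of the TCP packet quoted in an ICMP error, else None."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERRORS:
        return None
    inner = icmp[8:]                      # quoted IP header + first 8 bytes of its payload
    if len(inner) < 20 or inner[0] >> 4 != 4:
        return None
    ihl = (inner[0] & 0x0F) * 4           # quoted IP header length in bytes
    if ihl < 20 or inner[9] != 6 or len(inner) < ihl + 4:
        return None                       # not TCP, or the port fields are truncated
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return (socket.inet_ntoa(inner[12:16]), sport,
            socket.inet_ntoa(inner[16:20]), dport)

def is_related(icmp: bytes, state_table: set) -> bool:
    """Accept an ICMP error only if it quotes a connection that is being tracked."""
    flow = quoted_tcp_flow(icmp)
    return flow is not None and flow in state_table

def build_icmp_error(icmp_type, code, src, sport, dst, dport) -> bytes:
    """Construct a sample ICMP error (checksums left at 0; they are not verified above)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp8 = struct.pack("!HHI", sport, dport, 0)   # ports + sequence number
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + ip + tcp8

# Constructed state table: one outgoing HTTP connection (documentation addresses).
STATE = {("192.0.2.10", 40000, "198.51.100.80", 80)}

if __name__ == "__main__":
    tracked = build_icmp_error(3, 1, "192.0.2.10", 40000, "198.51.100.80", 80)
    stray = build_icmp_error(3, 1, "192.0.2.10", 40001, "198.51.100.80", 80)
    print("tracked flow:", is_related(tracked, STATE))
    print("untracked flow:", is_related(stray, STATE))
```

Unlike the blanket rule quoted in the reply, this accepts only errors that quote a connection already in the table; echo-reply carries no quoted datagram and would need its own matching on the echo identifier.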