
Re: [FW1] stateful inspection?



HTTP is stateful. So, as you said, that works if the remote HTTP server is 
found. But if some intermediate router restricts your path to the destination 
HTTP server and sends an ICMP error message, then your firewall won't know 
whether this is part of your HTTP request, because that error message comes 
from some unknown router/gateway.

Solution:
    Ignore this, i.e. wait for the timeout.

or

Allow the following rule in your firewall if you feel comfortable. This will 
allow ICMP replies.

Any   <YOURNET>  {dest-unreach,echo-reply,time-exceeded}  ACCEPT


Rajeev

On Thursday 04 October 2001 03:04, Patrick Lotti wrote:
> Hi all!
>
> just wonder how to configure the following:
> I'd like to allow outgoing http only. That works fine as long
> as there are no icmp-unreachable or other icmp messages: They
> are dropped, even though they are directly related to the http
> request.
> Is there an easy fix, or would it require some inspect coding?
>
> Best Regards,
> Patrick Lotti

-- 
********************************************************************
	Rajeev Kumar ([email protected])
		http://www.rajeevnet.com
********************************************************************
-- PGP PUBLIC KEY -- http://www.rajeevnet.com/crypto/mypubkey
********************************************************************
What's New on rajeevnet.com:
o Unix/Windows password Sync: 
    http://www.rajeevnet.com/linux/passwd_sync/passwd_sync.html
o Wonders of 'dd' and 'netcat' :: Cloning Operating Systems
    http://www.rajeevnet.com/tips_hints/os_clone/os_cloning.html
********************************************************************


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================
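
An added example, not part of the original thread and not FireWall-1 INSPECT code: ICMP error messages quote the IP header and first 8 bytes of the packet that triggered them, so a stateful filter can tie an error from an unknown router back to a tracked connection instead of accepting these ICMP types from anywhere. The function names, the state-table layout and the addresses (documentation ranges) are constructed for illustration; echo-reply carries no quoted packet and is outside this check.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 11}  # destination unreachable, time exceeded

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def related_flow(icmp_packet):
    """Return (src, sport, dst, dport) of the TCP flow quoted in an ICMP error, or None."""
    if len(icmp_packet) < 20:
        return None
    ihl = (icmp_packet[0] & 0x0F) * 4
    if ihl < 20 or icmp_packet[9] != 1 or len(icmp_packet) < ihl + 8:  # 1 = ICMP
        return None
    icmp = icmp_packet[ihl:]
    if icmp[0] not in ICMP_ERROR_TYPES:
        return None
    quoted = icmp[8:]  # embedded original IP header + first 8 bytes of its payload
    if len(quoted) < 20:
        return None
    q_ihl = (quoted[0] & 0x0F) * 4
    if q_ihl < 20 or quoted[9] != 6 or len(quoted) < q_ihl + 4:  # 6 = TCP
        return None
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return (socket.inet_ntoa(quoted[12:16]), sport,
            socket.inet_ntoa(quoted[16:20]), dport)

def accept_icmp(icmp_packet, state_table):
    """Accept an ICMP error only if it quotes a connection the firewall is tracking."""
    flow = related_flow(icmp_packet)
    return flow is not None and flow in state_table

def sample_error(router, client, sport, server, dport, icmp_type=3, code=1):
    """Constructed ICMP error from `router` quoting a client -> server TCP segment."""
    tcp8 = struct.pack("!HHI", sport, dport, 0)  # ports + sequence number
    quoted = ipv4_header(client, server, 6, 8) + tcp8
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0) + quoted
    return ipv4_header(router, client, 1, len(icmp)) + icmp

# Constructed state table: one tracked outgoing HTTP connection.
STATE = {("192.0.2.10", 40000, "198.51.100.80", 80)}
```
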



 
   All contents © 2004 Network Presence, LLC. All rights reserved.