
Re: [FW-1] why there is only one way connection?



> I had a Check Point Firewall-1 4.0 installed in a Sun box and it is
> located in our Bangkok branch (the other side of the WAN). I have a
> problem that I can't solve. From our workstations in Singapore, I can
> ping the Firewall in Bangkok, but from the Bangkok firewall, I can not
> ping any workstations in Singapore, though it can ping the
> workstations in Bangkok.


> Could you please tell me what could be wrong?

First of all, did you check both Firewall logs, to see
whether these ICMP packets show up anywhere?


> 1) If I enable a rule in the Firewall with source: A, destination: B,
> service: ICMP, action: Accept, it makes A able to ping B. Does it mean
> that the rule also enables B to ping A?

No. The rule specifically says that the SOURCE must be A.
If you ping from B to A, SOURCE = B, and thus your rule will
not allow it.


> 2) I saw in the properties of the FW implied rules that there are
> settings like 1) Last, 2) First, 3) Before Last. What is the meaning?


This is about where the FW places the implied rules.
This is important because FW-1 parses the rule base
in the order that you have specified the rules.
The first matching rule "wins".

If you specify  Last, the implied rule will be added
at the bottom of the rule base, after the last rule
you created. If you specify First, it will be set before
rule #1. Before last means: just before the last rule.

I have chosen to allow certain ICMP packets through specific rules;
I don't use the implied rules for that. This allows me to control
exactly which ICMP types I want to accept. I added these rules at
the top of my rule base (well, high up anyway, but that's not important).

However, someone said that you need to enable the "Accept ICMP" setting
in order to have FW-1 do stateful inspection for ICMP. (Which is now said
to be working, in the latest versions.)

So, in order to both use my own rules and have the "rule 0" stuff on at the
same time, I've set "Accept ICMP: Last".
This way, the auto rule is all the way at the bottom, behind my "any any
drop" rule, and will therefore never come into effect. My own rules,
further up, will then make all the decisions for the packets that come in.

Cheers,
Anders :)

===============================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
===============================================
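The ordering behaviour Anders describes (first match wins, a rule with source A is not symmetric, and where the implied "Accept ICMP" rule lands relative to a final "any any drop" rule) can be checked with a small first-match evaluator. This is an added example, not code from the original post or from Check Point; the host names, rule names and the three placement strings are constructed for illustration and only model the ordering, not FW-1's actual implementation.

```python
"""Minimal first-match rule-base evaluator modelling FW-1 rule ordering.

Added illustration; hosts, rule names and behaviour of unmatched packets
are assumptions, not taken from the mailing-list post or from FW-1 itself.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

    def matches(self, src: str, dst: str, service: str) -> bool:
        # A rule field of "any" matches everything; otherwise exact match.
        # Note that src and dst are checked separately: a rule written for
        # A -> B says nothing about B -> A.
        return all(want == ANY or want == have for want, have in
                   ((self.src, src), (self.dst, dst), (self.service, service)))


def first_match(rules, src: str, dst: str, service: str):
    """Return (rule_name, action) for the first rule matching the packet.

    Like FW-1, the rule base is walked top to bottom and the first hit
    decides. A packet matching nothing is dropped here (assumption; an
    explicit cleanup rule at the bottom makes that decision visible).
    """
    for rule in rules:
        if rule.matches(src, dst, service):
            return rule.name, rule.action
    return "no-rule-matched", "drop"


def with_implied(explicit, implied, position: str):
    """Insert an implied ("rule 0") rule per the FW-1 placement setting.

    First       -> before rule #1
    Before Last -> just before the last explicit rule
    Last        -> after the last explicit rule
    """
    if position == "First":
        return [implied] + list(explicit)
    if position == "Last":
        return list(explicit) + [implied]
    if position == "Before Last":
        return list(explicit[:-1]) + [implied] + list(explicit[-1:])
    raise ValueError(f"unknown placement {position!r}")


# Constructed hosts and rule base (hypothetical names, not from the post).
A, B = "ws-singapore", "fw-bangkok"
EXPLICIT = [
    Rule("1 icmp A->B", A, B, "icmp", "accept"),
    Rule("2 cleanup any any drop", ANY, ANY, ANY, "drop"),
]
IMPLIED_ICMP = Rule("0 Accept ICMP (implied)", ANY, ANY, "icmp", "accept")


def reverse_ping_decisions():
    """Which rule decides a B -> A ping for each placement of the implied rule."""
    return {pos: first_match(with_implied(EXPLICIT, IMPLIED_ICMP, pos), B, A, "icmp")
            for pos in ("First", "Before Last", "Last")}


if __name__ == "__main__":
    print("explicit only, A->B:", first_match(EXPLICIT, A, B, "icmp"))
    print("explicit only, B->A:", first_match(EXPLICIT, B, A, "icmp"))
    for pos, decision in reverse_ping_decisions().items():
        print(f"Accept ICMP: {pos:<11} B->A ->", decision)
```

With the implied rule at "Last" it sits behind the cleanup rule and is never reached, which is the effect Anders wants; at "Before Last" it lands above the cleanup rule and does take effect, so that setting would silently widen what the explicit ICMP rules allow.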



   All contents © 2004 Network Presence, LLC. All rights reserved.