Re: [FW-1] why there is only one way connection?
> I had a Check Point Firewall-1 4.0 installed in a Sun Box and it is located in our Bangkok branch (the other side of the WAN). I had a problem that I can't solve. From our workstations in Singapore, I can ping to the Firewall in Bangkok, but from the Bangkok firewall, I can not ping to any workstations in Singapore, but it can ping to those workstations in Bangkok. Could you please tell me what could be wrong?

First of all, did you check both Firewall logs, to see whether these ICMP packets show up anywhere?

> 1) If I enable a rule in Firewall source: A, Destination: B, services: (ICMP), Action: Accept, it makes A able to ping to B. Does it mean that the rule also enables B to ping to A?

No. The rule specifically says that the SOURCE must be A. If you ping from B to A, SOURCE = B, and thus your rule will not allow it.

> 2) I saw the properties of FW implied rules; there are things like 1) Last 2) First 3) Before Last. What is the meaning?

This is about where the FW places the implied rules. This is important because FW-1 parses the rule base in the order that you have specified the rules. The first matching rule "wins". If you specify Last, the implied rule will be added at the bottom of the rule base, after the last rule you created. If you specify First, it will be set before rule #1. Before Last means: just before the last rule.

I have chosen to allow certain ICMP packets through specific rules; I don't use the implied rules for that. This allows me to control exactly which ICMP types I want to accept. I added these rules at the top of my rule base (well, high up anyway, but that's not important).

However, someone said that you need to enable the "Accept ICMP" setting in order to have FW-1 do stateful inspection for ICMP. (Which is now said to be working, in the latest versions.) So, in order to both use my own rules and have the "rule 0" stuff on at the same time, I've set "Accept ICMP: Last". This way, the auto rule is all the way at the bottom, behind my "any any drop" rule, and will therefore never come into effect. My own rules, further up, will then make all the decisions for the packets that come in.

Cheers,
Anders :)

===============================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
===============================================
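The two points in the reply above, that a rule is matched on its SOURCE/DESTINATION direction and that the first matching rule in the ordered rule base wins, can be shown with a small first-match evaluator. This is an added illustration written for this page, not Check Point code and not part of the original message; the `Rule`/`Packet` types, the host names `A` and `B`, and the `place_implied` helper that models the First / Before Last / Last placement of an implied rule are all constructed for the example.

```python
"""Toy first-match rule-base evaluator (constructed example, not FireWall-1 code).

Models two things from the thread:
  1. A rule "source A, destination B, ICMP, accept" matches only A->B, never B->A.
  2. Where an implied rule is placed (First / Before Last / Last) decides whether it
     can ever fire once an explicit "any any drop" clean-up rule is present.
"""
from dataclasses import dataclass
from typing import List, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # host name or ANY
    dst: str       # host name or ANY
    service: str   # e.g. "icmp", or ANY
    action: str    # "accept" or "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule field matches when it is ANY or equals the packet field exactly."""
    return all(r == ANY or r == p for r, p in
               ((rule.src, pkt.src), (rule.dst, pkt.dst), (rule.service, pkt.service)))


def evaluate(rulebase: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the rule base top to bottom; the first matching rule wins.

    Returns (action, rule name). If nothing matches, the packet is dropped by the
    implicit default so the result is never 'no decision'.
    """
    for rule in rulebase:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit-drop"


def place_implied(explicit: List[Rule], implied: Rule, position: str) -> List[Rule]:
    """Build the effective rule base with the implied rule at the chosen position
    (assumed model of the First / Before Last / Last setting described in the reply)."""
    if position == "First":
        return [implied] + explicit
    if position == "Before Last":
        return explicit[:-1] + [implied] + explicit[-1:]
    if position == "Last":
        return explicit + [implied]
    raise ValueError(f"unknown position: {position}")


# Constructed rule base: one explicit ping rule plus the usual clean-up rule.
PING_A_TO_B = Rule("allow-A-to-B-icmp", "A", "B", "icmp", "accept")
CLEANUP = Rule("any-any-drop", ANY, ANY, ANY, "drop")
EXPLICIT_RULES = [PING_A_TO_B, CLEANUP]

# Constructed stand-in for the "Accept ICMP" implied rule.
IMPLIED_ICMP = Rule("implied-accept-icmp", ANY, ANY, "icmp", "accept")


def question_1() -> dict:
    """Point 1: the A->B accept rule does not make B->A pass."""
    return {
        "A->B": evaluate(EXPLICIT_RULES, Packet("A", "B", "icmp")),
        "B->A": evaluate(EXPLICIT_RULES, Packet("B", "A", "icmp")),
    }


def question_2(position: str) -> Tuple[str, str]:
    """Point 2: does the implied ICMP rule ever decide a B->A ping at this position?"""
    rulebase = place_implied(EXPLICIT_RULES, IMPLIED_ICMP, position)
    return evaluate(rulebase, Packet("B", "A", "icmp"))


if __name__ == "__main__":
    for direction, result in question_1().items():
        print(f"{direction}: {result}")
    for pos in ("First", "Before Last", "Last"):
        print(f"implied ICMP at {pos}: B->A -> {question_2(pos)}")
```

Running it shows `B->A` hitting `any-any-drop` under the explicit rules, and the implied ICMP rule deciding `B->A` only when placed First or Before Last; at Last it sits behind the clean-up rule and is never reached, which is exactly why the reply sets "Accept ICMP: Last" to keep its own ICMP rules in control while the setting stays enabled.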