Search

	display results
words begin exact words any words part

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FW-1] ICMP and MTU path discovery

To: [email protected]
Subject: Re: [FW-1] ICMP and MTU path discovery
From: Ken Welsh <[email protected]>
Date: Tue, 22 Jan 2002 08:45:54 +1000
Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
Sender: Mailing list for discussion of Firewall-1 <[email protected]>

Create an ICMP Service as follows:

     Name:     fragment-needed (or whatever you want to call it)
     Comment:  (whatever you want)
     Match:    ( icmp, icmp_type=3, icmp_code=4 )

Add in a rule that allows just this service and you should be right.

Regards,

Ken...





                    Lupinum Lupus <[email protected]>
                    Sent by: Mailing list for discussion        To:     [email protected]
                    of Firewall-1                               cc:
                    <[email protected]        Subject:     [FW-1] ICMP and MTU path discovery
                    point.com>


                    21/01/2002 20:35
                    Please respond to Mailing list for
                    discussion of Firewall-1






Hello there,

I have a question about what ICMP types to let through the FW. To let hosts
from outside find out the MTU for a connection through our FW we have to
let some ICMP services pass through. especialy ICMP type 3, code 4
(Fragmentation needed but DON'T FRAGMENT bit set). This one is needed to
let a host know it has to make his MTU size smaller for this connection.

In FW-1 4.1 the "ICMP-DEST-UNREACHABLE" service is defined. Am I correct in
assuming that this includes every type 3 icmp packet? including:
3               Destination unreachable.
3       0       Net unreachable.
3       1       Host unreachable.
3       2       Protocol unreachable.
3       3       Port unreachable.
3       4       Fragmentation needed and DF set.
3       5       Source route failed.

If this is the case then:
can I define a service for ICMP type3, code4 separatly?

Is there any harm in letting every code of type 3 through?

Thanks in advance,

Lupinum, Netherlands

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================

Follow-Ups:
- Re: [FW-1] ICMP and MTU path discovery
  - From: Tim Jones <[email protected]>

Prev by Date: Re: [FW-1] D-Link DFE-570TX Quad Channel Card
Next by Date: Re: [FW-1] IDS and Hot Standby
Previous by thread: Re: [FW-1] ICMP and MTU path discovery
Next by thread: Re: [FW-1] ICMP and MTU path discovery
Index(es):
- Date
- Thread