Re: [FW-1] ICMP and MTU path discovery
If you have a rule that says 'any firewall any drop "no logging"' then you achieve stealth ;0)

-----Original Message-----
From: Mailing list for discussion of Firewall-1 [mailto:[email protected]] On Behalf Of Tim Jones
Sent: Wednesday, January 23, 2002 5:26 PM
To: [email protected]
Subject: Re: [FW-1] ICMP and MTU path discovery

On a somewhat-related note, I'm wondering what the easiest way is to prevent FW-1 from sending out "UDP Port Unreachable" messages for traffic destined to the firewall itself. Makes port scanning pretty easy for an attacker. Is this something I'd have to add a rule for, or is there a checkbox somewhere? The firewall doesn't seem to send TCP resets when connection attempts are made to closed ports, so I'm a bit confused as to why the same "make the firewall as invisible as possible" philosophy isn't being done with UDP as well.

Tim

--- Ken Welsh <[email protected]> wrote:
> Create an ICMP Service as follows:
>
> Name: fragment-needed (or whatever you want to call it)
> Comment: (whatever you want)
> Match: ( icmp, icmp_type=3, icmp_code=4 )
>
> Add in a rule that allows just this service and you should be right.
>
> Regards,
>
> Ken...
>
> Lupinum Lupus <[email protected]>
> Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
> 21/01/2002 20:35
> Please respond to Mailing list for discussion of Firewall-1
> To: [email protected]
> cc:
> Subject: [FW-1] ICMP and MTU path discovery
>
> Hello there,
>
> I have a question about what ICMP types to let through the FW. To let hosts from outside find out the MTU for a connection through our FW we have to let some ICMP services pass through, especially ICMP type 3, code 4 (Fragmentation needed but DON'T FRAGMENT bit set). This one is needed to let a host know it has to make its MTU size smaller for this connection.
>
> In FW-1 4.1 the "ICMP-DEST-UNREACHABLE" service is defined. Am I correct in assuming that this includes every type 3 ICMP packet? Including:
>
> 3 Destination unreachable.
> 3 0 Net unreachable.
> 3 1 Host unreachable.
> 3 2 Protocol unreachable.
> 3 3 Port unreachable.
> 3 4 Fragmentation needed and DF set.
> 3 5 Source route failed.
>
> If this is the case then: can I define a service for ICMP type 3, code 4 separately?
>
> Is there any harm in letting every code of type 3 through?
>
> Thanks in advance,
>
> Lupinum, Netherlands

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected]
in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
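The service Ken describes, Match: ( icmp, icmp_type=3, icmp_code=4 ), next to the full list of type 3 codes Lupinum asks about, worked through as an added Python example that is not part of this thread: it assembles ICMP destination-unreachable messages over a constructed quoted datagram, decodes them (type, code, checksum, the next-hop MTU that code 4 carries per RFC 1191, and the quoted IP header) and applies the fragment-needed-only match so that a code 3 "port unreachable" is not passed by it. The function names, the sample addresses 192.0.2.10 and 198.51.100.7 and the MTU value 1400 are my own assumptions.

```python
import struct

ICMP_DEST_UNREACH = 3   # ICMP type 3, "Destination Unreachable"
CODE_FRAG_NEEDED = 4    # code 4, "Fragmentation needed and DF set"; header carries the next-hop MTU (RFC 1191)

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a packet whose checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(itype: int, code: int, payload: bytes, mtu: int = 0) -> bytes:
    """Assemble an ICMP message: 8-byte header (type, code, checksum, unused, next-hop MTU) + quoted datagram."""
    hdr = struct.pack("!BBHHH", itype, code, 0, 0, mtu) + payload
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr)) + hdr[4:]

def parse_dest_unreachable(pkt: bytes) -> dict:
    """Decode an ICMP message; for type 3 also return the next-hop MTU (code 4 only) and the quoted IP header."""
    if len(pkt) < 8:
        raise ValueError("ICMP header truncated")
    if icmp_checksum(pkt) != 0:
        raise ValueError("bad ICMP checksum")
    itype, code, _csum, _unused, mtu = struct.unpack("!BBHHH", pkt[:8])
    info = {"type": itype, "code": code, "next_hop_mtu": None, "orig": None}
    if itype == ICMP_DEST_UNREACH:
        if code == CODE_FRAG_NEEDED:
            info["next_hop_mtu"] = mtu
        inner = pkt[8:]
        if len(inner) >= 20 and inner[0] >> 4 == 4:   # quoted IPv4 header of the datagram that was dropped
            info["orig"] = {"proto": inner[9],
                            "src": ".".join(map(str, inner[12:16])),
                            "dst": ".".join(map(str, inner[16:20]))}
    return info

def fragment_needed_service(pkt: bytes) -> bool:
    """The FW-1 service from the thread, Match: ( icmp, icmp_type=3, icmp_code=4 ), applied to one packet."""
    try:
        info = parse_dest_unreachable(pkt)
    except ValueError:
        return False   # malformed or corrupted messages never match
    return info["type"] == ICMP_DEST_UNREACH and info["code"] == CODE_FRAG_NEEDED

# Constructed sample (assumed values): IPv4 header with DF set, proto 6/TCP, 192.0.2.10 -> 198.51.100.7, + 8 TCP bytes
QUOTED_DATAGRAM = bytes([0x45, 0x00, 0x05, 0xDC, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
                         192, 0, 2, 10, 198, 51, 100, 7,
                         0x04, 0xD2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01])
FRAG_NEEDED_PKT = build_icmp(ICMP_DEST_UNREACH, CODE_FRAG_NEEDED, QUOTED_DATAGRAM, mtu=1400)
PORT_UNREACH_PKT = build_icmp(ICMP_DEST_UNREACH, 3, QUOTED_DATAGRAM)   # code 3: port unreachable, not matched

if __name__ == "__main__":
    print(fragment_needed_service(FRAG_NEEDED_PKT), fragment_needed_service(PORT_UNREACH_PKT))   # True False
```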