[FW-1] ICMP type 5 dropped
Hello,

We are having a strange problem with ICMP redirect messages (Type 5). Our firewall is dropping them for certain routes (10.x.x.x subnets), but not for others. The 10.x.x.x subnets are across a router that is on the same subnet as the fw's internal interface. The fw has a route:

    10.8.0.0 mask 255.255.0.0 <router>

(yes it is Win2k)

The FW is NG FP1, running on Windows 2000 SP2.

In the policy properties, under "Stateful Inspection", both "Accept stateful ICMP replies" and "Accept stateful ICMP errors" are enabled. In the "Implied Rules" section, we have "Accept ICMP First" set. In the rulebase, we have the rule

    <fw object>-Any-Any-Accept

and yet, when a system on the internal network attempts to ping the 10.8/16 network, the ICMP redirect is dropped with the message "ICMP-type 5 ICMP-Code 1 message_info ICMP packet out of state".

The strange thing is, redirects to another subnet (130.1.1/24) appear to be working properly. And type 5 messages are the only ones being dropped as "out of state".

Are we overlooking something? Does NG handle these reserved private subnet numbers differently?

Thanks,

Jeff Martin
Security Administrator
PMA Re Management Co