
[FW-1] ICMP type 5 dropped



Hello,

We are having a strange problem with ICMP redirect messages (Type 5). Our
firewall is dropping them for certain routes (10.x.x.x subnets), but not for
others.

The 10.x.x.x subnets are across a router that is on the same subnet as the
fw's internal interface. The fw has a route:

10.8.0.0 mask 255.255.0.0 <router> (yes it is Win2k)

The FW is NG FP1, running on Windows 2000 SP2.

In the policy properties, under "Stateful Inspection", both "Accept stateful
ICMP replies" and "Accept stateful ICMP errors" are enabled. In the "Implied
Rules" section, we have "Accept ICMP First" set.

In the rulebase, we have the rule

<fw object>-Any-Any-Accept

and yet, when a system on the internal network attempts to ping the 10.8/16
network, the ICMP redirect is dropped with the message "ICMP-type 5
ICMP-Code 1 message_info ICMP packet out of state"

The strange thing is, redirects to another subnet (130.1.1/24) appear to be
working properly. And type 5 messages are the only ones being dropped as "out
of state".

Are we overlooking something? Does NG handle these reserved private subnet
numbers differently?

Thanks,

Jeff Martin

Security Administrator

PMA Re Management Co
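
For reading such a drop in a packet capture, an added example (not part of the original post and not Check Point code): a decoder for the ICMP redirect the log line names, type 5 code 1, following RFC 792, which shows the new gateway and the quoted original packet the redirect refers to. The addresses 192.168.1.50 and 192.168.1.254 are constructed, and 10.8.0.5 is a constructed host inside the post's 10.8.0.0/16 route.

```python
import ipaddress
import struct

# RFC 792 redirect codes
REDIRECT_CODES = {0: "network", 1: "host", 2: "TOS and network", 3: "TOS and host"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 over a valid ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_redirect(icmp: bytes) -> dict:
    """Decode an ICMP redirect: code, new gateway, and the quoted original packet."""
    if len(icmp) < 36:  # 8 ICMP + 20 IP header + 8 bytes of original payload
        raise ValueError("truncated redirect")
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != 5:
        raise ValueError(f"not a redirect (type {icmp_type})")
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        raise ValueError("malformed quoted IP header")
    return {
        "code": code,
        "code_name": REDIRECT_CODES.get(code, "unknown"),
        "gateway": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
    }

def build_sample() -> bytes:
    """Constructed redirect pointing a host at 192.168.1.254 for 10.8.0.5."""
    src = ipaddress.IPv4Address("192.168.1.50").packed   # constructed inside host
    dst = ipaddress.IPv4Address("10.8.0.5").packed       # host in the 10.8/16 route
    gw = ipaddress.IPv4Address("192.168.1.254").packed   # constructed router address
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 128, 1, 0, src, dst)
    quoted += struct.pack("!BBHHH", 8, 0, 0, 1, 1)       # echo request, checksum left 0
    body = struct.pack("!BBH4s", 5, 1, 0, gw) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

if __name__ == "__main__":
    print(parse_redirect(build_sample()))
```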




 
   All contents © 2004 Network Presence, LLC. All rights reserved.