Re: [FW-1] ICMP type 5 dropped



> We are having a strange problem with ICMP redirect messages (Type 5). Our
> firewall is dropping them for certain routes (10.x.x.x subnets), but not for
> others.
ICMP redirects are an error code, and not a utility for building a
network. They are there to work around temporary problems, and to let you
know that something is not configured right.

There are three ways to handle this sort of problem:

1. Add a specific route for the network in question through your internal
router on each of the systems affected. Yes, actually add a route on every
system on your internal network through the internal router for the
affected network. This can be done via logon scripts or manually.

2. Add an internal router that routes between the internal networks and the
firewall.

3. Move the existing router to a spare interface on the firewall and let the
firewall route traffic.

ICMP is not the way to solve this problem.

-Don

> The 10.x.x.x subnets are across a router that is on the same subnet as the
> fw's internal interface. The fw has a route:
>
> 10.8.0.0 mask 255.255.0.0 <router> (yes it is Win2k)
>
> The FW is NG FP1, running on Windows 2000 SP2.
>
> In the policy properties, under "Stateful Inspection", both "Accept stateful
> ICMP replies" and "Accept stateful ICMP errors" are enabled. In the "Implied
> Rules" section, we have "Accept ICMP First" set.
>
> In the rulebase, we have the rule
>
> <fw object>-Any-Any-Accept
>
> and yet, when a system on the internal network attempts to ping the 10.8/16
> network, the ICMP redirect is dropped with the message "ICMP-type 5
> ICMP-Code 1 message_info ICMP packet out of state"
>
> The strange thing is, redirects to another subnet (130.1.1/24) appear to be
> working properly. And type 5 messages are the only ones being dropped as "out
> of state".
>
> Are we overlooking something? Does NG handle these reserved private subnet
> numbers differently?
>
> Thanks,
>
> Jeff Martin
>
> Security Administrator
>
> PMA Re Management Co
>

=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
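Added example (not part of the thread, and not Check Point code): Don's point that a redirect is an ICMP error, and the "ICMP packet out of state" log line Jeff quotes, both come down to the same thing. Per RFC 792 a Type 5 message carries the new gateway address plus the IP header and first 8 bytes of the datagram that provoked it, and a stateful firewall can only accept the error if that embedded header matches a connection it has already recorded. The script below builds an echo request and a Type 5 Code 1 (redirect for host) error for it, parses the embedded header back out, and runs it against a toy flow table that mimics the "accept stateful ICMP errors" decision. All addresses, the ident value and the flow-table logic are constructed for illustration and are not taken from the list post or from any vendor implementation.

```python
import struct
import ipaddress

ICMP_REDIRECT = 5       # RFC 792 type for Redirect
ICMP_ECHO_REQUEST = 8
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; verifying a valid message yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_echo_request(ident: int, seq: int, data: bytes = b"abcdefgh") -> bytes:
    hdr = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, checksum(hdr + data), ident, seq) + data


def build_redirect(gateway: str, orig_ip_header: bytes, orig_payload: bytes, code: int = 1) -> bytes:
    """Type 5 redirect: type, code, checksum, gateway, then original IP header + 8 bytes."""
    body = orig_ip_header + orig_payload[:8]
    gw = ipaddress.IPv4Address(gateway).packed
    hdr = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0, gw)
    return struct.pack("!BBH4s", ICMP_REDIRECT, code, checksum(hdr + body), gw) + body


def parse_redirect(icmp: bytes) -> dict:
    """Extract gateway and the embedded original datagram's 5-tuple material."""
    typ, code, _csum, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % typ)
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4           # embedded header length in bytes
    return {
        "code": code,
        "gateway": str(ipaddress.IPv4Address(gw)),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "orig_proto": inner[9],
        "orig_l4": inner[ihl:ihl + 8],    # first 8 bytes of the original transport data
    }


def flow_key_from_error(info: dict):
    """Derive the same key the firewall stored when it saw the original packet."""
    l4 = info["orig_l4"]
    if info["orig_proto"] == PROTO_ICMP:
        ident = struct.unpack("!H", l4[4:6])[0]       # echo identifier
        return (info["orig_src"], info["orig_dst"], PROTO_ICMP, ident)
    if info["orig_proto"] in (PROTO_TCP, PROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return (info["orig_src"], info["orig_dst"], info["orig_proto"], (sport, dport))
    return (info["orig_src"], info["orig_dst"], info["orig_proto"], None)


class FlowTable:
    """Toy stateful table: records outbound flows, judges ICMP errors against them."""

    def __init__(self):
        self.flows = set()

    def record_echo(self, src: str, dst: str, ident: int) -> None:
        self.flows.add((src, dst, PROTO_ICMP, ident))

    def classify_error(self, pkt_dst: str, icmp: bytes) -> str:
        if checksum(icmp) != 0:
            return "drop: bad ICMP checksum"
        info = parse_redirect(icmp)
        if pkt_dst != info["orig_src"]:
            return "drop: error not addressed to the original sender"
        if flow_key_from_error(info) in self.flows:
            return "accept"
        return "drop: ICMP packet out of state"


if __name__ == "__main__":
    # Constructed scenario: host pings a 10.8/16 address via its default gateway,
    # which answers with a Type 5 Code 1 redirect pointing at the internal router.
    echo = build_echo_request(0x1234, 1)
    ip_hdr = build_ipv4_header("192.168.1.10", "10.8.1.1", PROTO_ICMP, len(echo))
    fw = FlowTable()
    fw.record_echo("192.168.1.10", "10.8.1.1", 0x1234)
    redirect = build_redirect("192.168.1.254", ip_hdr, echo, code=1)
    print(parse_redirect(redirect))
    print(fw.classify_error("192.168.1.10", redirect))
```

The point of the toy table is the lookup: the firewall does not match the redirect on its own addresses but on the 5-tuple it recovers from the embedded header, so the error is only "in state" if the original echo (same source, destination and identifier) was recorded in the first place and the error is delivered back to that source.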
   All contents © 2004 Network Presence, LLC. All rights reserved.