Re: [FW-1] "Accept ICMP"
Quick and dirty,

- Yes, you can replace the "Accept ICMP" with manually-defined rules, and it will work the same way. The FW doesn't care. Just make sure that in terms of ordering your rules you use the same reasoning/methodologies that you do for, well, any other rules you want to actually work. :)

- Destination Unreachable, Time Exceeded, and Echo Reply, along with the other specific codes/types, can be individually included or excluded as services, just like anything else.

As far as what you should/shouldn't enable, that's largely a matter of the situation you're in and using your best judgment. I would prefer to have ICMP off all the time, period. But it makes certain kinds of troubleshooting a royal pain. :)

-----Original Message-----
From: Steve Loughran [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 2:12 AM
To: [email protected]
Subject: [FW-1] "Accept ICMP"

Hi all

FW-1 v4.1

Under the policy editor menu: Policy -> Properties

There is an option for "Accept ICMP". If I leave it enabled (First or Before Last), then anyone can still ping the firewall. If I set the option to Last, then the last `drop everything` rule will stop this (which means it is a bit pointless having a `Last` option).

If I totally disable "Accept ICMP", what rules would I need to add to the FW to allow ICMP for things like destination unreachable, time exceeded messages and echo reply to work? Are there any other ICMP messages I should allow inbound to the firewall? And will FW-1 forward on these ICMP messages to the correct internal host if I disable "Accept ICMP" but add the correct rule for the allowed ICMP messages?

Any help would be greatly appreciated.

--
Steve

-------------------------------------------------
Steve Loughran, Network Infrastructure Manager
Sony Computer Entertainment Europe (Cambridge)
Home Page -> http://sl.scee.sony.co.uk/
Yamaha YZF1000R Thunderace
ICQ#: 12666311 (Work), 104426046 (Laptop)
Team Waste - Where do you want to go wrong today?
=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
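Added example, not part of the original thread and not Check Point code: a simplified first-match model of the rule ordering discussed above, showing where the implied "Accept ICMP" rule lands for First, Before Last and Last, and how manually defined rules for specific ICMP types behave once the property is disabled. The rule dictionaries, function names and the first-match evaluation are assumptions made for illustration; the ICMP type numbers are the standard ones.

```python
# Simplified first-match rule model (assumption: illustrative only, not FW-1's engine).
ICMP_TYPES = {"echo-reply": 0, "dest-unreach": 3, "echo-request": 8, "time-exceeded": 11}

# Hypothetical rule records: types=None means "any ICMP type".
IMPLIED_ICMP = {"name": "implied Accept ICMP", "proto": "icmp", "types": None, "action": "accept"}
DROP_ALL = {"name": "drop everything", "proto": "any", "types": None, "action": "drop"}
MANUAL_ICMP = {"name": "manual ICMP replies", "proto": "icmp",
               "types": {0, 3, 11}, "action": "accept"}  # echo reply, unreachable, time exceeded


def build_rulebase(explicit, accept_icmp=None):
    """Place the implied rule at 'first', 'before_last' or 'last'; None disables it."""
    rules = list(explicit)
    if accept_icmp == "first":
        rules.insert(0, IMPLIED_ICMP)
    elif accept_icmp == "before_last":
        rules.insert(max(len(rules) - 1, 0), IMPLIED_ICMP)
    elif accept_icmp == "last":
        rules.append(IMPLIED_ICMP)
    return rules


def evaluate(rules, packet):
    """Return (action, rule name) of the first rule matching the packet."""
    for rule in rules:
        if rule["proto"] not in ("any", packet["proto"]):
            continue
        if rule["types"] is not None and packet.get("icmp_type") not in rule["types"]:
            continue
        return rule["action"], rule["name"]
    return "drop", "no rule matched"


def verdict(explicit, accept_icmp, type_name):
    """Action taken on an ICMP packet of the named type (constructed sample packet)."""
    packet = {"proto": "icmp", "icmp_type": ICMP_TYPES[type_name]}
    return evaluate(build_rulebase(explicit, accept_icmp), packet)[0]


if __name__ == "__main__":
    for position in ("first", "before_last", "last"):
        print(position, "-> ping:", verdict([DROP_ALL], position, "echo-request"))
    for name in ICMP_TYPES:
        print("disabled + manual rule,", name, "->", verdict([MANUAL_ICMP, DROP_ALL], None, name))
```
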