Quick and dirty,
- Yes, you can replace the "Accept ICMP" with manually-defined rules, and it
will work the same way. The FW doesn't care. Just make sure that in terms
of ordering your rules you use the same reasoning/methodologies that you do
for, well, any other rules you want to actually work. :)
- Destination Unreachable, Time Exceeded, and Echo Reply, along with the
other specific codes/types, can be individually included or excluded as
services, just like anything else.
As far as what you should/shouldn't enable, that's largely a matter of the
situation you're in and using your best judgment. I would prefer to have
ICMP off all the time, period. But it makes certain kinds of
troubleshooting a royal pain. :)
-----Original Message-----
From: Steve Loughran [mailto:[email protected]]
Sent: Wednesday, June 12, 2002 2:12 AM
To: [email protected]
Subject: [FW-1] "Accept ICMP"
Hi all
FW-1 v4.1
Under the policy editor menu:
Policy -> Properties
There is an option for "Accept ICMP". If I leave it enabled (First or Before
Last), then anyone can still ping the firewall. If I set the option to Last,
then the last `drop everything` rule will stop this (which means it is a bit
pointless having a `Last` option).
If I totally disable "Accept ICMP", what rules would I need to add to the FW
to allow ICMP for things like destination unreachable, time exceeded
messages and echo reply to work? Are there any other ICMP messages I should
allow inbound to the firewall? And will FW-1 forward on these ICMP messages
to the correct internal host if I disable "Accept ICMP" but add the correct
rule for the allowed ICMP messages?
Any help would be greatly appreciated.
--
Steve
-------------------------------------------------
Steve Loughran, Network Infrastructure Manager
Sony Computer Entertainment Europe (Cambridge)
Home Page -> http://sl.scee.sony.co.uk/
Yamaha YZF1000R Thunderace
ICQ#: 12666311 (Work), 104426046 (Laptop)
Team Waste - Where do you want to go wrong today?
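The two points made in the reply above, that the implied "Accept ICMP" rule is subject to ordinary first-match ordering (so "Last" sits behind the cleanup rule) and that the individual ICMP types can be listed as explicit services instead, illustrated with an added toy rule-base evaluator. This is constructed example code, not Check Point FW-1 code and not from either poster; the object names (fw-gateway, internal-host, external-host) and rule names are hypothetical.

```python
"""Toy first-match firewall policy evaluator.

Constructed example, not Check Point FW-1 code: it models how an implied
"Accept ICMP" rule behaves at each placement (First / Before Last / Last)
relative to an explicit rule base that ends in a drop-everything cleanup
rule, and how explicit per-type ICMP services replace the implied rule.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IANA ICMP type numbers for the messages discussed in the thread
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
ICMP_ECHO_REQUEST = 8
ICMP_TIME_EXCEEDED = 11

ANY = "any"
FIREWALL = "fw-gateway"        # hypothetical name for the firewall object
INTERNAL = "internal-host"     # hypothetical internal host object
EXTERNAL = "external-host"     # hypothetical Internet host object


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str                 # "icmp", "tcp", ... or ANY
    icmp_type: Optional[int]   # None = any ICMP type (the implied rule)
    action: str                # "accept" or "drop"
    name: str

    def matches(self, pkt: dict) -> bool:
        return (self.src in (ANY, pkt["src"])
                and self.dst in (ANY, pkt["dst"])
                and self.proto in (ANY, pkt["proto"])
                and (self.icmp_type is None
                     or self.icmp_type == pkt.get("icmp_type")))


def evaluate(policy: List[Rule], pkt: dict) -> Tuple[str, str]:
    """First matching rule wins; no match at all means drop."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "implicit-drop"


# Explicit rule base: one business rule, then the usual cleanup rule.
EXPLICIT_BASE = [
    Rule(INTERNAL, ANY, "tcp", None, "accept", "internal-outbound-tcp"),
    Rule(ANY, ANY, ANY, None, "drop", "cleanup"),
]

# The implied rule the "Accept ICMP" property adds: any ICMP, any type.
ACCEPT_ICMP = Rule(ANY, ANY, "icmp", None, "accept", "implied-accept-icmp")


def place_implied(base: List[Rule], implied: Rule, position: str) -> List[Rule]:
    """Emulate the First / Before Last / Last placement of an implied rule."""
    if position == "first":
        return [implied] + base
    if position == "before_last":
        return base[:-1] + [implied] + base[-1:]
    if position == "last":
        return base + [implied]
    raise ValueError(f"unknown placement: {position}")


def explicit_icmp_base() -> List[Rule]:
    """Replace the implied rule with the three services named in the thread,
    placed ahead of the cleanup rule like any other rule that should work."""
    icmp_rules = [
        Rule(ANY, ANY, "icmp", ICMP_ECHO_REPLY, "accept", "allow-echo-reply"),
        Rule(ANY, ANY, "icmp", ICMP_DEST_UNREACHABLE, "accept", "allow-dest-unreach"),
        Rule(ANY, ANY, "icmp", ICMP_TIME_EXCEEDED, "accept", "allow-time-exceeded"),
    ]
    return EXPLICIT_BASE[:-1] + icmp_rules + EXPLICIT_BASE[-1:]


# Constructed sample packets
PING_FIREWALL = {"src": EXTERNAL, "dst": FIREWALL, "proto": "icmp",
                 "icmp_type": ICMP_ECHO_REQUEST}
REPLY_TO_INTERNAL = {"src": EXTERNAL, "dst": INTERNAL, "proto": "icmp",
                     "icmp_type": ICMP_ECHO_REPLY}
TTL_EXPIRED = {"src": EXTERNAL, "dst": INTERNAL, "proto": "icmp",
               "icmp_type": ICMP_TIME_EXCEEDED}


if __name__ == "__main__":
    for pos in ("first", "before_last", "last"):
        policy = place_implied(EXPLICIT_BASE, ACCEPT_ICMP, pos)
        print(f"Accept ICMP = {pos:12s} ping firewall ->", evaluate(policy, PING_FIREWALL))
    for pkt in (PING_FIREWALL, REPLY_TO_INTERNAL, TTL_EXPIRED):
        print(f"explicit rules, ICMP type {pkt['icmp_type']:2d} ->",
              evaluate(explicit_icmp_base(), pkt))
```

Running it shows the behaviour the reply describes: with the implied rule at First or Before Last the echo request to the firewall is accepted, at Last the cleanup rule catches it first, and with the implied rule removed and only the three types listed as explicit services, an inbound echo request is dropped while echo reply and time exceeded still pass. In a real rule base the source and destination objects would be scoped rather than left at any; ANY is used here only to keep the ordering effect visible.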
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================