RE: [FW1] ICMP Stateful or NOT ?
I wanted to add one more thing.... with 17+ different types of ICMP out there, I want to make sure I only allow what I want.... you don't need to allow ALL ICMP. (probably shouldn't)

Jon

Date: Wed, 10 Jan 2001 11:47:07 -0500
From: "Gaughan, Daniel" <[email protected]>
Subject: RE: [FW1] ICMP Stateful or NOT ?

That is good information. It kind of bridges the statefulness with allowing only specific ICMP. I will have to try it out to see if it works.

Thanks,
Daniel Gaughan

-----Original Message-----
From: Byoung Sun Yu [mailto:[email protected]]
Sent: Wednesday, January 10, 2001 11:43 AM
To: Gaughan, Daniel; 'Carl E. Mankinen'; [email protected]
Subject: RE: [FW1] ICMP Stateful or NOT ?

Thanks for the information. I agree that allowing all ICMP is not pleasant. However, there is a kind of limited tweak you can do that I once heard. I didn't have a chance to test this and don't know for sure it'll work or not. But it has a chance.

Turn on Accept ICMP on the properties and set it to Last (in other words, after the clean up rule). Then have a rule to allow outgoing ICMP. Then incoming ICMP-reply will not be allowed unless an echo request went out within the past minute.

Does this make sense? If you can generate echo reply with some tool, you can see if it works or not. I couldn't do that part. But the person who suggested this as a better solution claims that it works.

Finally, this is all from my old memory so it might be slightly incorrect in some part. Sorry for that.

Thanks,
Sun Yu, CISSP
Lucent Worldwide Services
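
The behaviour discussed in this thread (an inbound echo reply passes only if a matching echo request left within the last minute, and only chosen ICMP types are allowed) can be modelled as below. This is an added example, not part of the original messages and not Check Point's implementation; the class name, the allowlist, the addresses and the packets are constructed for illustration, and NAT is not modelled.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
OUTBOUND_ALLOWED = {ECHO_REQUEST}   # assumed allowlist: not "ALL ICMP"
STATE_TTL = 60.0                    # the one-minute window from the thread

def parse(icmp):
    """Return (type, ident, seq) from the 8-byte ICMP echo header."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return icmp_type, ident, seq

def echo(icmp_type, ident, seq):
    """Build a constructed echo header (checksum left at zero for the demo)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)

class IcmpStateTable:
    """Hypothetical model of stateful echo tracking at a perimeter."""

    def __init__(self, ttl=STATE_TTL):
        self.ttl = ttl
        self.pending = {}   # (inside, outside, ident, seq) -> expiry time

    def outbound(self, src, dst, icmp, now):
        icmp_type, ident, seq = parse(icmp)
        if icmp_type not in OUTBOUND_ALLOWED:
            return "drop"
        self.pending[(src, dst, ident, seq)] = now + self.ttl
        return "accept"

    def inbound(self, src, dst, icmp, now):
        icmp_type, ident, seq = parse(icmp)
        if icmp_type != ECHO_REPLY:
            return "drop"   # every other inbound type is refused in this model
        # A reply must mirror a recorded request: addresses swapped,
        # same identifier and sequence number. pop() makes it single-use.
        expiry = self.pending.pop((dst, src, ident, seq), None)
        if expiry is None or now > expiry:
            return "drop"   # unsolicited, replayed, or older than the window
        return "accept"

if __name__ == "__main__":
    fw = IcmpStateTable()
    inside, outside = "10.0.0.5", "198.51.100.7"   # constructed addresses
    reply = echo(ECHO_REPLY, 0x1234, 1)
    print(fw.inbound(outside, inside, reply, 0.0))
    print(fw.outbound(inside, outside, echo(ECHO_REQUEST, 0x1234, 1), 1.0))
    print(fw.inbound(outside, inside, reply, 5.0))
```
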