
Re: RE: [FW1] ICMP Stateful or NOT ?



In 4.1 SP3 there is no ICMP group, and to the best of my memory there
never has been, going back to 3.0b. I vaguely remember 2.5 and never
saw 1.1.

If you "turn on" ICMP in Policy Properties your rule looks like:

any any ICMP accept

Unfortunately, with an implied pseudo-rule there is no way to discriminate
"which" ICMP service you are allowing through, right? (Unless you start
hacking the Objects.c file.)

If you look into the objects.c file you will see that when you turn on ALLOW
ICMP, you are letting 13 types of ICMP pass right on through your FW.
That is why it is now turned off by default, as of 4.1.

ICMP proto has the match entry set to "1":
  : (icmp-proto
   :type (icmp)
   :exp (1)
   :inexp ()
   :outexp ()
   :prolog ()
   :comments ()
   :color ("Dark Orchid")
  )
  : (echo-reply
   :type (Icmp)
   :exp ("icmp_type=ICMP_ECHOREPLY")
   :color ("Dark Orchid")
  )
  : (dest-unreach
   :type (Icmp)
   :exp ("icmp_type=ICMP_UNREACH")
   :color ("Dark Orchid")
  )
  : (redirect
   :type (Icmp)
   :exp ("icmp_type=ICMP_REDIRECT")
   :color ("Dark Orchid")
  )
  : (echo-request
   :type (Icmp)
   :exp ("icmp_type=ICMP_ECHO")
   :color ("Dark Orchid")
  )
  : (source-quench
   :type (Icmp)
   :exp ("icmp_type=ICMP_SOURCEQUENCH")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (time-exceeded
   :type (Icmp)
   :exp ("icmp_type=ICMP_TIMXCEED")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (param-prblm
   :type (Icmp)
   :exp ("icmp_type=ICMP_PARAMPROB")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (timestamp
   :type (Icmp)
   :exp ("icmp_type=ICMP_TSTAMP")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (timestamp-reply
   :type (Icmp)
   :exp ("icmp_type=ICMP_TSTAMPREPLY")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (info-req
   :type (Icmp)
   :exp ("icmp_type=ICMP_IREQ")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (info-reply
   :type (Icmp)
   :exp ("icmp_type=ICMP_IREQREPLY")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (mask-request
   :type (Icmp)
   :exp ("icmp_type=ICMP_MASKREQ")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )
  : (mask-reply
   :type (Icmp)
   :exp ("icmp_type=ICMP_MASKREPLY")
   :color ("Dark Orchid")
   :show_in_menus (false)
  )

Jon

----- Original Message -----
From: "Anders Reed Mohn" <[email protected]>
To: <[email protected]>
Sent: Thursday, January 11, 2001 5:59 AM
Subject: Re: RE: [FW1] ICMP Stateful or NOT ?


Yeah, but turning on "Allow ICMP" in FW-1 does not allow _all_ ICMP,
if that's what you're worried about.

In fact, the allowed services are grouped (I think) as ICMP_proto,
which is probably the most useless object in the FW, as it only
allows a couple of ICMP types (I don't remember the exact ones,
but they are listed in the archives for this list, about three months back).
As far as I remember, it does not allow the dest. unreachable or
time_exceeded, which are quite necessary for making such things
as PING or TRACEROUTE work.

Thus you need your own rules to make them go through ..

Anders :)


>>> "Jon Vandiveer" <[email protected]> 10.01.01 20:58 >>>

I wanted to add one more thing: with 17+ different types of ICMP out
there, I want to make sure I only allow what I want. You don't need to
allow ALL ICMP (and probably shouldn't).

Jon


Date: Wed, 10 Jan 2001 11:47:07 -0500
From: "Gaughan, Daniel" <[email protected]>
Subject: RE: [FW1] ICMP Stateful or NOT ?

That is good information. It kind of bridges the statefulness with allowing
only specific ICMP. I will have to try it out to see if it works.

Thanks,
Daniel Gaughan

-----Original Message-----
From: Byoung Sun Yu [mailto:[email protected]]
Sent: Wednesday, January 10, 2001 11:43 AM
To: Gaughan, Daniel; 'Carl E. Mankinen';
[email protected]
Subject: RE: [FW1] ICMP Stateful or NOT ?


Thanks for the information.
I agree that allowing all ICMP is not pleasant. However, there is a kind of
limited tweak you can do that I once heard of. I didn't have a chance to test
this and don't know for sure whether it'll work or not. But it has a chance.

Turn on Accept ICMP in the properties and set it to Last (in other words,
after the clean-up rule).
Then have a rule to allow outgoing ICMP. Then an incoming ICMP reply will not
be allowed unless an echo request went out within the past minute.
Does this make sense? If you can generate an echo reply with some tool, you can
see if it works or not. I couldn't do that part. But whoever suggested this as
the better solution claims that it works.

Finally, this is all from my old memory so it might be slightly incorrect in
some part. Sorry for that.

Thanks,

Sun Yu, CISSP
Lucent Worldwide Services
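The two ideas in this thread side by side, as an added Python example that is not part of the original messages and not FW-1 code: the 13-type ICMP group that the implied "Accept ICMP" rule passes in either direction (Jon's objects.C listing above), and Sun Yu's tweak of letting an inbound reply through only when a matching echo request went out within the last minute. The example does not reproduce how the FW-1 inspection engine matches packets; the numeric types are the RFC 792 values behind the symbolic names in the listing, the addresses, identifiers and timestamps are constructed, and `Icmp`, `implied_rule` and `StatefulIcmpFilter` are names chosen here for illustration.

```python
"""Implied 'Accept ICMP' versus a stateful ICMP filter (added example, not FW-1 code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 792 type numbers for the symbolic names in the objects.C listing.
# These 13 types are what the implied "Accept ICMP" rule lets through.
ICMP_TYPES: Dict[str, int] = {
    "ICMP_ECHOREPLY": 0, "ICMP_UNREACH": 3, "ICMP_SOURCEQUENCH": 4,
    "ICMP_REDIRECT": 5, "ICMP_ECHO": 8, "ICMP_TIMXCEED": 11,
    "ICMP_PARAMPROB": 12, "ICMP_TSTAMP": 13, "ICMP_TSTAMPREPLY": 14,
    "ICMP_IREQ": 15, "ICMP_IREQREPLY": 16, "ICMP_MASKREQ": 17,
    "ICMP_MASKREPLY": 18,
}
ECHO, ECHOREPLY = ICMP_TYPES["ICMP_ECHO"], ICMP_TYPES["ICMP_ECHOREPLY"]
# Error messages that quote the datagram which triggered them.
ERROR_TYPES = {ICMP_TYPES[n] for n in ("ICMP_UNREACH", "ICMP_TIMXCEED", "ICMP_PARAMPROB")}

FlowKey = Tuple[str, str, int, int]  # (src, dst, echo identifier, sequence)


@dataclass
class Icmp:
    """One ICMP packet reduced to the fields the filter needs (constructed, hypothetical)."""
    src: str
    dst: str
    itype: int
    ident: int = 0
    seq: int = 0
    # ICMP errors carry the header of the original datagram; here that is
    # represented as the flow key of the quoted echo request.
    quoted: Optional[FlowKey] = None


def implied_rule(pkt: Icmp) -> str:
    """What 'Accept ICMP' amounts to: any any ICMP accept, limited only to
    the 13 types in the group, with no direction and no state."""
    return "accept" if pkt.itype in ICMP_TYPES.values() else "drop"


class StatefulIcmpFilter:
    """Echo requests may leave; replies and errors may enter only if they
    answer a request still in the state table (window defaults to 60 s)."""

    def __init__(self, inside: str, timeout: float = 60.0) -> None:
        self.inside = ipaddress.ip_network(inside)
        self.timeout = timeout
        self.pending: Dict[FlowKey, float] = {}   # flow key -> time request was seen

    def _inside(self, ip: str) -> bool:
        return ipaddress.ip_address(ip) in self.inside

    def _expire(self, now: float) -> None:
        self.pending = {k: t for k, t in self.pending.items() if now - t <= self.timeout}

    def handle(self, pkt: Icmp, now: float) -> str:
        self._expire(now)
        if self._inside(pkt.src) and not self._inside(pkt.dst):      # outbound
            if pkt.itype == ECHO:
                self.pending[(pkt.src, pkt.dst, pkt.ident, pkt.seq)] = now
                return "accept"
            return "drop"                                            # nothing else leaves
        if pkt.itype == ECHOREPLY:                                   # inbound reply: one per request
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            return "accept" if self.pending.pop(key, None) is not None else "drop"
        if pkt.itype in ERROR_TYPES and pkt.quoted in self.pending:  # e.g. traceroute hop
            return "accept"
        return "drop"          # redirects, unsolicited replies, inbound probes of any kind


def demo() -> List[Tuple[str, str]]:
    """Run constructed traffic through both policies; returns (implied, stateful) per packet."""
    fw = StatefulIcmpFilter("10.0.0.0/8")
    traffic = [
        (0,   Icmp("10.1.1.5", "192.0.2.9", ECHO, 0x1234, 1)),        # ping out
        (1,   Icmp("192.0.2.9", "10.1.1.5", ECHOREPLY, 0x1234, 1)),   # its reply
        (2,   Icmp("192.0.2.9", "10.1.1.5", ECHOREPLY, 0x1234, 1)),   # same reply replayed
        (3,   Icmp("192.0.2.9", "10.1.1.5", ECHOREPLY, 0x9999, 7)),   # unsolicited reply
        (10,  Icmp("10.1.1.5", "192.0.2.9", ECHO, 0x1234, 2)),        # ping out
        (80,  Icmp("192.0.2.9", "10.1.1.5", ECHOREPLY, 0x1234, 2)),   # reply after the window
        (100, Icmp("10.1.1.5", "192.0.2.9", ECHO, 0x1234, 3)),        # traceroute probe
        (101, Icmp("198.51.100.1", "10.1.1.5", ICMP_TYPES["ICMP_TIMXCEED"],
                   quoted=("10.1.1.5", "192.0.2.9", 0x1234, 3))),      # hop router's time-exceeded
        (102, Icmp("198.51.100.1", "10.1.1.5", ICMP_TYPES["ICMP_REDIRECT"])),  # inbound redirect
        (103, Icmp("203.0.113.7", "10.1.1.5", ECHO, 0x42, 1)),        # outside pings inside
    ]
    return [(implied_rule(p), fw.handle(p, t)) for t, p in traffic]


if __name__ == "__main__":
    for implied, stateful in demo():
        print(f"implied={implied:6}  stateful={stateful}")
```

The implied rule accepts every packet in the run, including the replayed and unsolicited replies, the inbound redirect and the ping from outside; the stateful filter accepts only what answers an outstanding request. The `quoted` field stands in for the original header that ICMP error messages carry, which is what lets a traceroute hop's time-exceeded through without opening inbound ICMP in general.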





================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.