Re: [FW1] ICMP Stateful or NOT ?
Hi Lance,

You are right about ICMP ..... but only one of the Developers in Israel could "enlighten us" further.

I think the only effective use of those tables is CPMAD.....

Yes it would be nice to write some inspect script to tie the tables together and include a timeout........ but that is not my strong point, i.e. I'm going to leave that up to someone else, who doesn't mind voiding their support contract.

Jon

Date: Wed, 10 Jan 2001 20:51:43 -0600 (CST)
From: Lance Spitzner <[email protected]>
Subject: Re: [FW1] ICMP Stateful or NOT ?

On Wed, 10 Jan 2001, Carl E. Mankinen wrote:

> I seem to be reading quite a bit that even 4.X does not use stateful inspection
> for ICMP requests. Is this in fact the case, or has CheckPoint corrected this
> in the latest releases?
>
> For them to say that ICMP packets are harmless and thus do not require
> stateful inspection is beyond belief (having my doubts they actually said this...)
> ICMP is a perfect method for tunneling control connections for trojans, or
> for sending obscured hashed data containing information you wouldn't like exposed.

To the best of my knowledge, no. I have not been able to identify any ICMP state table in the kernel memory. I have identified 4 tables within memory that potentially track ICMP. However, after testing these 4 tables, they do not appear to do any stateful tracking of ICMP. I would greatly appreciate anyone who could provide more information.

The four tables in question:

    firewall #fw tab -s | grep -i icmp
    localhost  icmp_connections  50  0
    localhost  icmp_requests     51  4
    localhost  icmp_replies      52  4
    localhost  icmp_errors       53  5

thanks!

lance