Re: [FW-1] ICMP and MTU path discovery
Hi,

only the ICMP types are pre-defined. But you can define the ICMP code also.
In the Service Manager create a new ICMP Service with a name of your choice.
In the Field "Match" type

    icmp_type=ICMP_UNREACH, icmp_code=4

and put it into your rulebase. Then you will have type 3, code 4 -
"Fragmentation needed and DF set"

Hope it helps,
best regards,

Matthias

http://www.fw-1.de

Lupinum Lupus wrote:

> Hello there,
>
> I have a question about what ICMP types to let through the FW. To let hosts
> from outside find out the MTU for a connection through our FW we have to
> let some ICMP services pass through, especially ICMP type 3, code 4
> (Fragmentation needed but DON'T FRAGMENT bit set). This one is needed to
> let a host know it has to make his MTU size smaller for this connection.
>
> In FW-1 4.1 the "ICMP-DEST-UNREACHABLE" service is defined. Am I correct in
> assuming that this includes every type 3 icmp packet? including:
> 3   Destination unreachable.
> 3 0 Net unreachable.
> 3 1 Host unreachable.
> 3 2 Protocol unreachable.
> 3 3 Port unreachable.
> 3 4 Fragmentation needed and DF set.
> 3 5 Source route failed.
>
> If this is the case then:
> can I define a service for ICMP type 3, code 4 separately?
>
> Is there any harm in letting every code of type 3 through?
>
> Thanks in advance,
>
> Lupinum, Netherlands
>
> =================================================
> To set vacation, Out Of Office, or away messages,
> send an email to [email protected]
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> [email protected]
> =================================================

--
AERAsec Network Services and Security GmbH
Wagenberger Straße 1
D-85662 Hohenbrunn, Germany
http://www.aerasec.de
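
Added example, not part of the original thread and not Check Point code: a Python check that parses an ICMP message (the bytes after the IP header) and reports whether a type-only match on type 3 or the type 3, code 4 match from the reply would select it, plus the next-hop MTU that RFC 1191 carries in a code 4 message. The function names, result keys and sample packets are assumptions constructed for illustration.

```python
import struct

ICMP_UNREACH = 3   # ICMP type 3: destination unreachable
NEEDFRAG = 4       # code 4: fragmentation needed and DF set

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_unreach(code: int, mtu: int, quoted: bytes) -> bytes:
    """Build a constructed type 3 message with a valid checksum (test input)."""
    body = struct.pack("!BBHHH", ICMP_UNREACH, code, 0, 0, mtu) + quoted
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def classify(icmp: bytes) -> dict:
    """Report which of the two matches would select this ICMP message."""
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, icmp_code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    narrow = icmp_type == ICMP_UNREACH and icmp_code == NEEDFRAG
    return {
        "checksum_ok": inet_checksum(icmp) == 0,   # a valid message sums to zero
        "type_only_match": icmp_type == ICMP_UNREACH,
        "type3_code4_match": narrow,
        # RFC 1191 puts the next-hop MTU in bytes 6-7 of a code 4 message
        "next_hop_mtu": mtu if narrow else None,
    }

# Constructed sample: the quoted original datagram (IPv4 header with DF set,
# documentation addresses) followed by the first 8 bytes of its TCP header.
QUOTED = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + bytes(8)
SAMPLES = {c: build_unreach(c, 1400 if c == NEEDFRAG else 0, QUOTED) for c in range(6)}

if __name__ == "__main__":
    for code, msg in SAMPLES.items():
        print(code, classify(msg))
```

Of the six type 3 codes listed in the question, only code 4 is selected by the narrow match, while the type-only match selects all of them.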