Re: [FW-1] ICMP and MTU path discovery
Create an ICMP Service as follows:

Name: fragment-needed (or whatever you want to call it)
Comment: (whatever you want)
Match: ( icmp, icmp_type=3, icmp_code=4 )

Add in a rule that allows just this service and you should be right.

Regards,
Ken...

Lupinum Lupus <[email protected]>
Sent by: Mailing list for discussion of Firewall-1 <[email protected]>
21/01/2002 20:35
Please respond to Mailing list for discussion of Firewall-1

To: [email protected]
cc:
Subject: [FW-1] ICMP and MTU path discovery

Hello there,

I have a question about what ICMP types to let through the FW.

To let hosts from outside find out the MTU for a connection through our FW we have to let some ICMP services pass through. Especially ICMP type 3, code 4 (Fragmentation needed but DON'T FRAGMENT bit set). This one is needed to let a host know it has to make his MTU size smaller for this connection.

In FW-1 4.1 the "ICMP-DEST-UNREACHABLE" service is defined. Am I correct in assuming that this includes every type 3 ICMP packet? Including:

3    Destination unreachable.
3 0  Net unreachable.
3 1  Host unreachable.
3 2  Protocol unreachable.
3 3  Port unreachable.
3 4  Fragmentation needed and DF set.
3 5  Source route failed.

If this is the case then: can I define a service for ICMP type 3, code 4 separately? Is there any harm in letting every code of type 3 through?

Thanks in advance,
Lupinum, Netherlands

=================================================
To set vacation, Out Of Office, or away messages, send an email to [email protected] in the BODY of the email add: set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list, please see the instructions at http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your subscription options, email [email protected]
=================================================
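The match given in the reply above (icmp_type=3, icmp_code=4), as an added Python example that is not part of the original thread and is not FW-1 code: it parses an ICMP message, allows only "fragmentation needed and DF set", and reads the next-hop MTU field that RFC 1191 defines for that message. The function names, the checksum check and the sample packets are constructed for illustration.

```python
import struct
from typing import NamedTuple, Optional

class Verdict(NamedTuple):
    allow: bool
    next_hop_mtu: Optional[int]
    reason: str

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes, payload: bytes = b"") -> bytes:
    """Build a constructed ICMP message (test input only)."""
    msg = struct.pack("!BBH", icmp_type, code, 0) + rest + payload
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]

def match_fragment_needed(icmp: bytes) -> Verdict:
    """Allow only ICMP type 3, code 4; every other message is rejected."""
    if len(icmp) < 8:
        return Verdict(False, None, "truncated ICMP header")
    icmp_type, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if inet_checksum(icmp) != 0:
        return Verdict(False, None, "bad checksum")
    if (icmp_type, code) != (3, 4):
        return Verdict(False, None,
                       "type %d code %d is not fragment-needed" % (icmp_type, code))
    # RFC 1191 carries the next-hop MTU in the low 16 bits of the second
    # header word; routers that predate it leave the field zero.
    return Verdict(True, mtu or None, "fragmentation needed and DF set")

# Constructed samples: 28 placeholder bytes stand in for the quoted IP
# header plus 8 bytes of the datagram that triggered the error.
QUOTED = bytes(28)
FRAG_NEEDED = build_icmp(3, 4, struct.pack("!HH", 0, 1400), QUOTED)
PORT_UNREACH = build_icmp(3, 3, bytes(4), QUOTED)

if __name__ == "__main__":
    for name, pkt in (("frag-needed", FRAG_NEEDED), ("port-unreach", PORT_UNREACH)):
        print(name, match_fragment_needed(pkt))
```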