Mailing list for discussion of Firewall-1 wrote:
> On 9/29/05, Maurit Pereira Fagundes <MAURIT AT fgv DOT br> wrote:
> > Hello all,
> >
> > In global properties there is an option: Accept ICMP
> > requests. I want to avoid that people on the internet ping and
> > run the traceroute command against my DMZ servers.
> > What is the better way to do this? Disabling this option in
> > global properties or creating a rule base to do this? If I
> > create a rule base, must I disable this option in rule base?
> >
> > thanks in advance.
>
> Normally you would have the global option turned off. You can then
> allow any specific ICMP that you do want (e.g. from your monitoring
> server) with the use of a normal rule.
>
> If you turn the option on in your global properties, it effectively
> just adds another rule. Go View -> Implied Rules to see the rules that
> are added. Better to turn it off, and explicitly define the rule
> yourself. If the global option is turned off, and you don't have any
> rules allowing it, it will be dropped - which is what you want, yes?
>
> - Lindsay

Hello All,

Just a reminder about PMTUd. Always make sure ICMP Fragmentation Needed
and Don't Fragment was Set (type 3 code 4) is allowed.
Otherwise PMTUd will not work and might cause hard-to-find problems.
Yes, I have first-hand experience, and no, it is not fun.

See also
<http://www.faqs.org/faqs/computer-security/most-common-qs/section-18.html>

GRTNX,
RobJE
--
Home is near Enter. ((c) RonA)
========================================================================
Tel: +31 - 317 - 399800 s-mail: P.O. box 617
Fax: +31 - 317 - 423164 6700 AP Wageningen
MailTo: r.epping AT weer DOT nl WWW: http://www.weer.nl/
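
The type 3 code 4 message mentioned above, parsed in Python as an added example that is not part of the original thread or of any Check Point product: it verifies the ICMP checksum, reads the next-hop MTU (RFC 1191) and checks that the quoted original IP header belongs to a flow the host really has open, which goes one step beyond a plain "allow type 3 code 4" rule. The function names, the flow table and the sample packets (documentation addresses) are constructed for illustration.

```python
import socket
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 over a message with a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_frag_needed(icmp: bytes):
    """Return (next_hop_mtu, orig_src, orig_dst, proto), or None if the bytes
    are not a well-formed ICMP type 3 code 4 message quoting an IPv4 header."""
    if len(icmp) < 8 + 20 or inet_checksum(icmp) != 0:
        return None
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    inner = icmp[8:]                      # header of the datagram that was too big
    if (icmp_type, code) != (3, 4) or inner[0] >> 4 != 4:
        return None
    return (mtu, socket.inet_ntoa(inner[12:16]),
            socket.inet_ntoa(inner[16:20]), inner[9])

def accept(icmp: bytes, active_flows: set) -> bool:
    """Accept only messages that quote a flow this host really has open."""
    parsed = parse_frag_needed(icmp)
    return parsed is not None and parsed[1:] in active_flows

def build_frag_needed(mtu: int, src: str, dst: str, proto: int = 6) -> bytes:
    """Construct a sample message (test data, not a capture)."""
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, 0x4000, 64,
                        proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    inner += b"\x00" * 8                  # first 8 bytes of the original payload
    body = struct.pack("!BBHHH", 3, 4, 0, 0, mtu) + inner
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

# Constructed data: DMZ server 192.0.2.10 has a TCP session to 198.51.100.7.
FLOWS = {("192.0.2.10", "198.51.100.7", 6)}
SAMPLE = build_frag_needed(1400, "192.0.2.10", "198.51.100.7")
ECHO_REQUEST = struct.pack("!BBHHH", 8, 0, 0xF7FD, 1, 1)   # a ping: type 8

if __name__ == "__main__":
    print(parse_frag_needed(SAMPLE))
    print(accept(SAMPLE, FLOWS), accept(ECHO_REQUEST, FLOWS))
```
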