Firewall-1

Subject: [FW-1] RES: [FW-1] ICMP Packets
From: Maurit Pereira Fagundes <MAURIT AT FGV DOT BR>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 29 Sep 2005 13:49:49 -0300
Lindsay,

Again, thank you very much. Your explanation will help a lot.

Thanks everybody. This list is great!

Cheers

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On behalf of Lindsay Hill
Sent: Thursday, 29 September 2005 12:20
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] ICMP Packets


Normally I wouldn't allow any ICMP from untrusted sources, unless I've
got a specific reason for it. VPNs come to mind. YMMV though, as Rob
has found out.

The UDP reference might be related to error detection - e.g. if I send
a UDP packet to a host, but it's not listening on that port, it can
send an ICMP port unreachable reply to tell me that port is closed,
and my client might decide to do something different. That way it can
speed up error detection. In that way, you get similar functionality
to a TCP reset if the port is closed.

However, since Check Point is a bit smarter, it can deal with ICMP
errors related to non-ICMP connections. Look in global properties,
Stateful Inspection. You don't need to specifically allow the ICMP
traffic.

Having said all that, are you actually allowing UDP traffic from the
Internet to your web servers anyway? I would presume not.

So disable the global property, then add rules allowing specifically
what you want. E.g. perhaps you're happy for outbound ICMP from your
network, and inbound type 3/code 4.


 - Lindsay

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
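Lindsay's point above is that a stateful firewall can accept ICMP errors that belong to an existing connection without an open ICMP rule. The following is an added toy illustration of that idea, not Check Point code and not from the list: it accepts an inbound type 3 error only when the packet quoted inside it matches a tracked outbound UDP flow, and separately allows type 3/code 4 by a static rule. All packets, addresses and the state table are constructed inline; the function names are made up for this example.

```python
import struct
import ipaddress

ICMP_DEST_UNREACH, CODE_PORT_UNREACH, CODE_FRAG_NEEDED, PROTO_ICMP, PROTO_UDP = 3, 3, 4, 1, 17

def ipv4_header(src, dst, proto, payload_len):
    # Minimal IPv4 header; checksum left zero since this toy parser does not verify it.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def udp_packet(src, sport, dst, dport, payload=b"x" * 16):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, PROTO_UDP, len(udp)) + udp

def icmp_error(sender, dst, code, offending):
    # RFC 792: type, code, checksum, 4 unused bytes, then offending IP header + 8 bytes.
    inner_ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + offending[:inner_ihl + 8]
    return ipv4_header(sender, dst, PROTO_ICMP, len(body)) + body

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20])
    return str(src), str(dst), pkt[9], pkt[ihl:]

def filter_inbound_icmp(pkt, udp_state):
    # udp_state: outbound (src, sport, dst, dport) UDP flows already seen by the firewall.
    _src, _dst, proto, icmp = parse_ipv4(pkt)
    if proto != PROTO_ICMP or len(icmp) < 8 or icmp[0] != ICMP_DEST_UNREACH:
        return "drop", "not an ICMP destination-unreachable error (echo etc. need a rule)"
    code = icmp[1]
    if code == CODE_FRAG_NEEDED:
        return "accept", "static rule: type 3/code 4 keeps path MTU discovery working"
    if len(icmp) < 8 + 28:
        return "drop", "ICMP error does not quote a full IP header plus 8 bytes"
    q_src, q_dst, q_proto, q_l4 = parse_ipv4(icmp[8:])
    if q_proto != PROTO_UDP:
        return "drop", "quoted packet is not UDP"
    sport, dport = struct.unpack("!HH", q_l4[:4])
    if (q_src, sport, q_dst, dport) in udp_state:
        return "accept", "stateful: error relates to a tracked outbound UDP flow"
    return "drop", "stateful: quoted flow unknown (unsolicited or forged ICMP error)"

# Constructed sample: our DNS query went out, then three ICMP errors arrive inbound.
STATE = {("10.0.0.5", 40000, "203.0.113.9", 53)}
QUERY = udp_packet("10.0.0.5", 40000, "203.0.113.9", 53)
OTHER = udp_packet("10.0.0.5", 40000, "198.51.100.7", 161)   # flow we never opened
REAL = icmp_error("203.0.113.9", "10.0.0.5", CODE_PORT_UNREACH, QUERY)
BOGUS = icmp_error("198.51.100.7", "10.0.0.5", CODE_PORT_UNREACH, OTHER)
PMTU = icmp_error("192.0.2.1", "10.0.0.5", CODE_FRAG_NEEDED, QUERY)
```

Running `filter_inbound_icmp` over REAL, BOGUS and PMTU with STATE gives accept, drop and accept respectively; the same port-unreachable error is dropped once the flow is no longer in the table.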
