Firewall-1

Re: [FW-1] RES: [FW-1] ICMP Packets

Subject: Re: [FW-1] RES: [FW-1] ICMP Packets
From: netadmn <netadmin AT KIRTLANDFCU DOT ORG>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Thu, 29 Sep 2005 15:11:41 -0600

So I am trying to ping a server running Multinet from a workstation, both of
which are on my local network. The server running Multinet is in an address
range 192.168.1.### and the workstation is in an address range of
192.168.0.###, both having a subnet of 255.255.252.0. When the server
running Multinet responds it gets dropped by the firewall with the following
reason:

Icmp-type:0;icmp-code:0;message_info:ICMP packet out of state

Any ideas why this is happening and how I can resolve it?

Thanks,

Dennis

-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lee, 
Jacob
Sent: Thursday, September 29, 2005 9:17 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] RES: [FW-1] ICMP Packets

The recommendation by Lindsay is a sound recommendation for your web
servers.

One other thing to consider when you create your icmp rules:

If you have a UDP service that's above port 33434, you might have
problems with some versions of Checkpoint... specifically FP3. If this
is the case, then you will have to make sure your icmp rule is BELOW the
rule of the permitted UDP > 33434 service.

Hope this helps.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Maurit
Pereira Fagundes
Sent: Thursday, September 29, 2005 10:47 AM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: [FW-1] RES: [FW-1] ICMP Packets

Thanks Lindsay.

Yes, it is what I want, but what is the best practice recommended for this
issue?
I read that blocking ICMP traffic sometimes may not be very good because of
UDP traffic. Is this true?

I don't want people on the internet pinging my web servers.

Thanks again to all.


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lindsay
Hill
Sent: Thursday, September 29, 2005 11:29
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] ICMP Packets


Normally you would have the global option turned off. You can then
allow any specific ICMP that you do want (e.g. from your monitoring
server) with the use of a normal rule.

If you turn the option on in your global properties, it effectively
just adds another rule. Go View -> Implied Rules to see the rules that
are added. Better to turn it off, and explicitly define the rule
yourself. If the global option is turned off, and you don't have any
rules allowing it, it will be dropped - which is what you want, yes?

 - Lindsay


On 9/29/05, Maurit Pereira Fagundes <MAURIT AT fgv DOT br> wrote:
> Hello all,
>
> In global properties there is an option: Accept ICMP requests. I want
> to prevent people on the internet from pinging and running the traceroute
> command against my DMZ servers.
> What is the better way to do this? Disabling this option in global
> properties or creating a rule base to do this? If I create a rule base,
> must I disable this option in the rule base?
>
> thanks in advance.
>
> =================================================
> To set vacation, Out-Of-Office, or away messages,
> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
> in the BODY of the email add:
> set fw-1-mailinglist nomail
> =================================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> =================================================
> If you have any questions on how to change your
> subscription options, email
> fw-1-owner AT ts.checkpoint DOT com
> =================================================
>

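Added example, not part of the original thread: a toy model of what the "ICMP packet out of state" drop in the first message means, namely an echo reply (type 0, code 0) reaching a stateful firewall that never saw the matching echo request. Assumptions: the two host addresses are constructed within the ranges given, the firewall is taken to be the default gateway, and the narrower mask on the server is only one hypothetical way such one-sided routing can arise.

```python
import ipaddress

MASK = "255.255.252.0"           # mask stated in the post
WORKSTATION = "192.168.0.10"     # constructed host in 192.168.0.###
SERVER = "192.168.1.20"          # constructed host in 192.168.1.###

def on_link(src, dst, mask):
    """True if src, using this mask, treats dst as directly reachable."""
    net = ipaddress.ip_network(f"{src}/{mask}", strict=False)
    return ipaddress.ip_address(dst) in net

class IcmpStateTable:
    """Toy stateful tracker: an echo reply is accepted only if the
    matching echo request passed through this device first."""
    def __init__(self):
        self.pending = set()

    def inspect(self, src, dst, icmp_type, ident, seq):
        if icmp_type == 8:                      # echo request
            self.pending.add((src, dst, ident, seq))
            return "accept"
        if icmp_type == 0:                      # echo reply
            key = (dst, src, ident, seq)        # request ran the other way
            if key in self.pending:
                self.pending.discard(key)
                return "accept"
            return "drop: ICMP packet out of state"
        return "drop"

def simulate(ws_mask, srv_mask):
    """Ping workstation -> server. Only packets the sender considers
    off-link are handed to the firewall (assumed default gateway)."""
    fw = IcmpStateTable()
    verdicts = []
    if not on_link(WORKSTATION, SERVER, ws_mask):
        verdicts.append(fw.inspect(WORKSTATION, SERVER, 8, 1, 1))
    if not on_link(SERVER, WORKSTATION, srv_mask):
        verdicts.append(fw.inspect(SERVER, WORKSTATION, 0, 1, 1))
    return verdicts

if __name__ == "__main__":
    print(simulate(MASK, MASK))                         # both hosts on-link
    print(simulate(MASK, "255.255.255.0"))              # hypothetical server mask
    print(simulate("255.255.255.0", "255.255.255.0"))   # both directions routed
```

With the mask as stated on both hosts, neither packet should reach the firewall at all, so a reply arriving there suggests comparing the mask and routing table actually configured on each host.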