You're exactly right. The multinet machine was routing the packets through
the firewall. After I set it to route the packets through a router instead I
was successful in making a telnet session.
Thanks,
Dennis
-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lindsay
Hill
Sent: Thursday, September 29, 2005 11:49 PM
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] RES: [FW-1] ICMP Packets
With a subnet mask like that, both of those systems are in the same
subnet, right? So what's the firewall got to do with it? Why would
the traffic be going through the firewall at all?
I would say check your subnet masks, and routes.
Also check the frames being dropped at the firewall with tcpdump -e -
you should see if the Multinet box is trying to route the frames via
the firewall, instead of sending them direct to the workstation.
- Lindsay
On 29 Sep 2005, at 22:11, netadmn wrote:
> So I am trying to ping a server running Multinet from a workstation,
> both of which are on my local network. The server running Multinet is
> in an address range 192.168.1.### and the workstation is in an address
> range of 192.168.0.###, both having a subnet of 255.255.252.0. When the
> server running Multinet responds it gets dropped by the firewall with
> the following reason:
>
> Icmp-type:0;icmp-code:0;message_info:ICMP packet out of state
>
> Any ideas why this is happening and how I can resolve it?
>
> Thanks,
>
> Dennis
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Lee, Jacob
> Sent: Thursday, September 29, 2005 9:17 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] RES: [FW-1] ICMP Packets
>
> The recommendation by Lindsay is a sound recommendation for your web
> servers.
>
> One other thing to consider when you create your icmp rules:
>
> If you have a UDP service that's above port 33434, you might have
> problems with some versions of Checkpoint... specifically FP3. If this
> is the case, then you will have to make sure your icmp rule is BELOW
> the rule of the permitted UDP > 33434 service.
>
> Hope this helps.
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of
> Maurit
> Pereira Fagundes
> Sent: Thursday, September 29, 2005 10:47 AM
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: [FW-1] RES: [FW-1] ICMP Packets
>
> Thanks Lindsay.
>
> Yes, it is what I want. But what is the best practice recommended for
> this issue?
> I read that blocking ICMP traffic sometimes can not be very good
> because of UDP traffic. Is this true?
>
> I don't want people on the internet pinging my web servers.
>
> Thanks again to all.
>
>
> -----Original Message-----
> From: Mailing list for discussion of Firewall-1
> [mailto:FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM] On Behalf Of Lindsay
> Hill
> Sent: Thursday, September 29, 2005 11:29
> To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
> Subject: Re: [FW-1] ICMP Packets
>
>
> Normally you would have the global option turned off. You can then
> allow any specific ICMP that you do want (e.g. from your monitoring
> server) with the use of a normal rule.
>
> If you turn the option on in your global properties, it effectively
> just adds another rule. Go View -> Implied Rules to see the rules that
> are added. Better to turn it off, and explicitly define the rule
> yourself. If the global option is turned off, and you don't have any
> rules allowing it, it will be dropped - which is what you want, yes?
>
> - Lindsay
>
>
> On 9/29/05, Maurit Pereira Fagundes <MAURIT AT fgv DOT br> wrote:
>
>> Hello all,
>>
>> In global properties there is an option: Accept ICMP requests. I want
>> to avoid that people in internet ping and run the traceroute command
>> against my dmz servers.
>>
>> What is the better way to do this? Disabling this option in global
>> properties or creating a rule base to do this? If I create a rule
>> base, must I disable this option in rule base?
>>
>> Thanks in advance.
>>
>> =================================================
>> To set vacation, Out-Of-Office, or away messages,
>> send an email to LISTSERV AT amadeus.us.checkpoint DOT com
>> in the BODY of the email add:
>> set fw-1-mailinglist nomail
>> =================================================
>> To unsubscribe from this mailing list,
>> please see the instructions at
>> http://www.checkpoint.com/services/mailing.html
>> =================================================
>> If you have any questions on how to change your
>> subscription options, email
>> fw-1-owner AT ts.checkpoint DOT com
>> =================================================
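The subnet-mask and route check suggested in the thread, as an added example that is not part of the original messages: it compares the next hop each host would pick for the other and flags the asymmetric case in which only the echo reply crosses the firewall. The host addresses, the firewall address and the static route on the server are constructed for illustration; the thread does not say what made the Multinet machine route through the firewall.

```python
import ipaddress

FIREWALL = "192.168.0.1"  # constructed address, not taken from the thread

def same_subnet(ip_a, ip_b, mask):
    """True if ip_b is on-link for a host configured with ip_a/mask."""
    net = ipaddress.ip_network(f"{ip_a}/{mask}", strict=False)
    return ipaddress.ip_address(ip_b) in net

def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs.
    next_hop None means a connected route; returns None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), hop) for p, hop in routes
               if dst in ipaddress.ip_network(p)]
    if not matches:
        return None
    _, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop or "on-link"

def check_pair(a, b):
    """Compare the path of a request a->b with the path of the reply b->a."""
    fwd = lookup(a["routes"], b["ip"])
    rev = lookup(b["routes"], a["ip"])
    # A stateful firewall that sees the reply but never saw the request
    # has no matching state entry and drops the reply as out of state.
    return {"request_via": fwd, "reply_via": rev, "asymmetric": fwd != rev}

# Constructed hosts: both sit in 192.168.0.0/22 (mask 255.255.252.0).
WORKSTATION = {"ip": "192.168.0.10",
               "routes": [("192.168.0.0/22", None), ("0.0.0.0/0", FIREWALL)]}
# Hypothetical misconfiguration: a more specific static route via the firewall.
SERVER_BROKEN = {"ip": "192.168.1.20",
                 "routes": [("192.168.0.0/22", None),
                            ("192.168.0.0/24", FIREWALL),
                            ("0.0.0.0/0", FIREWALL)]}
SERVER_FIXED = {"ip": "192.168.1.20",
                "routes": [("192.168.0.0/22", None), ("0.0.0.0/0", FIREWALL)]}

if __name__ == "__main__":
    print(same_subnet("192.168.1.20", "192.168.0.10", "255.255.252.0"))
    print(check_pair(WORKSTATION, SERVER_BROKEN))
    print(check_pair(WORKSTATION, SERVER_FIXED))
```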