
Re: [FW1] ICMP Type 3 packets getting through Rule 0

Doug,

Most routers today contain packet filtering capability and such filtering
is generally used as a first line of defense in a security scenario. When
filtering, a router implementation may send ICMP messages indicating that
the datagram could not be forwarded for administrative reasons. This option
to notify back, if you will, can be toggled. Generally enabling this is not
a good idea, since it gives information back to a potentially hostile entity.
So the question is whether you are generating the source packet to a destination
through a router that has filtering turned on AND has enabled notification
(code 13) that it can't forward your requested packet. Could that be the
case? It may not be that anyone is fooling around with you, but you are
hitting a router that is configured (poorly in some respects) to block your
ping and at the same time telling you about it.

Roger
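As an added illustration (not part of Roger's or Doug's mail), the Python below decodes an ICMP type 3 message and shows why the log has no S_Port for these packets: the message carries no ports of its own; the addresses and ports it reports belong to the original datagram quoted after the 8-byte ICMP header. The sample packets, addresses and ports are constructed, and checksums are left zero rather than validated.

```python
import socket
import struct

# ICMP type 3 (Destination Unreachable) codes, from RFC 792 / RFC 1122 / RFC 1812
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "communication with destination network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    13: "communication administratively prohibited",
}


def parse_unreachable(icmp):
    """Decode an ICMP type 3 message (8-byte header + quoted original datagram)
    and report which original packet triggered it."""
    icmp_type, code = struct.unpack("!BB", icmp[:2])
    if icmp_type != 3:
        raise ValueError("not an ICMP type 3 message")
    quoted = icmp[8:]                      # original IPv4 header + first 8 bytes of L4
    ihl = (quoted[0] & 0x0F) * 4            # IPv4 header length in bytes
    proto = quoted[9]
    info = {
        "code": code,
        "meaning": UNREACHABLE_CODES.get(code, "unknown"),
        "orig_src": socket.inet_ntoa(quoted[12:16]),
        "orig_dst": socket.inet_ntoa(quoted[16:20]),
        "orig_proto": proto,
    }
    l4 = quoted[ihl:ihl + 8]
    if proto in (6, 17):                    # TCP / UDP: the first 4 bytes are the ports
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", l4[:4])
    elif proto == 1:                        # ICMP (e.g. Doug's ping): type and code
        info["orig_icmp_type"], info["orig_icmp_code"] = struct.unpack("!BB", l4[:2])
    return info


def build_sample(code, proto, l4_first8):
    """Constructed test packet: ICMP type 3 with the given code, quoting an
    IPv4 datagram from 192.0.2.10 to 198.51.100.5 (checksums left at zero)."""
    orig_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4_first8), 0x1234,
                          0x4000, 64, proto, 0,
                          socket.inet_aton("192.0.2.10"),
                          socket.inet_aton("198.51.100.5"))
    return struct.pack("!BBHI", 3, code, 0, 0) + orig_ip + l4_first8
```

Fed a real capture, the decoded `orig_dst` is the filtering router's victim host and `orig_sport`/`orig_dport` (or the echo type) is the connection that was blocked, which is the information the firewall log line does not show.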

At 12:06 PM 4/23/99 -0700, Whittier, Doug wrote:
>
>Greetings:
>
>I am running FW-1 4.0.
>
>Since pretty much day one, the log has shown that certain ICMP packets
>are being intercepted and dropped.
>
>The log shows that these packets are 'icmp-type 3 icmp-code 3' and
>'icmp-type 3 icmp-code 13'.
>
>Our policy properties have ICMP disabled, so I would expect these packets
>to be stopped by Rule 0 (the policy properties).
>
>However, they are being stopped by rule 4, which is our 'nothing touches
>the firewall object' rule. Presumably, then, these are not your standard
>ICMP packets.
>
>I looked on Phoneboy and found a list of ICMP codes. That's fine for the
>sake of definition, but it doesn't list the type 13 packet.
>
>I'd considered defining a new service for these packets based on port
>number (assuming that would be reasonable), but the log does not show
>the port number in the S_Port column.
>
>Does anyone have a bit more info as to what these packets are about and
>how I might better deal with them? Also, maybe they're nothing to worry
>about - I'm just concerned that they are getting through my Rule 0, so
>there must be something a little unusual about them.
>
>
>Cheers,
>
>Doug Whittier
>Legislative Assembly Computer Systems
>(250) 356-2280
>doug.whittier@leg.bc.ca
>
>
>
>================================================================================
>     To unsubscribe from this mailing list, please see the instructions at
>               http://www.checkpoint.com/services/mailing.html
>================================================================================