Re: [FW1] Stateful ICMP
On Mar 19, 12:49, Lance Spitzner wrote:
> Subject: [FW1] Stateful ICMP
>
> Has anyone gotten stateful ICMP to work on 4.1?
Is this the same as in 4.0? I can only speak for 4.0.
If yes, you have to allow the return packets as well.
>
> The trick of "enable ICMP Last" in the properties menu
> doesn't work for me. The return ICMP traffic is dropped,
> and I never see anything in the connections table.
It is table "icmp_requests".
"Accept ICMP" is too permissive IMO, but you need it to make ICMP stateful
(and for encryption, it seems). Therefore I have "Accept ICMP" "Last" -
after my drop anything cleanup rule. This disables the "Accept" part but
enables the stateful inspection. The ICMP packets I want to be able to
pass the firewall are defined explicitly in the ruleset.
The statefulness of ICMP is somewhat different from the statefulness of
TCP/UDP. ICMP packets which are replies (i.e. echo reply or error packets
for TCP or UDP connections) are checked if the corresponding connection
exists and dropped if not. Then they are checked against the rulebase.
Regards
-Wolfram
--
Email: Wolfram.Schmidt@iao.fhg.de
Voice: +49 711 970 2431
Fax: +49 711 970 2401
Office: Fraunhofer IAO, Holzgartenstr. 17, 70174 Stuttgart, Germany
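The two-stage check Wolfram describes (reply matched against the request/connection table first, then against the rulebase), as an added example that is not part of the original mail or of FireWall-1 itself; the class names, the rulebase tuple shape and the sample addresses are constructed for the model.

```python
from dataclasses import dataclass, field
from typing import Optional

# ICMP types used in the model (constructed constants, standard type numbers)
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

@dataclass(frozen=True)
class Icmp:
    src: str
    dst: str
    type: int
    ident: int = 0                      # echo identifier for request/reply matching
    quoted: Optional[tuple] = None      # (proto, src, sport, dst, dport) quoted in an ICMP error

@dataclass
class StatefulIcmp:
    # rulebase entries: (src, dst, icmp_type or None for any, action); hypothetical shape
    rulebase: list
    icmp_requests: set = field(default_factory=set)   # outstanding echo requests
    connections: set = field(default_factory=set)     # tcp/udp connections already accepted

    def outbound_echo(self, p: Icmp) -> None:
        """Record an accepted echo request so its echo reply has state to match."""
        if p.type == ECHO_REQUEST:
            self.icmp_requests.add((p.src, p.dst, p.ident))

    def open_connection(self, proto: str, src: str, sport: int, dst: str, dport: int) -> None:
        self.connections.add((proto, src, sport, dst, dport))

    def has_state(self, p: Icmp) -> bool:
        """Replies and errors must correspond to a known request/connection."""
        if p.type == ECHO_REPLY:
            return (p.dst, p.src, p.ident) in self.icmp_requests
        if p.type in (DEST_UNREACH, TIME_EXCEEDED):
            return p.quoted in self.connections
        return True   # not a reply: only the rulebase decides

    def rulebase_action(self, p: Icmp) -> str:
        for src, dst, typ, action in self.rulebase:
            if src in (p.src, "any") and dst in (p.dst, "any") and typ in (p.type, None):
                return action
        return "drop"   # implicit cleanup rule

    def decide(self, p: Icmp) -> str:
        """State check first, then the rulebase, as the mail describes."""
        if not self.has_state(p):
            return "drop"
        return self.rulebase_action(p)
```

A reply that has state but no matching explicit rule is still dropped, which is the effect of putting "Accept ICMP" after the cleanup rule.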
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================