Re: [FW1] Stateful ICMP
Change the property to last so that it never fires. If you leave it at
before last then you are still allowing ICMP fully. Move it to last behind
the drop rule and then try and see what happens. I haven't tried this yet
so let me know what happens.
----- Original Message -----
> Lance Spitzner <lance@spitzner.net> on 03/19/2000 01:49:14 PM
> Please respond to Lance Spitzner <lance@spitzner.net>
> To: fw-1-mailinglist@lists.us.checkpoint.com
> cc:
> Subject: [FW1] Stateful ICMP
>
> Has anyone gotten stateful ICMP to work on 4.1?
>
> The trick of "enable ICMP Last" in the properties menu
> doesn't work for me. The return ICMP traffic is dropped,
> and I never see anything in the connections table.
> There is an intriguing entry in /etc/fw/lib/table.def.
>
> /*****************
> * STATEFUL ICMP *
> *****************/
> #ifdef STATEFUL_ICMP
> icmp_connections = dynamic sync refresh expires TCP_START_TIMEOUT;
> icmp_requests = { ICMP_ECHO, ICMP_TSTAMP, ICMP_IREQ, ICMP_MASKREQ };
> icmp_replies = { ICMP_ECHOREPLY, ICMP_TSTAMPREPLY, ICMP_IREQREPLY, ICMP_MASKREPLY };
> icmp_errors = { ICMP_UNREACH, ICMP_SOURCEQUENCH, ICMP_TIMXCEED, ICMP_PARAMPROB, ICMP_REDIRECT };
> #endif
>
> However, I cannot crack the code on how to make ICMP truly stateful.
> Pointers greatly appreciated.
>
> Thanks
>
> Lance Spitzner
> http://www.enteract.com/~lspitz/papers.html
>
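
What "stateful ICMP" asks of a filter, as an added example that is not part of the thread and is not FireWall-1 or INSPECT code: a small Python state table that groups ICMP types the way the quoted table.def excerpt does (requests, replies, errors) and passes inbound ICMP only when it matches a recorded outbound request. The class name, the 30-second timeout and the `quoted` tuple format are assumptions made for illustration.

```python
import time

# ICMP type numbers (RFC 792 / RFC 950), grouped like the table.def excerpt.
REQUEST_TO_REPLY = {8: 0, 13: 14, 15: 16, 17: 18}  # echo, tstamp, info, mask
ERROR_TYPES = {3, 4, 5, 11, 12}  # unreach, quench, redirect, timxceed, paramprob


class IcmpStateTable:
    """Hypothetical tracker: inbound ICMP passes only if it matches a request."""

    def __init__(self, timeout=30.0, clock=time.monotonic):
        self.timeout = timeout  # assumed value, not FireWall-1's
        self.clock = clock
        self.pending = {}  # (src, dst, reply_type, ident, seq) -> expiry time

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.pending.items() if exp <= now]:
            del self.pending[key]

    def outbound(self, src, dst, icmp_type, ident, seq):
        """Record an outgoing request; non-request types create no state."""
        reply_type = REQUEST_TO_REPLY.get(icmp_type)
        if reply_type is None:
            return False
        self._expire()
        key = (src, dst, reply_type, ident, seq)
        self.pending[key] = self.clock() + self.timeout
        return True

    def inbound(self, src, dst, icmp_type, ident=None, seq=None, quoted=None):
        """Return True only if the packet answers a tracked request."""
        self._expire()
        if icmp_type in ERROR_TYPES:
            # Errors come from any hop, so match on the packet they quote:
            # quoted = (orig_src, orig_dst, orig_type, orig_ident, orig_seq)
            if quoted is None:
                return False
            o_src, o_dst, o_type, o_ident, o_seq = quoted
            key = (o_src, o_dst, REQUEST_TO_REPLY.get(o_type), o_ident, o_seq)
            return o_src == dst and key in self.pending
        # A reply must come from the address the request went to, carry the
        # expected type, id and sequence, and is consumed so it cannot replay.
        key = (dst, src, icmp_type, ident, seq)
        return self.pending.pop(key, None) is not None
```

This tracks ICMP requests only; errors that quote TCP or UDP packets would have to be matched against those protocols' connection tables instead.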