
RE: [FW1] Accept ICMP vs. Accept "Last"




On Tue, 21 Mar 2000 Thomas.Poole@gecits.ge.com wrote:

> either way you do it, acceptICMP means it will be handled at the policy
> property level
> 
> 1) First means icmp will be passed before it hits ANY rules.
> 2) Before last is before your cleanup rule (so it won't be logged)
> 3) Last is after all your defined rules. 
> 
> I wouldn't suggest setting it to first. Tailor for what you need. 
> 
> You can also uncheck the implied policy and make sure own rule.

Any way you look at it, by default CheckPoint FW-1 does not
statefully inspect ICMP (at least that I know of).  For
such an expensive product, I find this fact disappointing.

-Lance


