List:       firewall-1
Subject:    Re: [FW-1] ICMP Packets
From:       Joe Matusiewicz <joem () NIST ! GOV>
Date:       2005-09-29 16:04:45
Message-ID: 5.1.0.14.2.20050929120034.027d78e0 () 129 ! 6 ! 16 ! 94

At 08:35 AM 9/29/2005, Maurit Pereira Fagundes wrote:
>Hello all,
>
>In global properties there is an option: Accept ICMP requests. I want to 
>prevent people on the Internet from pinging and running the traceroute 
>command against my DMZ servers.
>What is the better way to do this? Disabling this option in global 
>properties or creating a rule base to do this? If I create a rule base, 
>must I disable this option in rule base?

I create a group called icmp_allow that contains echo request, 
time-exceeded, and dest-unreach.  All the rest of the icmp services go into 
a group called icmp_deny.  This way I can allow ping and traceroutes 
outbound and deny them inbound.

HTH,

-- Joe
  
