Yes, it should work with (2) and (3), but why enable ICMP from properties if
you use rules?
> Francis THELLIER
>
> -----Original Message-----
> From: D H [SMTP:[EMAIL PROTECTED]]
> Date: Wednesday, 28 June 2000 19:01
> To: [EMAIL PROTECTED]
> Subject: [FW1] Stateful inspection of icmp
>
>
> I am using FW-1 v4.0 sp 3, and I'm having a problem with the stateful
> inspection of ICMP (which should work in version 4.0 according to
> phoneboy).
>
> I want to allow only outbound ping (i.e. to the Internet), and as I
> understand it, it should work if the FW is configured as follows:
> (1) The "Accept ICMP" property is enabled and "Last" (i.e. after my
> explicit drop rule)
> (2) I allow outbound (to the Internet) services: echo-request
>
> But, the replies are being dropped by the FW. As a workaround:
> (3) I allow inbound (from the Internet) services: echo-reply,
> time-exceeded, dest-unreach.
>
> Shouldn't it work without (3)?
> If so, any ideas what it might be?
>
> -- DH
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
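Added illustration, not part of the original messages and not FireWall-1's implementation: a generic sketch of stateful ICMP handling for the setup described above, where only outbound echo-request is allowed and inbound echo-reply, time-exceeded and dest-unreach are accepted only when they match a remembered request. The class name, timeout and addresses are assumptions made for the example.

```python
# Added illustration: generic stateful ICMP matching, not FireWall-1's own logic.
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11
ICMP_ERRORS = {DEST_UNREACH, TIME_EXCEEDED}

class IcmpStateTable:
    """Remembers outbound echo-requests; accepts only inbound ICMP that matches one."""
    def __init__(self, timeout=30.0):  # timeout value is an assumption
        self.timeout = timeout
        self.pending = {}  # (inside_ip, outside_ip, icmp_id, seq) -> expiry time

    def _live(self, key, now):
        expiry = self.pending.get(key)
        if expiry is not None and expiry < now:
            del self.pending[key]  # request aged out
            return False
        return expiry is not None

    def outbound(self, src, dst, icmp_type, icmp_id, seq, now):
        if icmp_type != ECHO_REQUEST:  # the only outbound service allowed, as in (2)
            return "drop"
        self.pending[(src, dst, icmp_id, seq)] = now + self.timeout
        return "accept"

    def inbound(self, src, dst, icmp_type, now, icmp_id=None, seq=None, quoted=None):
        if icmp_type == ECHO_REPLY:
            key = (dst, src, icmp_id, seq)
            if self._live(key, now):
                del self.pending[key]  # one reply per request
                return "accept"
        elif icmp_type in ICMP_ERRORS and quoted is not None:
            # quoted = (src, dst, id, seq) of the original packet carried inside the
            # error; the error itself may come from any router on the path.
            if quoted[0] == dst and self._live(tuple(quoted), now):
                return "accept"
        return "drop"

def demo():
    fw = IcmpStateTable()
    host, target, router = "10.0.0.5", "192.0.2.10", "198.51.100.1"  # constructed
    return [
        fw.outbound(host, target, ECHO_REQUEST, 0x1234, 1, now=0.0),
        fw.inbound(target, host, ECHO_REPLY, now=0.1, icmp_id=0x1234, seq=1),  # match
        fw.inbound(target, host, ECHO_REPLY, now=0.2, icmp_id=0x1234, seq=1),  # replay
        fw.inbound(target, host, ECHO_REPLY, now=0.3, icmp_id=0x9999, seq=7),  # unsolicited
        fw.outbound(host, target, ECHO_REQUEST, 0x1234, 2, now=1.0),
        fw.inbound(router, host, TIME_EXCEEDED, now=1.1, quoted=(host, target, 0x1234, 2)),
        fw.inbound(router, host, DEST_UNREACH, now=1.2, quoted=(host, target, 0x4321, 9)),
        fw.inbound(target, host, ECHO_REPLY, now=99.0, icmp_id=0x1234, seq=2),  # expired
    ]
```

With static inbound rules like (3), every packet in `demo()` of those three types would be accepted regardless of whether a request was ever sent.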