Based on the existing code of Checkpoint, I have implemented as an example a stateful version of ping.

Stateful ping means that an ICMP echo-reply will be accepted *only* if the FW-1 has seen an ICMP echo-request before, if the src<>dst match the dst<>src and if the icmp-id and icmp-seq match in both messages. Also, we limit echo-reply to *one* message for each echo-request.

As an option, it can also enable ICMP error messages to fly through your FW-1 if they are related to an existing TCP/UDP or ICMP connection. Their size is also limited.

See http://yassp.parc.xerox.com/fw1 for more detail.

jean
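
The matching rules described in the message above, modelled in Python as an added example; it is not part of the original post and is not Check Point or INSPECT code. The class name StatefulIcmp, the set of ICMP error types, the 576-byte size limit and the assumption that the rule base already permits the echo-request are all choices made for this example.

```python
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
ERROR_TYPES = {3, 11, 12}  # assumed set: unreachable, time exceeded, parameter problem
MAX_ERROR_LEN = 576        # assumed size limit; the post gives no figure

class StatefulIcmp:
    def __init__(self, allow_errors=False):
        self.pending = set()  # (src, dst, id, seq) of echo-requests awaiting a reply
        self.flows = set()    # (proto, src, sport, dst, dport) of known TCP/UDP flows
        self.allow_errors = allow_errors

    def check(self, src, dst, icmp):
        """Return True to accept the ICMP message `icmp` (bytes) sent src -> dst."""
        if len(icmp) < 8:
            return False
        mtype, _, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
        if mtype == ECHO_REQUEST:         # assumed already permitted by the rule base
            self.pending.add((src, dst, ident, seq))
            return True
        if mtype == ECHO_REPLY:
            key = (dst, src, ident, seq)  # reply must mirror the request
            if key not in self.pending:
                return False
            self.pending.remove(key)      # only one reply per request
            return True
        if self.allow_errors and mtype in ERROR_TYPES:
            return len(icmp) <= MAX_ERROR_LEN and self._related(dst, icmp[8:])
        return False

    def _related(self, dst, inner):
        """inner = offending IPv4 header + first 8 bytes of its payload."""
        if len(inner) < 20 or inner[0] >> 4 != 4:
            return False
        ihl = (inner[0] & 0x0F) * 4
        if ihl < 20 or len(inner) < ihl + 8:
            return False
        osrc = ".".join(map(str, inner[12:16]))
        odst = ".".join(map(str, inner[16:20]))
        if osrc != dst:                   # error must go back to the original sender
            return False
        l4 = inner[ihl:ihl + 8]
        if inner[9] == 1:                 # ICMP: must quote a pending echo-request
            t, _, _, ident, seq = struct.unpack("!BBHHH", l4)
            return t == ECHO_REQUEST and (osrc, odst, ident, seq) in self.pending
        sport, dport = struct.unpack("!HH", l4[:4])
        return (inner[9], osrc, sport, odst, dport) in self.flows
```

A real state table would also expire pending entries after a timeout; the message does not describe one, so it is left out here.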
