Proper Way to Pass ICMP Through Firewall-1?

What is the correct rule to use to allow ICMP packets to pass through a Checkpoint Firewall-1 firewall? If you have two segments behind a firewall, and you have a rule to allow all hosts behind one of the segments to ICMP all hosts on the other segment, how do you set up the rule?

I set a rule to allow the host group for the source segment to ICMP to the host group for the destination segment. The firewall log shows an Accept when an ICMP travels from the source to the destination. But the return ICMP packet never arrives back to the source. I then tried to set a second rule to allow ICMP from the destination back to the source. This made no difference. There is no error packet in the log anywhere around the Accept for ICMP, so whatever is failing is doing so in a way that is invisible to the firewall log.

I am trying to avoid the "Allow ICMP" setting on the Properties dialog because it seems far too permissive. I want to find a more strictly correct way to enable specific ICMPs, using just the ruleset, and I want all ICMP traffic to be visible in the log.

Reply to
Will
Loading thread data ...

Hmm,

Some thoughts

  • What types of ICMP are you allowing thru ?
  • Does the remote servers have a destination gateway other than the firewall (IP routing loop?) This will break stateful inspection
  • Stateful inspection - you should not need a second rule to allow traffic back to the orginating hosts.
  • Does the remote workstaions have the correct gateway?
  • Does other connectivity work? FTP/HTTP etc ?
Reply to
jag456

It ended up being a routing problem on the target device.

And I *did* need to have two symmetric rules on the firewall, authorizing the transit of ICMP packets in both directions. For whatever reason, the firewall was not maintaining stateful inspection of ICMP, unlike other protocols.

Reply to
Will

Thanks for this information. In an ideal case, how would you like to see a firewall handle ICMP filtering?

Reply to
Will

Because there is no such thing like stateful filtering of ICMP. Well there are some cases where you can think of stateful handling (echo-request and echo-reply) but not in general. And if you want to filter ICMP correctly you have to have knowledge about ICMP.

ICMP is a major problem in most firewall appliances nowadays. E.g. the Linksys WRT-boxes are very nice (and cheap), but you are unable to handle ICMP properly. For me that is the main reason to remove the Linksys firmware and install Openwrt.

I have seen so many bad or useless packet filters that makes me believe that none of the implementors knows nothing about ICMP. That's a nightmare.

OTOH, Check Point is an exception and the way they allow you to handle ICMP is O.K. for me.

cu, Wolfgang

Reply to
Wolfgang Zweimueller

To let the admin decide which packets are permitted to get through.

For example, Cisco's IOS handles it this way:

access-list 100 permit icmp any any echo access-list 100 permit icmp any any echo-reply access-list 100 permit icmp any any administratively-prohibited access-list 100 permit icmp any any unreachable access-list 100 permit icmp any any time-exceeded access-list 100 permit icmp any any packet-too-big access-list 100 permit icmp any any traceroute

You cann apply this access list to specific interfaces *and* directions (incoming or outgoing). I think this is a good implementation.

cu, Wolfgang

Reply to
Wolfgang Zweimueller

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.