Check Point - Deny traceroute through Check Point firewall


I have a Check Point NG R55. I allow an ICMP (all types) connection:

Source Destination Service icmp permit

The host can ping okay. When the host traces the route, it gets a response from the firewall's internal and external interfaces!

Host> traceroute: ok, firewall_ip, ok, ok

I do not want the hosts to see the firewall IP addresses. Can I configure the firewall to drop/reject the ICMP (type 8, time exceeded) packet to the host?

I have tried to make my own rule:

Source Destination Service firewall_ip icmp (type 8) deny

alternatively: any icmp (all types) deny

The "fw monitor" output shows me that ICMP type 8 packets flow from firewall_ip to the host, although I have denied it...

Thanks in advance.


There is something called a "stealth rule", a rule that makes your firewall invisible, meaning it drops all traffic directed to it (except possibly IPsec, control connections and so on, but these are implied rules in Check Point anyway, so there is no need to define them explicitly).


Hmmm... thanks, but I don't know where to set up the stealth rule. I think the stealth rule is not active or doesn't work.


Open your Check Point installation, open SmartDashboard, open Help, and on the Search tab enter "stealth". Read the topic; it's pretty explicit.

You can also set up a rule to specifically block (drop) ICMP, or just things like ping, according to just how paranoid you want to be.


Bjoern is alleged to have said in

Policy, Global Properties: uncheck "Accept ICMP" to deny all, or set it to "Before Last" if you want to be able to deny specific types of ICMP.

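The two answers above (the stealth rule, and moving the implied "Accept ICMP" rule from "First" to "Before Last" or unchecking it) both come down to rule ordering: an implied rule at "First" is evaluated before anything in the explicit rulebase, so an explicit drop rule for ICMP never gets a chance to match. The following is an added example written for this thread, not Check Point code: a small first-match rulebase evaluator that models the implied-rule positions around an explicit rulebase and reproduces the behaviour described in the question. The addresses, rule names, the control-connection port and the assumption that the gateway's ICMP time-exceeded reply is evaluated like any other packet are all assumptions made for the example.

```python
# Added example (not Check Point's own engine): a first-match policy
# evaluator that models how implied rules at First / Before Last / Last
# are ordered around the explicit rulebase from SmartDashboard.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed topology: the gateway's external and internal interface addresses
# and one internal host that runs ping/traceroute.
FIREWALL_IPS = {"198.51.100.1", "10.0.0.1"}
HOST = "10.0.0.50"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                       # "icmp", "tcp" or "udp"
    icmp_type: Optional[int] = None  # 8 = echo request, 11 = time exceeded
    dport: Optional[int] = None      # destination port for tcp/udp


@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # "any", one address, or "fw" (any firewall interface)
    dst: str
    service: str   # "any", "<proto>", "icmp:<type>" or "<proto>:<port>"
    action: str    # "accept" or "drop"


def _match_addr(pattern: str, addr: str) -> bool:
    if pattern == "any":
        return True
    if pattern == "fw":
        return addr in FIREWALL_IPS
    return pattern == addr


def _match_service(pattern: str, pkt: Packet) -> bool:
    if pattern == "any":
        return True
    proto, _, detail = pattern.partition(":")
    if proto != pkt.proto:
        return False
    if detail == "":
        return True
    # The detail is the ICMP type for icmp, the destination port otherwise.
    field = pkt.icmp_type if pkt.proto == "icmp" else pkt.dport
    return field == int(detail)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_match_addr(rule.src, pkt.src)
            and _match_addr(rule.dst, pkt.dst)
            and _match_service(rule.service, pkt))


def ordered_rulebase(explicit: List[Rule], accept_icmp: Optional[str]) -> List[Rule]:
    """Evaluation order: First implied rules, explicit rules, Before Last
    implied rules, the explicit cleanup rule, Last implied rules.

    explicit     - the SmartDashboard rules, the last one being the cleanup rule
    accept_icmp  - position of the implied "Accept ICMP" rule: "first",
                   "before_last", "last", or None when the box is unchecked
    """
    # Port 256 for the control connection is an assumption for this model.
    control = Rule("implied: control connections", "any", "fw", "tcp:256", "accept")
    icmp = Rule("implied: accept ICMP", "any", "any", "icmp", "accept")
    first = [control] + ([icmp] if accept_icmp == "first" else [])
    before_last = [icmp] if accept_icmp == "before_last" else []
    last = [icmp] if accept_icmp == "last" else []
    return first + explicit[:-1] + before_last + explicit[-1:] + last


def evaluate(pkt: Packet, explicit: List[Rule], accept_icmp: Optional[str]) -> Tuple[str, str]:
    """First match wins; returns (action, name of the matching rule)."""
    for rule in ordered_rulebase(explicit, accept_icmp):
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "no match"  # not reached when a cleanup rule is present


# Rulebase as described in the question: allow ICMP from the host, an explicit
# rule dropping ICMP from the firewall's own addresses, and a cleanup rule.
RULEBASE = [
    Rule("host icmp", HOST, "any", "icmp", "accept"),
    Rule("deny fw icmp", "fw", HOST, "icmp", "drop"),
    Rule("cleanup", "any", "any", "any", "drop"),
]
# Same rulebase with a stealth rule on top: anything sent to the gateway's
# own interfaces is dropped; control connections still pass via implied rule.
STEALTH_RULEBASE = [Rule("stealth", "any", "fw", "any", "drop")] + RULEBASE

# Constructed packets: the time-exceeded a hop returns to a traceroute
# (assumed here to go through the rulebase) and a probe aimed at the gateway.
TIME_EXCEEDED = Packet("10.0.0.1", HOST, "icmp", icmp_type=11)
PROBE_TO_FW = Packet(HOST, "10.0.0.1", "udp", dport=33434)

if __name__ == "__main__":
    for pos in ("first", "before_last", None):
        print(f"Accept ICMP={pos!r}: time-exceeded -> {evaluate(TIME_EXCEEDED, RULEBASE, pos)}")
    print("stealth rule, probe to fw ->", evaluate(PROBE_TO_FW, STEALTH_RULEBASE, "first"))
```

With the implied rule at "First" the explicit "deny fw icmp" rule is shadowed and the reply is accepted by the implied rule, which is what the `fw monitor` capture in the question shows; at "Before Last" or unchecked the explicit drop matches. The same ordering also means an implied "Accept ICMP" at "First" lets a ping to the gateway through a stealth rule, so the position matters for the stealth rule as well.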