Checkpoint - Deny traceroute through checkpoint firewall

Hello,

I have a Checkpoint NG R55. I allow an icmp (all types) connection:

Source      Destination   Service   Action
10.1.1.1    20.2.2.2      icmp      permit

The host 10.1.1.1 can ping 20.2.2.2. Okay. When host 10.1.1.1 traces the route to 20.2.2.2, it gets a response from the firewall internal and external interface!

Host 10.1.1.1> traceroute 20.2.2.2

10.1.1.1 ok firewall_ip ok 20.2.2.2 ok

I do not want the host to see the firewall IP addresses. Can I configure the firewall to drop/reject the icmp (type 8 time exceeded) packet to the host?

I have tried to make my own rule:

Source        Destination   Service           Action
firewall_ip   10.1.1.1      icmp (type 8)     deny

alternative:

Source        Destination   Service           Action
any           10.1.1.1      icmp (all types)  deny

The "fw monitor" shows me that icmp type 8 packets flow from firewall_ip to host 10.1.1.1, although I have denied it...

Thanks in advance.

Reply to
Bjoern

There is something called a "stealth rule", a rule where you make your fw invisible, meaning it drops all traffic directed to it (except e.g. IPsec, control connections and so on, but these are implied rules at Checkpoint anyway, so no need to define them explicitly).

Reply to
Observer

Hmmm... thanks, but I don't know where to set up the stealth rule? I think the stealth rule is not active or doesn't work.

Reply to
Bjoern

Open your Checkpoint installation, open SmartDashboard, open Help, and on the search tab enter "stealth". Read the topic; it's pretty explicit.

You can also set up a rule to specifically block (drop) ICMP, or just things like ping, according to just how paranoid you want to be.

Reply to
Beoweolf

Bjoern is alleged to have said in comp.security.firewalls:

Policy, Global Properties, uncheck "Accept ICMP" to deny all, or set it to "Before Last" if you want to be able to deny specific types of ICMP.

Reply to
Rob Hughes
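The point in Rob's reply, as an added illustration that is not from the thread or from Check Point: an implied rule positioned "First" is evaluated before the explicit rulebase, so the firewall's own ICMP reply to the tracing host is accepted before the explicit deny rule is ever consulted; at "Before Last" the explicit deny wins. The rule representation, the placeholder firewall address and the packet fields are simplified assumptions.

```python
# Added example (not the thread's or Check Point's code): a toy model of how
# implied rules are ordered against the explicit rulebase. The position
# names "First", "Before Last" and "Last" are the Global Properties choices;
# everything else here is a simplified assumption.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    src: str                 # address or "any"
    dst: str                 # address or "any"
    proto: str               # "icmp" or "any"
    icmp_type: Optional[int] # None matches every ICMP type
    action: str              # "accept" or "drop"
    name: str

def matches(r: Rule, src: str, dst: str, proto: str, icmp_type: int) -> bool:
    return (r.src in ("any", src) and r.dst in ("any", dst)
            and r.proto in ("any", proto)
            and (r.icmp_type is None or r.icmp_type == icmp_type))

def evaluate(explicit: List[Rule], implied: List[Rule], implied_pos: str,
             src: str, dst: str, proto: str, icmp_type: int) -> Tuple[str, str]:
    """First-match evaluation; the last explicit rule is the cleanup rule."""
    if implied_pos == "First":
        order = implied + explicit
    elif implied_pos == "Before Last":          # before the cleanup rule
        order = explicit[:-1] + implied + explicit[-1:]
    else:                                       # "Last": after everything
        order = explicit + implied
    for r in order:
        if matches(r, src, dst, proto, icmp_type):
            return r.action, r.name
    return "drop", "implicit-drop"              # nothing matched at all

FW_IP = "192.0.2.1"   # placeholder for the thread's firewall_ip
# Constructed rulebase mirroring the thread: permit the host's ICMP,
# deny ICMP from the firewall to the host, then a cleanup drop.
EXPLICIT = [
    Rule("10.1.1.1", "20.2.2.2", "icmp", None, "accept", "allow-icmp"),
    Rule(FW_IP, "10.1.1.1", "icmp", None, "drop", "deny-fw-icmp"),
    Rule("any", "any", "any", None, "drop", "cleanup"),
]
IMPLIED = [Rule("any", "any", "icmp", None, "accept", "implied-accept-icmp")]

def firewall_reply_verdict(implied_pos: str) -> Tuple[str, str]:
    """Verdict for the firewall's ICMP time exceeded (type 11) reply to the host."""
    return evaluate(EXPLICIT, IMPLIED, implied_pos, FW_IP, "10.1.1.1", "icmp", 11)

def host_ping_verdict(implied_pos: str) -> Tuple[str, str]:
    """Verdict for the host's echo request (type 8) to 20.2.2.2."""
    return evaluate(EXPLICIT, IMPLIED, implied_pos, "10.1.1.1", "20.2.2.2", "icmp", 8)
```

With "Accept ICMP" at "First" the deny rule is shadowed; moving it to "Before Last" lets the explicit deny match while the host's own ping stays permitted.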
