FW-1 gateway sends ICMP packets

From: lolofe (lolofe@email.com)
Date: 05/29/02


I have an issue with a FW-1 gateway sending ICMP 'TTL exceeded'
packets, while I don't want such packets to be sent to the Internet.

Consider the following security policy on
Check Point FW-1 4.1 SP3, Windows NT4:

1-) the only implied rule enabled: "accept outgoing packets
originating from gateway"

2-) gateway rules are applied eitherbound

3-) firewall rules strictly minimize ICMP traffic:
     . accept echo requests from the inside (from the protected DMZ)
     . accept echo replies from the outside (from internet)
     . other ICMP traffic is dropped

4-) open ports on the firewall gateway are filtered and cannot be seen
from the outside.

So, the firewall gateway is not supposed to send or relay ICMP 'TTL
exceeded' packets.

But, consider forging the following packet from the Internet:

- TCP packet
- dest IP : the IP address of a machine within the DMZ
- dest port : an allowed port on the machine within the DMZ
- TTL : the exact HOP number of the firewall gateway
- options : SYN

This TCP packet will reach the firewall gateway with a TTL equal to 0.
Then, I observe that
  *** the firewall will send in return an ICMP packet 'TTL exceeded' ***

So my question is: how can I prevent the firewall gateway from
sending such an ICMP packet to the originating host? Is it related to
point 1-)?

Thanks
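An added example, not part of lolofe's post and not Check Point code: it builds the probe the post describes (a TCP SYN whose IP TTL equals the gateway's hop count) as raw bytes, models the path with the FW-1 gateway as the last hop, and decodes the ICMP 'time exceeded' (type 11, code 0) that a hop emits when the TTL runs out. It shows why the behaviour matters: the reply is sourced from the gateway's own address and quotes the probe, so the gateway reveals itself even though its ports are filtered; raising the TTL by one lets the probe pass and nothing comes back. All addresses, ports and the hop list are constructed assumptions; nothing is sent on the wire.

```python
"""Model of a TTL-expiry probe against a filtering gateway (added example).

Assumed, constructed values: attacker 192.0.2.77, DMZ host 198.51.100.20:80,
path = two upstream routers then the FW-1 gateway 198.51.100.1 at hop 3.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a correct packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn_probe(src_ip, dst_ip, dst_port, ttl, src_port=40000, seq=0x12345678):
    """20-byte IPv4 header with the caller's TTL + 20-byte TCP SYN, no options."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    syn = 0x02
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0, 5 << 4, syn, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0xBEEF, 0, ttl,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp


def build_time_exceeded(router_ip, expired_packet):
    """ICMP type 11 code 0 as RFC 792 prescribes: the expired datagram's IP header
    plus its first 8 bytes (TCP ports and sequence number), sourced from the
    router's own address.  Real stacks differ in whether the quoted TTL is the
    received value or the decremented one; this model quotes it as received."""
    quoted = expired_packet[:28]
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    src, dst = socket.inet_aton(router_ip), expired_packet[12:16]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                     socket.IPPROTO_ICMP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def hop(packet, router_ip):
    """One router or gateway hop: forward with TTL-1 and a refreshed header
    checksum, or, when the TTL would reach 0, answer with ICMP time exceeded."""
    ttl = packet[8]
    if ttl <= 1:
        return "expired", build_time_exceeded(router_ip, packet)
    hdr = bytearray(packet[:20])
    hdr[8] = ttl - 1
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return "forward", bytes(hdr) + packet[20:]


def parse_time_exceeded(packet):
    """Return (replying_router, quoted_dst, quoted_dst_port) for an ICMP time
    exceeded that quotes a TCP datagram, else None."""
    if len(packet) < 20 + 8 + 28 or packet[9] != socket.IPPROTO_ICMP:
        return None
    icmp = packet[20:]
    if icmp[0] != 11 or icmp[1] != 0 or inet_checksum(icmp) != 0:
        return None
    quoted = icmp[8:]
    if quoted[9] != socket.IPPROTO_TCP:
        return None
    return (socket.inet_ntoa(packet[12:16]),          # who answered: the gateway
            socket.inet_ntoa(quoted[16:20]),          # the DMZ host we aimed at
            struct.unpack("!H", quoted[22:24])[0])    # the allowed port we used


def run_probe(attacker_ip, dmz_host, dmz_port, path, ttl=None):
    """Send the probe through the modelled path (last entry is the gateway).
    Default TTL is the gateway's hop number, as in the post.  Returns what the
    attacker learns from the ICMP reply, or None if the probe passed through."""
    pkt = build_syn_probe(attacker_ip, dmz_host, dmz_port, len(path) if ttl is None else ttl)
    for router in path:
        state, pkt = hop(pkt, router)
        if state == "expired":
            return parse_time_exceeded(pkt)
    return None


if __name__ == "__main__":
    path = ["203.0.113.1", "203.0.113.9", "198.51.100.1"]   # constructed; gateway last
    for t in (1, 2, 3, 4):
        print("TTL", t, "->", run_probe("192.0.2.77", "198.51.100.20", 80, path, ttl=t))
```

Walking the TTL from 1 upward is the traceroute pattern: each hop, the gateway included, names itself in the source address of its time-exceeded reply, and a reply that quotes the TCP probe towards an allowed DMZ port confirms the packet was accepted rather than dropped. Whether FW-1 4.1's implied "outgoing packets originating from gateway" rule is what lets that reply out is the poster's open question; the model only shows what the reply discloses once it leaves.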
