Proper Way to Pass ICMP Through Firewall-1?

From: Will (
Date: 04/28/05

Date: Wed, 27 Apr 2005 23:20:56 -0700

What is the correct rule to use to allow ICMP packets to pass through a
Checkpoint Firewall-1 firewall? If you have two segments behind a
firewall, and you have a rule to allow all hosts behind one of the segments
to ICMP all hosts on the other segment, how do you set up the rule?

I set a rule to allow the host group for the source segment to ICMP to the
host group for the destination segment. The firewall log shows an Accept
when an ICMP travels from the source to the destination. But the return
ICMP packet never arrives back to the source. I then tried to set a
second rule to allow ICMP from the destination back to the source. This
made no difference. There is no error packet in the log anywhere around
the Accept for ICMP, so whatever is failing is doing so in a way that is
invisible to the firewall log.

I am trying to avoid the "Allow ICMP" setting on the Properties dialog
because it seems far too permissive. I want to find a more strictly
correct way to enable specific ICMPs, using just the ruleset, and I want all
ICMP traffic to be visible in the log.
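What the question is really about is state: an echo reply is only meaningful to a firewall if it can be matched to an echo request that was already accepted in the opposite direction, and a reply that arrives with nothing to match (or a request in the non-permitted direction) should be dropped and, ideally, logged rather than silently lost. The following is an added example, not code from the original post and not Check Point's implementation: a minimal ICMP echo parser with RFC 792 checksum verification plus a toy stateful filter. The networks, hosts, identifiers and payload are constructed for the demonstration.

```python
"""Toy stateful ICMP echo filter (illustrative example, not a real firewall)."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement sum over 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an echo request/reply message with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


@dataclass
class IcmpEcho:
    type: int
    code: int
    ident: int
    seq: int


def parse_echo(msg: bytes) -> IcmpEcho:
    """Parse the 8-byte ICMP echo header; reject short or corrupted messages."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    # Summing a message that includes its own checksum field must give zero.
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return IcmpEcho(icmp_type, code, ident, seq)


class StatefulIcmpFilter:
    """Accept echo requests matching a (src_net, dst_net) rule and only those
    echo replies that answer a previously accepted request. Every verdict is
    logged, so nothing fails invisibly."""

    def __init__(self, rules):
        self.rules = [(ip_network(s), ip_network(d)) for s, d in rules]
        self.pending = {}  # (reply_src, reply_dst, ident, seq) -> True
        self.log = []

    def process(self, src: str, dst: str, msg: bytes) -> str:
        echo = parse_echo(msg)
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if echo.type == ICMP_ECHO_REQUEST:
            if any(src_ip in s and dst_ip in d for s, d in self.rules):
                # Remember the reply we expect: it will come from dst back to src.
                self.pending[(dst, src, echo.ident, echo.seq)] = True
                verdict = "accept"
            else:
                verdict = "drop"
        elif echo.type == ICMP_ECHO_REPLY:
            key = (src, dst, echo.ident, echo.seq)
            verdict = "accept" if self.pending.pop(key, None) else "drop"
        else:
            verdict = "drop"  # other ICMP types are out of scope for this toy
        self.log.append(
            f"{verdict} icmp type={echo.type} {src}->{dst} id={echo.ident} seq={echo.seq}"
        )
        return verdict


def demo():
    """Constructed scenario: segment A (10.1.0.0/24) may ping segment B (10.2.0.0/24)."""
    fw = StatefulIcmpFilter([("10.1.0.0/24", "10.2.0.0/24")])
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"hello")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"hello")
    v_request = fw.process("10.1.0.5", "10.2.0.9", req)   # permitted direction
    v_reply = fw.process("10.2.0.9", "10.1.0.5", rep)     # matches pending request
    v_replay = fw.process("10.2.0.9", "10.1.0.5", rep)    # nothing pending any more
    v_reverse = fw.process("10.2.0.9", "10.1.0.5",
                           build_echo(ICMP_ECHO_REQUEST, 1, 1))  # B->A not permitted
    return v_request, v_reply, v_replay, v_reverse


if __name__ == "__main__":
    print(demo())
    fw_log = StatefulIcmpFilter([("10.1.0.0/24", "10.2.0.0/24")])
    fw_log.process("10.1.0.5", "10.2.0.9", build_echo(ICMP_ECHO_REQUEST, 7, 3))
    print("\n".join(fw_log.log))
```

The point for the ruleset question: a second, static rule permitting "ICMP from destination back to source" is a different thing from matching the reply to its request. If a gateway treats ICMP statelessly, the reply has to be permitted explicitly; if it tracks echo state, the reply is accepted as part of the original accept and a separate reverse rule changes nothing, which is consistent with the log showing one Accept and no error entry. The toy above logs every verdict so a dropped reply is at least visible.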
