Checkpoint - Deny traceroute through checkpoint firewall

Post by Bjoer » Wed, 11 Aug 2004 22:27:15


Hello,

I have a Checkpoint NG R55. I allow an icmp (all types) connection:

Source Destination Service
10.1.1.1 20.2.2.2 icmp permit

The host 10.1.1.1 can ping 20.2.2.2. Okay.
When host 10.1.1.1 traces the route to 20.2.2.2, it gets a response from
the firewall's internal and external interfaces!

Host 10.1.1.1> traceroute 20.2.2.2

10.1.1.1 ok
firewall_ip ok
20.2.2.2 ok

I do not want the host to see the firewall's IP addresses. Can I
configure the firewall to drop/reject the icmp (type 8 time exceeded)
packet to the host?

I have tried to make my own rule:

Source Destination Service
firewall_ip 10.1.1.1 icmp (type 8) deny

alternative
any 10.1.1.1 icmp (all types) deny

The "fw monitor" shows me that icmp type 8 packets flow from
firewall_ip to host 10.1.1.1, although I have denied it...

Thanks in advance.

Post by Observe » Wed, 11 Aug 2004 22:54:51

There is something called a "stealth rule", a rule that makes your fw
invisible, meaning it drops all traffic directed to it (except possibly IPsec,
control connections and so on, but these are implied rules at
Checkpoint anyway, so there is no need to define them explicitly).


Post by Bjoer » Thu, 12 Aug 2004 14:48:04


Hmmm... thanks, but I don't know where to set up the stealth rule. I think the
stealth rule is not active or doesn't work.

Post by Beoweol » Fri, 13 Aug 2004 02:48:22

Open your Checkpoint installation.
Open SmartDashboard.
Open Help.
On the Search tab, enter "stealth".
Read the topic; it's pretty explicit.

You can also set up a rule to specifically block (drop) ICMP, or just things
like Ping, according to just how paranoid you want to be.

Post by Rob Hughe » Sat, 14 Aug 2004 05:30:35

Bjoern is alleged to have said in comp.security.firewalls:


Policy, Global Properties: uncheck "Accept ICMP" to deny all, or set it to
"Before Last" if you want to be able to deny specific types of ICMP.

--
Recursion: n. See Recursion.

Post by Bjoern Pot » Wed, 18 Aug 2004 17:00:47


Thanks for the hint. But it is already checked.

There is an implied rule (View -> Implied Rules): Source=local machine,
Destination=any, Action=allow

I cannot modify this rule and cannot add an implied rule manually...

Post by Rob Hughe » Thu, 19 Aug 2004 11:25:49

Bjoern Potschien is alleged to have said in comp.security.firewalls:


Uncheck allow outgoing packets from firewall.

--
Recursion: n. See Recursion.
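As an added example (not code from the thread or from Check Point), a small Python model of rule-base evaluation together with the Global Properties implied rules, illustrating the advice in the replies: the position of an implied rule (First, Before Last, Last) decides whether an explicit drop for the firewall's own ICMP replies can ever match. The rule names and the assumed "First" placement of the "outgoing packets from Gateway" implied rule are illustrative assumptions, not the product's defaults.

```python
# Added example (not from the thread): a minimal model of Check Point policy
# evaluation with the Global Properties implied rules. An implied accept at
# position "First" shadows the poster's explicit drop; unchecking it or moving
# it to "Before Last" lets the explicit drop take effect. Positions assumed.
from dataclasses import dataclass

ANY = "any"
FW, HOST, SERVER = "firewall_ip", "10.1.1.1", "20.2.2.2"  # names from the thread


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    svc: str     # protocol name or ANY
    action: str  # "accept" or "drop"
    name: str


def matches(rule, pkt):
    return all(f == ANY or f == pkt[k] for f, k in
               ((rule.src, "src"), (rule.dst, "dst"), (rule.svc, "svc")))


def evaluate(explicit, implied, pkt):
    """First match wins, in Check Point's order: implied 'first' rules, the
    explicit rules except the last one, implied 'before last' rules, the
    last explicit (cleanup) rule, then implied 'last' rules."""
    order = (implied.get("first", []) + explicit[:-1]
             + implied.get("before_last", []) + explicit[-1:]
             + implied.get("last", []))
    for rule in order:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "implicit cleanup"


# The poster's explicit rule base: stealth rule, his deny, the ICMP permit, cleanup.
EXPLICIT = [
    Rule(ANY, FW, ANY, "drop", "stealth"),
    Rule(FW, HOST, "icmp", "drop", "deny fw icmp to host"),
    Rule(HOST, SERVER, "icmp", "accept", "icmp permit"),
    Rule(ANY, ANY, ANY, "drop", "cleanup"),
]
# Implied rule "Accept outgoing packets originating from Gateway" (position assumed below)
OUTGOING_FROM_GATEWAY = Rule(FW, ANY, ANY, "accept", "implied: outgoing from gateway")
HOP_REPLY = {"src": FW, "dst": HOST, "svc": "icmp"}  # traceroute hop reply sent by the firewall


def hop_reply_decision(position):
    """position: 'first', 'before_last', or None (implied rule unchecked)."""
    implied = {position: [OUTGOING_FROM_GATEWAY]} if position else {}
    return evaluate(EXPLICIT, implied, HOP_REPLY)


if __name__ == "__main__":
    for pos in ("first", "before_last", None):
        print(pos, "->", hop_reply_decision(pos))
```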