Re: Default configuration in WatchGuard Firewall

From: Ryan Russell (Ryan.Russellat_private)
Date: Sat Sep 04 1999 - 10:42:53 PDT


    It's always a good idea to disable pings from the outside to your internal
    network.  I don't mean to discourage anyone from doing so, but...
    
    >    # route add -net 192.168.0.0 netmask 255.255.255.0 gw 100.100.100.100
    
    This only works if you are on the 100.100.100 network, i.e. one hop away.  Won't
    work all the way across the Internet.  Have you tried it with source-routing?
    
    >    Solution is easy ... do not let pings to internal network.
    
    Please do.  Does Watchguard give you some flexibility about what ICMP to let
    in?  I.e. can you shut off the pings in, but still leave on ICMP unreachables,
    in order to not break path MTU discovery?  Does it do the stateful thing and
    let ICMP echo replies in only if a request was sent, etc?
    
    ICMP is also one of the many interesting things that Firewall-1 leaves on by
    default.  Newbie FW-1 admins usually don't know to go through the properties
    screen and disable all the things on by default.
    
                                  Ryan
    
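The inbound ICMP policy Ryan asks about (pings in off, unreachables left on for path MTU discovery, echo replies only when a request went out) expressed as an nftables ruleset for a Linux packet filter in front of an internal network. This is an added example, not code from the post, from WatchGuard or from Firewall-1; the interface names "wan" and "lan" are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the post): forward-chain ICMP policy for a Linux
# filter between an external interface "wan" and an internal one "lan".
# Both names are hypothetical. Load with: nft -f this-file.nft
flush ruleset

table inet edge {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Internal hosts may initiate anything outbound.
        iifname "lan" oifname "wan" accept

        # The "stateful thing": conntrack tracks an outbound echo-request
        # by its id/sequence, so the matching echo-reply returns as
        # ESTABLISHED, and an ICMP error quoting one of our own flows
        # (e.g. frag-needed) returns as RELATED. Unsolicited replies do not.
        ct state established,related accept
        ct state invalid drop

        # No pings in: drop echo-request arriving from the outside.
        iifname "wan" icmp type echo-request drop
        iifname "wan" icmpv6 type echo-request drop

        # Keep path MTU discovery working even when conntrack could not
        # relate the error to a flow, but rate-limit it.
        iifname "wan" icmp type destination-unreachable icmp code frag-needed limit rate 10/second accept
        iifname "wan" icmpv6 type packet-too-big limit rate 10/second accept

        # Other unreachables and time-exceeded are useful for diagnostics;
        # any ICMP type not listed here is dropped by the chain policy.
        iifname "wan" icmp type { destination-unreachable, time-exceeded } limit rate 10/second accept
        iifname "wan" icmpv6 type time-exceeded limit rate 10/second accept
    }
}
```

Verify the result from the outside with a ping (it should time out) and from the inside with a ping out (the reply should pass, because of the established/related rule rather than any echo-reply accept); `nft list ruleset` shows what was actually loaded.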



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:50 PDT