FireWall-1 FAQ: How Do I Allow Only Ping and Traceroute Requests?
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
FireWall-1 versions prior to 4.0 do not perform stateful inspection of ICMP. In version 4.0 and later, FireWall-1 theoretically does stateful inspection of ICMP with the property enabled. However, I have seen/heard various reports about it not working correctly. If you do enable the ICMP property, enable it as “before last” and allow outbound ICMP explicitly in the rulebase.
In FireWall-1 NG, it’s even more annoying – you cannot disable stateful inspection of ICMP until NG AI.
The services you want to allow outbound (to the Internet) are: echo-request, traceroute
The services you want to allow inbound (from the Internet) are: echo-reply, time-exceeded, dest-unreach, param-prblm
Note that in version 4.0 and later, you will not need to explicitly allow the services inbound provided the “Enable ICMP” property is enabled per above, but you still will need to specify a rule to allow ICMP outbound.