CPUG
The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
Hello, I'm running Check Point Express on Linux, with NGX (R60), and have an issue whereby I _need_ to allow ICMP redirects. I've already made a rule to allow ICMP type 5; however, in SmartView Tracker I'm seeing that ICMP redirects are still being blocked. Am I missing something, or is it just not allowed? Regards.
You need to enable the global kernel variable "fw_icmp_redirects". You can do this by editing the file "$FWDIR/boot/modules/fwkern.conf". Simply add the following line:

fw_icmp_redirects=1

Then reboot your system. Regards, Simon
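An added example, not from Simon's post or from Check Point: a small POSIX shell helper that sets the variable in fwkern.conf idempotently (re-running it replaces the existing line instead of appending a duplicate) and reads back what the file holds. The file path is passed as an argument, so it can be tried against a scratch file before touching $FWDIR/boot/modules/fwkern.conf; the "fw ctl get int" call only makes sense on the gateway itself.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: idempotently set a
# kernel variable in fwkern.conf. The file path is passed in so the helpers
# can be exercised against a temporary file first.

# set_fwkern_var FILE NAME VALUE
# Replaces an existing "NAME=..." line or appends one; never creates duplicates.
set_fwkern_var() {
    conf="$1"; var="$2"; val="$3"
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^${var}=" "$conf"; then
        # Portable in-place edit (no GNU-only "sed -i"): write to a temp file,
        # then copy it back so the original file keeps its owner and mode.
        tmp="${conf}.tmp.$$"
        sed "s/^${var}=.*/${var}=${val}/" "$conf" > "$tmp" \
            && cat "$tmp" > "$conf" && rm -f "$tmp"
    else
        printf '%s=%s\n' "$var" "$val" >> "$conf"
    fi
}

# get_fwkern_var FILE NAME
# Prints the value configured for NAME (last match wins), or nothing if absent.
get_fwkern_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# running_fwkern_var NAME
# Prints the value the loaded kernel module currently uses, via "fw ctl get int".
# After the reboot the thread describes, this should agree with the file.
running_fwkern_var() {
    if command -v fw >/dev/null 2>&1; then
        fw ctl get int "$1"
    else
        echo "fw command not found; run this on the gateway" >&2
        return 1
    fi
}

# Usage on the gateway (reboot afterwards, as the thread says):
#   set_fwkern_var "$FWDIR/boot/modules/fwkern.conf" fw_icmp_redirects 1
#   get_fwkern_var "$FWDIR/boot/modules/fwkern.conf" fw_icmp_redirects   # -> 1
```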
Hello compubear, at this point some more details are needed to help you fix the problem. Should the firewall send ICMP redirects, should it receive them, are you running a cluster, and is it a SecurePlatform Linux or Red Hat? Regards, Simon
Hello Simon, I'm running Red Hat Enterprise 3.2.3-52; this is the latest software that came for our device, which is a SecureGuard. The SecureGuard in our network is intended for VPN traffic to a remote office, and we do not wish to use it as a gateway (although it can definitely do it). We have another gateway (Gateway2) which has a separate internet connection for our users. At times, however, our users may need to communicate with the remote office, so what I did was add a static route on Gateway2 to redirect traffic intended for the remote office to go through the SecureGuard.

However, with a simple ping, I'm getting in the region of 47% packet loss to our remote office. I'm also getting a fair number of entries similar to the one below:

    "Number: 20099
    Date: 18May2006
    Time: 17:31:01
    Product: VPN-1 Pro/Express
    Interface: eth0
    Origin: sgvpn (192.168.0.254)
    Type: Log
    Action: Drop
    Protocol: icmp
    Source: sgvpn (192.168.0.254)
    Destination: 192.169.0.10
    Information: ICMP: Host Redirect ICMP Type: 5 ICMP Code: 1
    message_info: ICMP redirect packets are not allowed"

If, however, I do point the local machines (which are running Windows XP SP2, by the way), I get no packet loss when I do a 10000-ping test, and I can connect to the remote network with no problems whatsoever. 192.168.0.10 is a local machine, 192.168.0.254 is the SecureGuard and 192.168.0.250 is Gateway2.

I can write a simple batch script which can add/delete the routes to the remote network on the machines; however, I needed a solution that was as non-intrusive as possible to our users. Regards, and thanks much. cbear.