SunScreen EFS 3.0 provides predefined services for screening ICMP packets, including ping.
These services are built upon the icmp state engine and allow an ICMP ping request-and-response exchange to occur between a Source and Destination system. Use the predefined service ping if you want to provide ping access.
The icmp state engine can also be used to create other services to pass ICMP messages of a specific type. Most of the common ICMP packets have entries in the predefined services.
The above rules allow Inside machines to ping Outside machines, but not vice versa. They also allow ICMP unreachable packets to be sent from Outside machines to Inside machines. Note that the ping service allows packets in two directions (ping-request packets from Source to Destination and ping-response packets from Destination to Source), while the icmp-unreach service allows packets to flow in only one direction (from Source to Destination).
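The direction semantics described above can be checked with a small model. This is an added example, not SunScreen code or configuration syntax: the addresses, the IcmpFilter class and the matching of replies to outstanding requests by identifier and sequence number are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST = 0, 3, 8  # ICMP type numbers (RFC 792)

# Constructed address groups standing in for the page's Inside and Outside.
GROUPS = {"Inside": {"10.0.0.5", "10.0.0.6"},
          "Outside": {"192.0.2.10", "192.0.2.20"}}

# (service, Source, Destination): the policy the paragraph describes.
RULES = [("ping", "Inside", "Outside"), ("icmp-unreach", "Outside", "Inside")]

@dataclass
class IcmpFilter:
    """Simplified model of a stateful ICMP filter (assumed behaviour)."""
    pending: set = field(default_factory=set)  # outstanding echo requests

    def allow(self, src, dst, icmp_type, ident=0, seq=0):
        for service, s_grp, d_grp in RULES:
            fwd = src in GROUPS[s_grp] and dst in GROUPS[d_grp]  # Source -> Destination
            rev = src in GROUPS[d_grp] and dst in GROUPS[s_grp]  # Destination -> Source
            if service == "ping":
                if fwd and icmp_type == ECHO_REQUEST:
                    self.pending.add((src, dst, ident, seq))  # remember the request
                    return True
                if rev and icmp_type == ECHO_REPLY:
                    key = (dst, src, ident, seq)
                    if key in self.pending:       # only a reply to a seen request
                        self.pending.discard(key)
                        return True
            elif service == "icmp-unreach":
                if fwd and icmp_type == DEST_UNREACH:  # one direction only
                    return True
        return False  # nothing matched: drop

def demo():
    fw = IcmpFilter()
    return [
        fw.allow("10.0.0.5", "192.0.2.10", ECHO_REQUEST, 7, 1),  # Inside pings Outside
        fw.allow("192.0.2.10", "10.0.0.5", ECHO_REPLY, 7, 1),    # matching response
        fw.allow("192.0.2.10", "10.0.0.5", ECHO_REPLY, 7, 1),    # same response again
        fw.allow("192.0.2.20", "10.0.0.5", ECHO_REQUEST, 9, 1),  # Outside pings Inside
        fw.allow("192.0.2.20", "10.0.0.6", DEST_UNREACH),        # unreachable, inbound
        fw.allow("10.0.0.6", "192.0.2.20", DEST_UNREACH),        # unreachable, outbound
    ]

if __name__ == "__main__":
    print(demo())
```

Only the first, second and fifth packets pass: the echo request and its response under the ping rule, and the inbound unreachable under the icmp-unreach rule.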