Take a look at the properties tab (platform depends on location). Then look
at Enable ICMP. This setting is called rule "zero". The setting allows
First, before last, and last. I believe it defaults to first. If the
firewall rule base is any----any---drop for the last rule, then the rule
will allow ICMP before it looks at the last rule. If the setting is set to
last, then the ICMP rule in the properties tab will be the last rule in the
> From: Rafeeq Ur Rehman <rehman @
> To: Dave Sroelov <dsroelov @
> Cc: fw-1-mailinglist @
com; firewalls @
> Subject: Re: strange behavior
> Date: Thursday, February 13, 1997 12:35 AM
> On Wed, 12 Feb 1997, Dave Sroelov wrote:
> > being somewhat new to FW-1 i have come across something that is a
> > strange. if i set up a policy with one rule that says to reject all
> > packet types from source=any to destination=any and log everything, why
> > does ping still work?
> > if i specifically add a rule to block icmp packets then ping stops. i
> > would think that blocking 'all' packet types would block everything
> > FW-1 knows about, and it knows about icmp.
> If you have an application level firewall, it may not stop icmp.
> Rafeeq Ur Rehman
> rehman @