Allowing ICMP Ping Requests
As a further example of setting up IP rules, it can be very useful to allow ICMP Ping requests to
flow through the Clavister Security Gateway. As discussed earlier, CorePlus will drop any
traffic unless an IP rule explicitly allows it. Let us suppose that we wish to allow computers on
the internal ge3_net network to ping external hosts with the ICMP protocol.
There can be several rule sets defined in CorePlus but there is only one rule set defined by
default and this is called main. To add a rule to it, first select Rules > IP Rule Sets > main from
the navigation tree.
The main rule set list contents are now displayed. Press the Add button and select IP Rule.
The properties for a new IP rule will appear and we can add a rule, in this case called
allow_ping_outbound.
The IP rule again has the NAT action, which is necessary if the protected local hosts have private
IP addresses. The ICMP requests will be sent out from the Clavister Security Gateway with the IP
address of the interface connected to the ISP as the source address. Responding hosts will send
back ICMP responses to this single IP and CorePlus will then forward the response to the correct
private IP address.
Adding a Drop All Rule
The top-down nature of IP rule set scanning was discussed earlier. If no
matching IP rule is found for a new connection then the default rule is triggered. This rule is
hidden and cannot be changed. Its action is to drop all such traffic and to generate a log
message for the drop.
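The following added example (a simplified model, not CorePlus code or Clavister's implementation) shows top-down, first-match evaluation of the main rule set with allow_ping_outbound, the hidden default drop, and an explicit final drop rule. The addresses, the rule name drop_all, the service labels and all function names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

GE3_NET = "192.168.3.0/24"   # constructed: stands in for ge3_net
WAN_IP = "203.0.113.10"      # constructed: address of the ISP-facing interface
ALL_NETS = "0.0.0.0/0"

@dataclass
class Rule:
    name: str
    action: str              # "NAT" or "Drop" in this model
    src_net: str
    dst_net: str
    service: str             # simplified label such as "ping", or "any"
    log: bool = False

# Models the hidden rule: it cannot be edited, always drops and always logs.
DEFAULT_RULE = Rule("default_drop", "Drop", ALL_NETS, ALL_NETS, "any", log=True)

def matches(rule, src, dst, service):
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src_net)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst_net)
            and rule.service in ("any", service))

def evaluate(rule_set, src, dst, service):
    """Scan top-down; the first matching rule decides, otherwise the default rule."""
    rule = next((r for r in rule_set if matches(r, src, dst, service)), DEFAULT_RULE)
    # NAT replaces the private source with the ISP-facing interface address.
    on_wire = {"NAT": WAN_IP, "Drop": None}.get(rule.action, src)
    return {"rule": rule.name, "action": rule.action,
            "source_on_wire": on_wire, "logged": rule.log}

def with_drop_all(rule_set, log):
    """Append an explicit last rule so the drop's logging is under our control."""
    return rule_set + [Rule("drop_all", "Drop", ALL_NETS, ALL_NETS, "any", log=log)]

MAIN = [Rule("allow_ping_outbound", "NAT", GE3_NET, ALL_NETS, "ping")]

if __name__ == "__main__":
    for rule_set in (MAIN, with_drop_all(MAIN, log=False)):
        print(evaluate(rule_set, "192.168.3.25", "198.51.100.7", "ping"))
        print(evaluate(rule_set, "192.168.3.25", "198.51.100.7", "http"))
        print(evaluate(rule_set, "198.51.100.7", "203.0.113.10", "ping"))
```
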
In order to gain control over the logging of dropped traffic, it is recommended to create a drop
Chapter 3: CorePlus Configuration