[j-nsp] ICMP unreachable and mask reply - assistance required to check these features
Harri Makela
harri_makela at yahoo.com
Sun Jan 1 21:31:29 EST 2012
Hi Group
I have 2 questions here if you can assist please
1 - I want to block ICMP traffic types (mask reply and
unreachable) from our internet router from entering our production
environment. I have sorted out the required firewall filters but am not
sure how I can generate ICMP traffic to check whether these filters are
blocking the traffic in question or not, and how many resources these
filters are taking at the same time?
firewall {
    filter A {
        term 1 {
            from {
                protocol icmp;
                icmp-type mask-request;
            }
            then {
                count mask-req;
                log;
                discard;
            }
        }
        term 2 {
            from {
                protocol icmp;
                icmp-type mask-reply;
            }
            then {
                count mask-rep;
                log;
                discard;
            }
        }
        term 3 {
            from {
                protocol icmp;
                icmp-type unreachable;
            }
            then {
                count unreach;
                log;
                discard;
            }
        }
        term default {
            then accept;
        }
    }
}
2 - I have 3 x J6350 (10.0R3.10) in a test environment along with 6 x
EX-4200-48T (10.4R5.5), but there is no server or workstation connected
to these devices from which I can generate ICMP traffic using a
utility like hping. I am working from a remote location and I have no
assistance available at the moment to connect any device physically
on site.
Looking forward to your kind advice/feedback.
Many Thanks
HM
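
Added example, not part of the original post: a Python model of filter A's first-match term evaluation, run over constructed ICMP messages, giving the counter values a test pass should produce. The function names, identifier/sequence values and payloads are constructed for illustration, and the model assumes the packet has already matched "protocol icmp".

```python
import struct
from collections import Counter

# ICMP type numbers (RFC 792, RFC 950) behind the icmp-type keywords in filter A
MASK_REQUEST, MASK_REPLY, UNREACHABLE, ECHO_REQUEST = 17, 18, 3, 8

# Filter A from the post as ordered (term, icmp type, counter) entries;
# every listed term discards, the final "default" term accepts.
FILTER_A = [("1", MASK_REQUEST, "mask-req"),
            ("2", MASK_REPLY, "mask-rep"),
            ("3", UNREACHABLE, "unreach")]

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, code: int, body: bytes) -> bytes:
    """Build an ICMP message: type, code, checksum, then the type-specific body."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + body
    return struct.pack("!BBH", icmp_type, code, checksum(unsummed)) + body

def evaluate(message: bytes):
    """Return (term, action, counter) for an ICMP message; first match wins."""
    icmp_type = message[0]
    for term, wanted, counter in FILTER_A:
        if icmp_type == wanted:
            return term, "discard", counter
    return "default", "accept", None

def sample_messages():
    """Constructed messages: one per filtered type plus an echo request."""
    ident_seq = struct.pack("!HH", 0x1234, 1)   # constructed id / sequence
    quoted = b"\x00" * 28                       # placeholder for quoted IP header + 8 bytes
    return [build_icmp(MASK_REQUEST, 0, ident_seq + b"\x00" * 4),
            build_icmp(MASK_REPLY, 0, ident_seq + bytes([255, 255, 255, 0])),
            build_icmp(UNREACHABLE, 1, b"\x00" * 4 + quoted),
            build_icmp(ECHO_REQUEST, 0, ident_seq + b"filter-test")]

def expected_counters():
    """Counter values filter A should show after one pass of sample_messages()."""
    hits = Counter(evaluate(m)[2] for m in sample_messages())
    hits.pop(None, None)                        # default term has no counter
    return dict(hits)
```

Comparing expected_counters() with the filter's counter values on the router after sending the same four message types shows whether each term matched and whether echo traffic still reaches the default term.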