mirror of https://gitlab.com/shorewall/code.git synced 2024-12-11 08:51:13 +01:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>ICMP Echo-request (Ping)</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2004-01-03</pubdate>

    <copyright>
      <year>2001-2004</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <note>
    <para>Shorewall <quote>Ping</quote> management has evolved over time with
    the latest change coming in Shorewall version 1.4.0. To find out which
    version of Shorewall you are running, at a shell prompt type
    <quote><command>/sbin/shorewall version</command></quote>. If that command
    gives you an error, it's time to upgrade since you have a very old
    version of Shorewall installed (1.2.4 or earlier).</para>
  </note>

  <note>
    <para>Enabling <quote>ping</quote> will also enable ICMP-based
    <emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
    url="ports.htm">port information page</ulink>.</para>
  </note>

  <section>
    <title>Shorewall Versions &gt;= 2.0.0</title>

    <para>In Shorewall 1.4.0 and later versions, ICMP echo-requests are
    treated just like any other connection request.</para>

    <para>In order to accept ping requests from zone z1 to zone z2 where the
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
AllowPing  z1       z2</programlisting>

    <example>
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
AllowPing  loc      fw</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even when
    the relevant policy is DROP or REJECT, modify /etc/shorewall/action.Drop
    or /etc/shorewall/action.Reject respectively and simply add the line:</para>

    <programlisting>AllowPing</programlisting>

    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DropPing   z1       z2</programlisting>

    <example>
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the internet, you would need this rule in
      /etc/shorewall/rules:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DropPing   net      fw</programlisting>
    </example>

    <para>Note that the above rule may be used without changing the action
    files to prevent your log from being flooded by messages generated from
    remote pinging.</para>
  </section>

  <section>
    <title>Shorewall Versions &gt;= 1.4.0</title>

    <para>In Shorewall 1.4.0 and later versions, ICMP echo-requests are
    treated just like any other connection request.</para>

    <para>In order to accept ping requests from zone z1 to zone z2 where the
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     z1       z2     icmp    8</programlisting>

    <example>
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     loc      fw     icmp    8</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even when
    the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
    doesn't already exist and in that file place the following command:</para>

    <programlisting>run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>

    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DROP       z1       z2     icmp    8</programlisting>

    <example>
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the internet, you would need this rule in
      /etc/shorewall/rules:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DROP       net      fw     icmp    8</programlisting>
    </example>

    <para>Note that the above rule may be used without any additions to
    /etc/shorewall/icmpdef to prevent your log from being flooded by messages
    generated from remote pinging.</para>
  </section>

  <section>
    <title>Shorewall Versions &gt;= 1.3.14 and &lt; 1.4.0 with
    OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</title>

    <para>In 1.3.14, Ping handling was put under control of the rules and
    policies just like any other connection request. In order to accept ping
    requests from zone z1 to zone z2 where the policy for z1 to z2 is not
    ACCEPT, you need a rule in <filename>/etc/shorewall/rules</filename> of
    the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     z1       z2     icmp    8</programlisting>

    <example>
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     loc      fw     icmp    8</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even when
    the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
    doesn't already exist and in that file place the following command:</para>

    <programlisting>run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>

    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

    <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DROP       z1       z2     icmp    8</programlisting>

    <example>
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the internet, you would need this rule in
      /etc/shorewall/rules:</para>

      <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DROP       net      fw     icmp    8</programlisting>
    </example>

    <para>The above rule may be used without any additions to
    /etc/shorewall/icmpdef to prevent your log from being flooded by messages
    generated from remote pinging.</para>

    <note>
      <para>There is one exception to the above description. In 1.3.14 and
      1.3.14a, ping from the firewall itself is enabled unconditionally. This
      surprising <quote>feature</quote> was removed in version 1.4.0.</para>
    </note>
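
    <para>Added example, not part of the Shorewall documentation or of the
    Shorewall code: a small POSIX shell evaluator for the ping rules shown in
    the 2.0.0, 1.4.0 and 1.3.14 sections above. It walks a rules listing in
    first-match order and then falls back to the policy, the way the text
    describes, and it understands both the AllowPing/DropPing action syntax
    and the ACCEPT/DROP/REJECT icmp 8 syntax. The DEFAULT_PING argument stands
    in for the AllowPing line added to action.Drop/action.Reject (or the
    icmpdef ACCEPT line): it changes what a DROP or REJECT policy does but not
    what an explicit DropPing/DROP rule does. The sample rules and policies
    are constructed; the policy column layout (SOURCE DEST POLICY LOG LEVEL)
    is assumed from Shorewall's /etc/shorewall/policy file, and the function
    names are the example's own.</para>

```shell
# Added example, not Shorewall code: evaluate a ping request against a rules
# listing and a policy listing the way the text describes (first matching
# rule wins, otherwise the policy applies). Runs under POSIX sh with awk.

# Constructed sample /etc/shorewall/rules content (ACTION SOURCE DEST PROTO DEST PORT).
# Mixes the 2.0.0 action syntax and the 1.4.0 protocol/type syntax.
SAMPLE_RULES='#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
AllowPing  loc      fw
ACCEPT     dmz      net    icmp    8
DropPing   net      fw'

# Constructed sample /etc/shorewall/policy content; column layout assumed
# to be SOURCE DEST POLICY LOG_LEVEL, with "all" as a wildcard.
SAMPLE_POLICY='#SOURCE  DEST   POLICY   LOG_LEVEL
loc      net    ACCEPT
net      all    DROP     info
all      all    REJECT   info'

# ping_verdict SRC DST RULES POLICY DEFAULT_PING
#   DEFAULT_PING=yes models "AllowPing" in action.Drop/action.Reject (2.0.0)
#   or the icmpdef ACCEPT line (1.4.0): a DROP/REJECT policy then answers
#   pings, while an explicit DropPing/DROP rule still does not.
# Prints ACCEPT:rule, DROP:rule, REJECT:rule, ACCEPT:policy, ACCEPT:default,
# or DROP/REJECT:policy[:LOG_LEVEL].
ping_verdict() {
    src=$1 dst=$2 rules=$3 policy=$4 dflt=$5
    # Step 1: the first rule that matches this zone pair decides.
    v=$(printf '%s\n' "$rules" | awk -v s="$src" -v d="$dst" '
        /^#/ { next }
        NF == 0 { next }
        $2 != s { next }
        $3 != d { next }
        $1 == "AllowPing" { print "ACCEPT:rule"; exit }
        $1 == "DropPing"  { print "DROP:rule"; exit }
        $4 != "icmp" { next }
        $5 != "8" { next }
        $1 == "ACCEPT" { print "ACCEPT:rule"; exit }
        $1 == "DROP"   { print "DROP:rule"; exit }
        $1 == "REJECT" { print "REJECT:rule"; exit }')
    if [ -n "$v" ]; then
        printf '%s\n' "$v"
        return 0
    fi
    # Step 2: no rule matched, so the policy for SRC to DST applies.
    p=$(printf '%s\n' "$policy" | awk -v s="$src" -v d="$dst" '
        /^#/ { next }
        NF == 0 { next }
        $1 != s { if ($1 != "all") next }
        $2 != d { if ($2 != "all") next }
        { print $3 ":" $4; exit }')
    pol=${p%%:*}
    lvl=${p#*:}
    case $pol in
        ACCEPT)
            printf 'ACCEPT:policy\n' ;;
        DROP|REJECT)
            # Step 3: the default AllowPing/icmpdef entry, if present, turns a
            # DROP/REJECT policy into an answered ping; otherwise the policy
            # and its log level apply, which is the log-flooding case.
            if [ "$dflt" = yes ]; then
                printf 'ACCEPT:default\n'
            elif [ -n "$lvl" ]; then
                printf '%s:policy:%s\n' "$pol" "$lvl"
            else
                printf '%s:policy\n' "$pol"
            fi ;;
        *)
            printf 'UNKNOWN:policy\n' ;;
    esac
}

# Demo: every zone pair of interest, with and without the default.
for pair in "loc fw" "dmz net" "net fw" "net dmz" "dmz loc"; do
    set -- $pair
    printf '%-3s to %-3s  default=no: %-18s default=yes: %s\n' "$1" "$2" \
        "$(ping_verdict "$1" "$2" "$SAMPLE_RULES" "$SAMPLE_POLICY" no)" \
        "$(ping_verdict "$1" "$2" "$SAMPLE_RULES" "$SAMPLE_POLICY" yes)"
done
```

    <para>The demo output shows the point the three sections make: with the
    default in place, a ping that only the policy would have dropped is
    answered instead, while the explicit DropPing net fw rule still drops it
    silently, which is the log-flooding case the text describes.</para>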
  </section>

  <section>
    <title>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
    /etc/shorewall/shorewall.conf</title>

    <para>There are several aspects to the old Shorewall Ping management:</para>

    <orderedlist>
      <listitem>
        <para>The <emphasis role="bold">noping</emphasis> and <emphasis
        role="bold">filterping</emphasis> interface options in <ulink
        url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
      </listitem>

      <listitem>
        <para>The <emphasis role="bold">FORWARDPING</emphasis> option in
        <ulink url="Documentation.htm#Config">/etc/shorewall/shorewall.conf</ulink>.</para>
      </listitem>

      <listitem>
        <para>Explicit rules in <ulink
        url="Documentation.htm#rules">/etc/shorewall/rules</ulink>.</para>
      </listitem>
    </orderedlist>

    <para>There are two cases to consider:</para>

    <orderedlist>
      <listitem>
        <para>Ping requests addressed to the firewall itself; and</para>
      </listitem>

      <listitem>
        <para>Ping requests being forwarded to another system. Included here
        are all cases of packet forwarding, including NAT, DNAT rules, Proxy
        ARP and simple routing.</para>
      </listitem>
    </orderedlist>

    <para>These cases will be covered separately.</para>

    <section>
      <title>Ping Requests Addressed to the Firewall Itself</title>

      <para>For ping requests addressed to the firewall, the sequence is as
      follows:</para>

      <orderedlist>
        <listitem>
          <para>If neither <emphasis role="bold">noping</emphasis> nor
          <emphasis role="bold">filterping</emphasis> is specified for the
          interface that receives the ping request, then the request will be
          responded to with an ICMP echo-reply.</para>
        </listitem>

        <listitem>
          <para>If <emphasis role="bold">noping</emphasis> is specified for
          the interface that receives the ping request, then the request is
          ignored.</para>
        </listitem>

        <listitem>
          <para>If <emphasis role="bold">filterping</emphasis> is specified
          for the interface, then the request is passed to the rules/policy
          evaluation.</para>
        </listitem>
      </orderedlist>
    </section>

    <section>
      <title>Ping Requests Forwarded by the Firewall</title>

      <para>These requests are always passed to rules/policy evaluation.</para>

      <section>
        <title>Rules Evaluation</title>

        <para>Ping requests are ICMP type 8. So the general rule format is:</para>

        <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
<emphasis>&lt;action&gt;</emphasis>   <emphasis>&lt;source&gt;</emphasis>   <emphasis>&lt;destination&gt;</emphasis>   icmp   8</programlisting>

        <example>
          <title>Allow ping from DMZ to Net</title>

          <para>Accept pings from the dmz to the net:</para>

          <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
ACCEPT     dmz      net    icmp    8</programlisting>
        </example>

        <example>
          <title>Silently drop pings from the Net</title>

          <para>Drop pings from the net to the firewall:</para>

          <programlisting>#ACTION    SOURCE   DEST   PROTO   DEST PORT(S)
DROP       net      fw     icmp    8</programlisting>
        </example>
      </section>

      <section>
        <title>Policy Evaluation</title>

        <para>If no applicable rule is found, then the policy for the source
        to the destination is applied.</para>

        <orderedlist>
          <listitem>
            <para>If the relevant policy is ACCEPT, then the request is
            responded to with an ICMP echo-reply.</para>
          </listitem>

          <listitem>
            <para>If <emphasis role="bold">FORWARDPING</emphasis> is set to
            Yes in /etc/shorewall/shorewall.conf, then the request is responded
            to with an ICMP echo-reply.</para>
          </listitem>

          <listitem>
            <para>Otherwise, the relevant REJECT or DROP policy is used and
            the request is either rejected or simply ignored.</para>
          </listitem>
        </orderedlist>
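
        <para>Added example, not Shorewall's own code: a POSIX shell model of
        the old ping handling described in this section, covering both
        requests addressed to the firewall itself and forwarded requests. The
        receiving interface's options are read from an interfaces listing,
        the rules step is represented by its outcome (ACCEPT, DROP, REJECT or
        none; the rule format itself is covered under Rules Evaluation), and
        the policy step applies FORWARDPING exactly as the list above states.
        The interfaces listing is constructed and its column layout (ZONE
        INTERFACE BROADCAST OPTIONS) is assumed from Shorewall 1.3's
        /etc/shorewall/interfaces; the function names are the example's own.
        The last function is an audit that lists the interfaces which, under
        the old handling, answer pings before any rule or policy is
        consulted.</para>

```shell
# Added example, not Shorewall code: a POSIX shell model of the old ping
# handling (noping/filterping interface options, FORWARDPING, rules/policy).

# Constructed sample /etc/shorewall/interfaces content; column layout
# assumed to be ZONE INTERFACE BROADCAST OPTIONS (options comma-separated).
SAMPLE_INTERFACES='#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      noping,routefilter
dmz     eth1        detect      filterping
loc     eth2        detect      dhcp'

# interface_ping_stage IFACE INTERFACES: first step for a request addressed
# to the firewall. Prints reply (no option: answered at once), ignored
# (noping), or rules (filterping: handed to rules/policy evaluation).
interface_ping_stage() {
    printf '%s\n' "$2" | awk -v i="$1" '
        /^#/ { next }
        NF == 0 { next }
        $2 != i { next }
        {
            split($4, o, ",")
            stage = "reply"
            for (k in o) {
                if (o[k] == "noping") stage = "ignored"
                if (o[k] == "filterping") { if (stage == "reply") stage = "rules" }
            }
            print stage
            exit
        }'
}

# policy_ping_stage POLICY FORWARDPING: the policy step, used when no rule
# matched. FORWARDPING=Yes overrides a DROP or REJECT policy.
policy_ping_stage() {
    case "$1:$2" in
        ACCEPT:*) echo reply ;;
        *:Yes)    echo reply-forwardping ;;
        REJECT:*) echo rejected ;;
        DROP:*)   echo ignored ;;
        *)        echo unknown ;;
    esac
}

# rules_policy_stage RULE_VERDICT POLICY FORWARDPING: rules first, then policy.
# RULE_VERDICT is the action of the matching icmp 8 rule, or "none".
rules_policy_stage() {
    case $1 in
        ACCEPT) echo reply ;;
        DROP)   echo ignored ;;
        REJECT) echo rejected ;;
        *)      policy_ping_stage "$2" "$3" ;;
    esac
}

# firewall_ping_verdict IFACE RULE_VERDICT POLICY FORWARDPING: request
# addressed to the firewall itself, arriving on IFACE.
firewall_ping_verdict() {
    stage=$(interface_ping_stage "$1" "$SAMPLE_INTERFACES")
    case $stage in
        reply|ignored) echo "$stage" ;;
        rules)         rules_policy_stage "$2" "$3" "$4" ;;
        *)             echo unknown-interface ;;
    esac
}

# forwarded_ping_verdict RULE_VERDICT POLICY FORWARDPING: forwarded requests
# always go straight to rules/policy evaluation.
forwarded_ping_verdict() {
    rules_policy_stage "$1" "$2" "$3"
}

# Audit: interfaces that answer pings before any rule or policy is consulted
# (neither noping nor filterping), where a DROP policy has no effect.
unconditional_ping_interfaces() {
    printf '%s\n' "$1" | awk '
        /^#/ { next }
        NF == 0 { next }
        $4 !~ /(^|,)(noping|filterping)(,|$)/ { print $2 }'
}

# Demo.
for iface in eth0 eth1 eth2; do
    printf '%s: no rule, DROP policy, FORWARDPING=No: %s  FORWARDPING=Yes: %s\n' \
        "$iface" "$(firewall_ping_verdict "$iface" none DROP No)" \
        "$(firewall_ping_verdict "$iface" none DROP Yes)"
done
printf 'answering ping unconditionally: %s\n' \
    "$(unconditional_ping_interfaces "$SAMPLE_INTERFACES")"
```

        <para>The audit is the practical use of the model: an interface with
        neither option never reaches the rules or the policy, so a DROP policy
        for that zone does not stop it answering pings, and FORWARDPING=Yes
        only matters once a request has reached the policy step.</para>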
      </section>
    </section>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
        <revision>
          <revnumber>1.2</revnumber>
          <date>2004-01-03</date>
          <authorinitials>TE</authorinitials>
          <revremark>Add traceroute reference</revremark>
        </revision>
        <revision>
          <revnumber>1.1</revnumber>
          <date>2003-08-23</date>
          <authorinitials>TE</authorinitials>
          <revremark>Initial version converted to Docbook XML</revremark>
        </revision>
      </revhistory></para>
  </appendix>
</article>