Outbound ICMP no longer unconditionally accepted

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@444 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/firewall

@@ -3684,10 +3684,6 @@ add_common_rules() {
     run_iptables -A INPUT   -i lo -j ACCEPT
     run_iptables -A OUTPUT  -o lo -j ACCEPT
     
-    #
-    # Enable icmp output
-    #
-    run_iptables -A OUTPUT -p icmp -j ACCEPT
     #
     # Route Filtering
     #

Shorewall/hosts

@@ -8,7 +8,10 @@
 #
 #	This file is used to define zones in terms of subnets and/or
 #	individual IP addresses. Most simple setups don't need to
-#	(should not) place anything in this file.
+#	(should not) place anything in this file. Note that if you 
+#	assign one or more interfaces to a zone in /etc/shorewall/interfaces,
+#	the hosts/networks that you define for the zone in the file will be
+#	IN ADDITION to those interfaces.
 #
 #	ZONE	- The name of a zone defined in /etc/shorewall/zones
 #

Shorewall/releasenotes.txt

@@ -38,4 +38,9 @@ Changes for 2.0 include:
 4. Late arriving DNS replies are now silently dropped in the common
    chain by default.
 
+5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 2.0 no
+   longer unconditionally accepts outbound ICMP packets. So if you want
+   to 'ping' from the firewall, you will need the appropriate rule or
+   policy. 
+