<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>ICMP Echo-request (Ping)</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-09-12</pubdate>

    <copyright>
      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that release.</emphasis></para>
  </caution>

  <note>
    <para>Enabling <quote>ping</quote> will also enable ICMP-based
    <emphasis>traceroute</emphasis>, because that form of traceroute sends
    the same ICMP echo-requests. For UDP-based traceroute, see the <ulink
    url="ports.htm">port information page</ulink>.</para>
  </note>

  <section>
    <title>'Ping' Management</title>

    <para>In Shorewall, ICMP echo-requests are treated just like any other
    connection request: the rules in <filename>/etc/shorewall/rules</filename>
    are checked first, and the policy for the zone pair applies only when no
    rule matches.</para>

    <para>In order to accept ping requests from zone z1 to zone z2 where the
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
Ping/ACCEPT     z1              z2</programlisting>

    <example>
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
Ping/ACCEPT     loc             $FW</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even
    when the relevant policy is DROP or REJECT, copy
    <filename>/usr/share/shorewall/action.Drop</filename> or
    <filename>/usr/share/shorewall/action.Reject</filename> respectively to
    <filename class="directory">/etc/shorewall</filename> and simply add this
    line to the copy:</para>

    <programlisting>Ping/ACCEPT</programlisting>

    <para>With that line in the action file, ping is accepted wherever the
    DROP or REJECT policy applies. If you then want to ignore
    <quote>ping</quote> from z1 to z2, you need an explicit rule of the form
    (rules are evaluated before the policy, so it takes precedence):</para>

    <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
Ping/DROP       z1              z2</programlisting>

    <example>
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the internet, you would need this rule in
      <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION         SOURCE          DEST            PROTO   DEST PORT(S)
Ping/DROP       net             $FW</programlisting>
    </example>

    <para>Note that the above rule is also useful when you have not changed
    the action files at all: because it matches before the net to $FW policy
    is applied, the echo-requests are dropped without the logging that the
    policy would otherwise produce, so your log is not flooded by messages
    generated from remote pinging.</para>
  </section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
        <revision>
          <revnumber>1.3</revnumber>

          <date>2005-08-31</date>

          <authorinitials>CR</authorinitials>

          <revremark>Updated for Shorewall 3</revremark>
        </revision>

        <revision>
          <revnumber>1.2</revnumber>

          <date>2004-01-03</date>

          <authorinitials>TE</authorinitials>

          <revremark>Add traceroute reference</revremark>
        </revision>

        <revision>
          <revnumber>1.1</revnumber>

          <date>2003-08-23</date>

          <authorinitials>TE</authorinitials>

          <revremark>Initial version converted to Docbook XML</revremark>
        </revision>
      </revhistory></para>
  </appendix>
</article>