Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.4.0. To find out which version of Shorewall
you are running, at a shell prompt type "/sbin/shorewall
version". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).
Shorewall Versions >= 1.4.0
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
form:
ACCEPT z1 z2
icmp 8
Example:
To permit ping from the local zone to the firewall:
ACCEPT loc fw
icmp 8
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't
already exist and in that file place the following command:
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:
DROP z1 z2
icmp 8
Example:
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:
DROP net fw
icmp 8
Shorewall Versions >= 1.3.14 and < 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:
ACCEPT z1 z2
icmp 8
Example:
To permit ping from the local zone to the firewall:
ACCEPT loc fw
icmp 8
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't
already exist and in that file place the following command:
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:
DROP z1 z2
icmp 8
Example:
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:
DROP net fw
icmp 8
Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
There are several aspects to the old Shorewall Ping management:
- The noping and filterping interface options in
/etc/shorewall/interfaces.
- The FORWARDPING option in /etc/shorewall/shorewall.conf.
- Explicit rules in /etc/shorewall/rules.
There are two cases to consider:
- Ping requests addressed to the firewall itself; and
- Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.
These cases will be covered separately.
Ping Requests Addressed to the Firewall Itself
For ping requests addressed to the firewall, the sequence is as follows:
- If neither noping nor filterping are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.
- If noping is specified for the interface that receives
the ping request then the request is ignored.
- If filterping is specified for the interface then the
request is passed to the rules/policy evaluation.
Ping Requests Forwarded by the Firewall
These requests are always passed to rules/policy evaluation.
Rules Evaluation
Ping requests are ICMP type 8. So the general rule format is:
Target Source
Destination icmp 8
Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):
ACCEPT net dmz
icmp 8
Example 2. Drop pings from the net to the firewall
DROP net fw
icmp 8
Policy Evaluation
If no applicable rule is found, then the policy for the source to the
destination is applied.
- If the relevant policy is ACCEPT then the request is responded
to with an ICMP echo-reply.
- If FORWARDPING is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.
- Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.
Updated 7/7/2003 - Tom Eastep
Copyright © 2001, 2002, 2003 Thomas M. Eastep.