ICMP Echo-request (Ping) Tom Eastep 2003-08-23 2001-2003 Thomas M. Eastep Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled GNU Free Documentation License. Shorewall 'Ping' management has evolved over time with the latest change coming in Shorewall version 1.4.0. To find out which version of Shorewall you are running, at a shell prompt type "/sbin/shorewall version". If that command gives you an error, it's time to upgrade since you have a very old version of Shorewall installed (1.2.4 or earlier).
Shorewall Versions >= 1.4.0 In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT z1 z2 icmp 8 Ping from local zone to firewall To permit ping from the local zone to the firewall: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT loc fw icmp 8 If you would like to accept 'ping' by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command: run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT With that rule in place, if you want to ignore 'ping' from z1 to z2 then you need a rule of the form: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST DROP z1 z2 icmp 8 Silently drop pings from the Internet To drop ping from the internet, you would need this rule in /etc/shorewall/rules: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST DROP net fw icmp 8 Note that the above rule may be used without any additions to /etc/shorewall/icmpdef to prevent your log from being flooded by messages generated from remote pinging.
Shorewall Versions >= 1.3.14 and < 1.4.0 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf In 1.3.14, Ping handling was put under control of the rules and policies just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT z1 z2 icmp 8 Ping from local zone to firewall To permit ping from the local zone to the firewall: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT loc fw icmp 8 If you would like to accept 'ping' by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command: run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT With that rule in place, if you want to ignore 'ping' from z1 to z2 then you need a rule of the form: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST DROP z1 z2 icmp 8 Silently drop pings from the Internet To drop ping from the internet, you would need this rule in /etc/shorewall/rules: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST DROP net fw icmp 8 The above rule may be used without any additions to /etc/shorewall/icmpdef to prevent your log from being flooded by messages generated from remote pinging. There is one exception to the above description. In 1.3.14 and 1.3.14a, ping from the firewall itself is enabled unconditionally. This suprising "feature" was removed in version 1.4.0.
Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf There are several aspects to the old Shorewall Ping management: The noping and filterping interface options in /etc/shorewall/interfaces. The FORWARDPING option in /etc/shorewall/shorewall.conf. Explicit rules in /etc/shorewall/rules. There are two cases to consider: Ping requests addressed to the firewall itself; and Ping requests being forwarded to another system. Included here are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple routing. These cases will be covered separately.
Ping Requests Addressed to the Firewall Itself For ping requests addressed to the firewall, the sequence is as follows: If neither noping nor filterping are specified for the interface that receives the ping request then the request will be responded to with an ICMP echo-reply. If noping is specified for the interface that receives the ping request then the request is ignored. If filterping is specified for the interface then the request is passed to the rules/policy evaluation.
Ping Requests Forwarded by the Firewall These requests are always passed to rules/policy evaluation.
Rules Evaluation Ping requests are ICMP type 8. So the general rule format is: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST <action> <source> <destination> icmp 8 Allow ping from DMZ to Net Example 1. Accept pings from the net to the dmz (pings are responded to with an ICMP echo-reply): ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST ACCEPT dmz net icmp 8 Silently drop pings from the Net Drop pings from the net to the firewall: ACTION SOURCE DESTINATION PROTOCOL PORT(S) SOURCE PORT(S) ORIGINAL DEST DROP net fw icmp 8
Policy Evaluation If no applicable rule is found, then the policy for the source to the destination is applied. If the relevant policy is ACCEPT then the request is responded to with an ICMP echo-reply. If FORWARDPING is set to Yes in /etc/shorewall/shorewall.conf then the request is responded to with an ICMP echo-reply. Otherwise, the relevant REJECT or DROP policy is used and the request is either rejected or simply ignored.