<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <article> <articleinfo> <title>ICMP Echo-request (Ping)</title> <authorgroup> <author> <firstname>Tom</firstname> <surname>Eastep</surname> </author> </authorgroup> <pubdate><?dbtimestamp format="Y/m/d"?></pubdate> <copyright> <year>2001-2005</year> <holder>Thomas M. Eastep</holder> </copyright> <legalnotice> <para>Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> </legalnotice> </articleinfo> <caution> <para><emphasis role="bold">This article applies to Shorewall 3.0 and later. If you are running a version of Shorewall earlier than Shorewall 3.0.0 then please see the documentation for that release.</emphasis></para> </caution> <note> <para>Enabling <quote>ping</quote> will also enable ICMP-based <emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink url="ports.htm">port information page</ulink>.</para> </note> <section id="Ping"> <title>'Ping' Management</title> <para>In Shorewall , ICMP echo-requests are treated just like any other connection request.</para> <para>In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in <filename>/etc/shorewall/rules</filename> of the form:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Ping(ACCEPT) z1 z2</programlisting> <example id="Example1"> <title>Ping from local zone to firewall</title> <para>To permit ping from the local zone to the firewall:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Ping(ACCEPT) loc $FW</programlisting> </example> <para>If you would like to accept <quote>ping</quote> by default even when the relevant policy is DROP or REJECT, copy <filename>/usr/share/shorewall/action.Drop</filename> or <filename>/usr/share shorewall/action.Reject</filename> respectively to <filename class="directory">/etc/shorewall</filename> and simply add this line to the copy:</para> <programlisting>Ping(ACCEPT)</programlisting> <para>With that rule in place, if you want to ignore <quote>ping</quote> from z1 to z2 then you need a rule of the form:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Ping(DROP) z1 z2</programlisting> <example id="Example2"> <title>Silently drop pings from the Internet</title> <para>To drop ping from the Internet, you would need this rule in <filename>/etc/shorewall/rules</filename>:</para> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) Ping(DROP) net $FW</programlisting> </example> <para>Note that the above rule may be used without changing the action files to prevent your log from being flooded by messages generated from remote pinging.</para> </section> </article>