<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
  <articleinfo>
    <title>ICMP Echo-request (Ping)</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>

  <note>
    <para>Enabling <quote>ping</quote> will also enable ICMP-based
    <emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
    url="ports.htm">port information page</ulink>.</para>
  </note>

  <section id="Ping">
    <title>'Ping' Management</title>

    <para>In Shorewall , ICMP echo-requests are treated just like any other
    connection request.</para>

    <para>In order to accept ping requests from zone z1 to zone z2 where the
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
Ping(ACCEPT) z1        z2</programlisting>

    <example id="Example1">
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
Ping(ACCEPT) loc       $FW</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even when
    the relevant policy is DROP or REJECT, copy
    <filename>/usr/share/shorewall/action.Drop</filename> or
    <filename>/usr/share shorewall/action.Reject</filename> respectively to
    <filename class="directory">/etc/shorewall</filename> and simply add this
    line to the copy:</para>

    <programlisting>Ping(ACCEPT)</programlisting>

    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

    <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
Ping(DROP)   z1        z2</programlisting>

    <example id="Example2">
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the Internet, you would need this rule in
      <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION    SOURCE    DEST     PROTO    DEST PORT(S)
Ping(DROP) net       $FW</programlisting>
    </example>

    <para>Note that the above rule may be used without changing the action
    files to prevent your log from being flooded by messages generated from
    remote pinging.</para>
  </section>
</article>