shorewall_code/Shorewall-docs2/ping.xml

128 lines
3.9 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<articleinfo>
<title>ICMP Echo-request (Ping)</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2005-08-31</pubdate>
<copyright>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>Enabling <quote>ping</quote> will also enable ICMP-based
<emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
url="ports.htm">port information page</ulink>.</para>
</note>
<section>
<title>'Ping' Management</title>
<para>In Shorewall , ICMP echo-request's are treated just like any other
connection request.</para>
<para>In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
<filename>/etc/shorewall/rules</filename> of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT z1 z2</programlisting>
<example>
<title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/ACCEPT loc fw</programlisting>
</example>
<para>If you would like to accept <quote>ping</quote> by default even when
the relevant policy is DROP or REJECT, copy
<filename>/usr/share/shorewall/action.Drop</filename> or
<filename>/usr/share shorewall/action.Reject</filename> respectively to
<filename class="directory">/etc/shorewall</filename> and simply add this
line to the copy:</para>
<programlisting>Ping/ACCEPT</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP z1 z2</programlisting>
<example>
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Ping/DROP:none! net fw</programlisting>
</example>
<para>Note that the above rule may be used without changing the action
files to prevent your log from being flooded by messages generated from
remote pinging.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.3</revnumber>
<date>2005-08-31</date>
<authorinitials>CR</authorinitials>
<revremark>Updated for Shorewall 3</revremark>
</revision>
<revision>
<revnumber>1.2</revnumber>
<date>2004-01-03</date>
<authorinitials>TE</authorinitials>
<revremark>Add traceroute reference</revremark>
</revision>
<revision>
<revnumber>1.1</revnumber>
<date>2003-08-23</date>
<authorinitials>TE</authorinitials>
<revremark>Initial version converted to Docbook XML</revremark>
</revision>
</revhistory></para>
</appendix>
</article>