<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
  <articleinfo>
    <title>ICMP Echo-request (Ping)</title>

    <authorgroup>
      <author>
        <firstname>Tom</firstname>

        <surname>Eastep</surname>
      </author>
    </authorgroup>

    <pubdate>2005-08-31</pubdate>

    <copyright>
      <year>2001-2005</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>

    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
      License</ulink></quote>.</para>
    </legalnotice>
  </articleinfo>

  <note>
    <para>Enabling <quote>ping</quote> will also enable ICMP-based
    <emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
    url="ports.htm">port information page</ulink>.</para>
  </note>

  <section>
    <title>'Ping' Management</title>

    <para>In Shorewall, ICMP echo-requests are treated just like any other
    connection request.</para>

    <para>In order to accept ping requests from zone z1 to zone z2 where the
    policy for z1 to z2 is not ACCEPT, you need a rule in
    <filename>/etc/shorewall/rules</filename> of the form:</para>

    <programlisting>#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
Ping/ACCEPT z1      z2</programlisting>

    <example>
      <title>Ping from local zone to firewall</title>

      <para>To permit ping from the local zone to the firewall:</para>

      <programlisting>#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
Ping/ACCEPT loc     fw</programlisting>
    </example>

    <para>If you would like to accept <quote>ping</quote> by default even when
    the relevant policy is DROP or REJECT, copy
    <filename>/usr/share/shorewall/action.Drop</filename> or
    <filename>/usr/share/shorewall/action.Reject</filename> respectively to
    <filename class="directory">/etc/shorewall</filename> and simply add this
    line to the copy:</para>

    <programlisting>Ping/ACCEPT</programlisting>

    <para>With that rule in place, if you want to ignore <quote>ping</quote>
    from z1 to z2 then you need a rule of the form:</para>

    <programlisting>#ACTION     SOURCE  DEST    PROTO   DEST PORT(S)
Ping/DROP   z1      z2</programlisting>

    <example>
      <title>Silently drop pings from the Internet</title>

      <para>To drop ping from the internet, you would need this rule in
      <filename>/etc/shorewall/rules</filename>:</para>

      <programlisting>#ACTION         SOURCE  DEST    PROTO   DEST PORT(S)
Ping/DROP:none! net     fw</programlisting>
    </example>

    <para>Note that the above rule may be used without changing the action
    files to prevent your log from being flooded by messages generated from
    remote pinging.</para>
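
    <para>The following is an added illustration, not Shorewall's own code: a
    small Python model of the decision order this section describes (rules
    first, then the copied action file, then the policy), run over a
    constructed configuration that mirrors the examples above. It assumes
    rules with only ACTION, SOURCE and DEST columns, treats a missing
    SOURCE or DEST as any zone, and reads a <quote>none</quote> log level as
    <quote>do not log</quote>.</para>

```python
# Added illustration (not Shorewall's own code): a simplified model of how the
# fate of an ICMP echo-request is decided, following only what the page states.
# Assumptions: rules carry just ACTION SOURCE DEST, a missing SOURCE/DEST means
# any zone, and a ':none' log level on the action means "do not log".

def parse_ping_rules(text):
    """Parse 'Ping/VERDICT[:loglevel[!]] [SOURCE [DEST]]' lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or column-header comment
        macro, _, spec = fields[0].partition("/")
        if macro != "Ping":
            raise ValueError("only the Ping macro is modelled: %r" % line)
        verdict, _, level = spec.partition(":")
        level = level.rstrip("!")          # the '!' qualifier is ignored here
        logged = bool(level) and level != "none"
        src = fields[1] if len(fields) > 1 else "all"
        dst = fields[2] if len(fields) > 2 else "all"
        rules.append((verdict, logged, src, dst))
    return rules

def first_match(rules, src, dst):
    """Return (verdict, logged) of the first rule matching src to dst, or None."""
    for verdict, logged, rsrc, rdst in rules:
        if rsrc in (src, "all") and rdst in (dst, "all"):
            return verdict, logged
    return None

def ping_fate(src, dst, rules_text, policies, action_files):
    """(verdict, logged) for an echo-request from zone src to zone dst.
    policies: (src, dst) to (POLICY, log level or None), as in the policy file.
    action_files: 'DROP'/'REJECT' to the text of the copied action.Drop/Reject,
    which is consulted before the policy itself applies."""
    hit = first_match(parse_ping_rules(rules_text), src, dst)
    if hit:
        return hit
    policy, level = policies[(src, dst)]
    hit = first_match(parse_ping_rules(action_files.get(policy, "")), src, dst)
    if hit:
        return hit
    return policy, level is not None

# Constructed sample configuration mirroring the page's examples.
POLICIES = {("net", "fw"): ("DROP", "info"), ("loc", "fw"): ("ACCEPT", None)}
ACTION_FILES = {"DROP": "Ping/ACCEPT\n"}   # copied action.Drop plus the added line
RULES = "#ACTION SOURCE DEST\nPing/ACCEPT loc fw\nPing/DROP:none! net fw\n"
```

With the action file accepting ping by default, ping_fate("net", "fw", RULES, POLICIES, ACTION_FILES) still returns ("DROP", False) because the Ping/DROP:none! rule is matched before the policy, and nothing is logged; drop the rule and the same call returns ("ACCEPT", False).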
</section>

  <appendix>
    <title>Revision History</title>

    <para><revhistory>
        <revision>
          <revnumber>1.3</revnumber>

          <date>2005-08-31</date>

          <authorinitials>CR</authorinitials>

          <revremark>Updated for Shorewall 3</revremark>
        </revision>

        <revision>
          <revnumber>1.2</revnumber>

          <date>2004-01-03</date>

          <authorinitials>TE</authorinitials>

          <revremark>Add traceroute reference</revremark>
        </revision>

        <revision>
          <revnumber>1.1</revnumber>

          <date>2003-08-23</date>

          <authorinitials>TE</authorinitials>

          <revremark>Initial version converted to Docbook XML</revremark>
        </revision>
      </revhistory></para>
  </appendix>
</article>