shorewall_code/docs/ping.xml

100 lines
3.4 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<articleinfo>
<title>ICMP Echo-request (Ping)</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that
release.</emphasis></para>
</caution>
<note>
<para>Enabling <quote>ping</quote> will also enable ICMP-based
<emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
url="ports.htm">port information page</ulink>.</para>
</note>
<section id="Ping">
<title>'Ping' Management</title>
<para>In Shorewall , ICMP echo-requests are treated just like any other
connection request.</para>
<para>In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
<filename>/etc/shorewall/rules</filename> of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) z1 z2</programlisting>
<example id="Example1">
<title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(ACCEPT) loc $FW</programlisting>
</example>
<para>If you would like to accept <quote>ping</quote> by default even when
the relevant policy is DROP or REJECT, copy
<filename>/usr/share/shorewall/action.Drop</filename> or
<filename>/usr/share shorewall/action.Reject</filename> respectively to
<filename class="directory">/etc/shorewall</filename> and simply add this
line to the copy:</para>
<programlisting>Ping(ACCEPT)</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) z1 z2</programlisting>
<example id="Example2">
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the Internet, you would need this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DPORT
Ping(DROP) net $FW</programlisting>
</example>
<para>Note that the above rule may be used without changing the action
files to prevent your log from being flooded by messages generated from
remote pinging.</para>
</section>
</article>