Outbound ICMP no longer unconditionally accepted

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@444 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-02-11 01:34:52 +00:00 · 2003-02-11 01:34:52 +00:00 · 92fc84ac14
commit 92fc84ac14
parent ef51c04d1d
3 changed files with 9 additions and 5 deletions
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@ -3684,10 +3684,6 @@ add_common_rules() {
    run_iptables -A INPUT   -i lo -j ACCEPT
    run_iptables -A OUTPUT  -o lo -j ACCEPT
    
-    #
-    # Enable icmp output
-    #
-    run_iptables -A OUTPUT -p icmp -j ACCEPT
    #
    # Route Filtering
    #
--- a/Shorewall/hosts
+++ b/Shorewall/hosts
@ -8,7 +8,10 @@
 #
 #	This file is used to define zones in terms of subnets and/or
 #	individual IP addresses. Most simple setups don't need to
-#	(should not) place anything in this file.
+#	(should not) place anything in this file. Note that if you 
+#	assign one or more interfaces to a zone in /etc/shorewall/interfaces,
+#	the hosts/networks that you define for the zone in the file will be
+#	IN ADDITION to those interfaces.
 #
 #	ZONE	- The name of a zone defined in /etc/shorewall/zones
 #
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -38,4 +38,9 @@ Changes for 2.0 include:
 4. Late arriving DNS replies are now silently dropped in the common
   chain by default.

+5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall 2.0 no
+   longer unconditionally accepts outbound ICMP packets. So if you want
+   to 'ping' from the firewall, you will need the appropriate rule or
+   policy. 
+