From caa793d2b4c1ad165e18066fba649c7bd695c680 Mon Sep 17 00:00:00 2001 From: teastep Date: Fri, 26 Dec 2003 15:31:08 +0000 Subject: [PATCH] Convert ping.html to Docbook XML git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@966 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-docs/ping.html | 162 ---------- Shorewall-docs/ping.xml | 681 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 681 insertions(+), 162 deletions(-) delete mode 100644 Shorewall-docs/ping.html create mode 100644 Shorewall-docs/ping.xml diff --git a/Shorewall-docs/ping.html b/Shorewall-docs/ping.html deleted file mode 100644 index c08c02b7b..000000000 --- a/Shorewall-docs/ping.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - ICMP Echo-request (Ping) - - - - -
-

ICMP Echo-request (Ping)
-

-Shorewall 'Ping' management has evolved over time with the latest -change coming in Shorewall version 1.4.0. To find out which version of -Shorewall you are running, at a shell prompt type "/sbin/shorewall -version". If that command gives you an error, it's time to -upgrade since you have a very old version of Shorewall installed (1.2.4 -or earlier).
-

Shorewall Versions >= 1.4.0

-In Shoreall 1.4.0 and later version, ICMP echo-request's are treated -just like any other connection request.
-
-In order to accept ping requests from zone z1 to zone z2 where the -policy for z1 to z2 is not ACCEPT, you need a rule in -/etc/shoreall/rules of the form:
-
ACCEPT    z1    -z2    icmp    8
-
-Example:
-
-To permit ping from the local zone to the firewall:
-
ACCEPT    loc    -fw    icmp    8
-
-If you would like to accept 'ping' by default even when the relevant -policy is DROP or REJECT, create /etc/shorewall/icmpdef if it -doesn't already exist and in that file place the following command:
-
-
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
-
-With that rule in place, if you want to ignore 'ping' from z1 to z2 -then you need a rule of the form:
-
DROP    z1    -z2    icmp    8
-
-Example:
-
-To drop ping from the internet, you would need this rule in -/etc/shorewall/rules:
-
-
DROP    net    -fw    icmp    8
-
-

Shorewall Versions >= 1.3.14  and < 1.4.0 with -OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf

-In 1.3.14, Ping handling was put under control of the rules and -policies just like any other connection request. In order to accept -ping requests from zone z1 to zone z2 where the policy for z1 to z2 is -not ACCEPT, you need a rule in /etc/shoreall/rules of the form:
-
ACCEPT    z1    -z2    icmp    8
-
-Example:
-
-To permit ping from the local zone to the firewall:
-
ACCEPT    loc    -fw    icmp    8
-
-If you would like to accept 'ping' by default even when the relevant -policy is DROP or REJECT, create /etc/shorewall/icmpdef if it -doesn't already exist and in that file place the following command:
-
-
run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
-
-With that rule in place, if you want to ignore 'ping' from z1 to z2 -then you need a rule of the form:
-
DROP    z1    -z2    icmp    8
-
-Example:
-
-To drop ping from the internet, you would need this rule in -/etc/shorewall/rules:
-
DROP    net    -fw    icmp    8
-
-NOTE:  There is one -exception to the above description. In 1.3.14 and 1.3.14a, ping from -the firewall itself is enabled unconditionally. This suprising -"feature" was removed in version 1.4.0.
-
-
-

Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in -/etc/shorewall/shorewall.conf
-

-There are several aspects to the old Shorewall Ping management:
-
    -
  1. The noping and filterping interface options in /etc/shorewall/interfaces.
  2. -
  3. The FORWARDPING option in -/etc/shorewall/shorewall.conf.
  4. -
  5. Explicit rules in /etc/shorewall/rules.
  6. -
-There are two cases to consider:
-
    -
  1. Ping requests addressed to the firewall itself; and
  2. -
  3. Ping requests being forwarded to another system. Included here -are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP -and simple routing.
  4. -
-These cases will be covered separately.
-

Ping Requests Addressed to the Firewall Itself

-For ping requests addressed to the firewall, the sequence is as follows:
-
    -
  1. If neither noping nor filterping are specified -for the interface that receives the ping request then the request will -be responded to with an ICMP echo-reply.
  2. -
  3. If noping is specified for the interface that receives -the ping request then the request is ignored.
  4. -
  5. If filterping is specified for the interface then the -request is passed to the rules/policy evaluation.
  6. -
-

Ping Requests Forwarded by the Firewall

-These requests are always passed to rules/policy evaluation.
-

Rules Evaluation

-Ping requests are ICMP type 8. So the general rule format is:
-
-    Target    -Source    Destination    icmp    -8
-
-Example 1. Accept pings from the net to the dmz (pings are responded to -with an ICMP echo-reply):
-
-    ACCEPT    net    -dmz    icmp    8
-
-Example 2. Drop pings from the net to the firewall
-
-    DROP    net    -fw    icmp    8
-

Policy Evaluation

-If no applicable rule is found, then the policy for the source to -the destination is applied.
-
    -
  1. If the relevant policy is ACCEPT then the request is responded to -with an ICMP echo-reply.
  2. -
  3. If FORWARDPING is set to Yes in -/etc/shorewall/shorewall.conf then the request is responded to with an -ICMP echo-reply.
  4. -
  5. Otherwise, the relevant REJECT or DROP policy is used and the -request is either rejected or simply ignored.
  6. -
-
Updated 8/23/2003 - Tom Eastep
-

-

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

-
- - diff --git a/Shorewall-docs/ping.xml b/Shorewall-docs/ping.xml new file mode 100644 index 000000000..7bbde29e5 --- /dev/null +++ b/Shorewall-docs/ping.xml @@ -0,0 +1,681 @@ + + +
+ + + + ICMP Echo-request (Ping) + + + + Tom + + Eastep + + + + 2003-08-23 + + + 2001-2003 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation License. + + + + + Shorewall 'Ping' management has evolved over time with the + latest change coming in Shorewall version 1.4.0. To find out which version + of Shorewall you are running, at a shell prompt type "/sbin/shorewall + version". If that command gives you an error, it's time to upgrade + since you have a very old version of Shorewall installed (1.2.4 or + earlier). + + +
+ Shorewall Versions >= 1.4.0 + + In Shoreall 1.4.0 and later version, ICMP echo-request's are + treated just like any other connection request. + + In order to accept ping requests from zone z1 to zone z2 where the + policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules + of the form: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + z1 + + z2 + + icmp + + 8 + + + + + + + + + + + Ping from local zone to firewall + + To permit ping from the local zone to the firewall: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + loc + + fw + + icmp + + 8 + + + + + + + + + + + If you would like to accept 'ping' by default even when the + relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it + doesn't already exist and in that file place the following command: + + run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT + + With that rule in place, if you want to ignore 'ping' from + z1 to z2 then you need a rule of the form: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DROP + + z1 + + z2 + + icmp + + 8 + + + + + + + + + + + Silently drop pings from the Internet + + To drop ping from the internet, you would need this rule in + /etc/shorewall/rules: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DROP + + net + + fw + + icmp + + 8 + + + + + + + + + + + Note that the above rule may be used without any additions to + /etc/shorewall/icmpdef to prevent your log from being flooded by messages + generated from remote pinging. +
+ +
+ Shorewall Versions >= 1.3.14 and < 1.4.0 with + OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf + + In 1.3.14, Ping handling was put under control of the rules and + policies just like any other connection request. In order to accept ping + requests from zone z1 to zone z2 where the policy for z1 to z2 is not + ACCEPT, you need a rule in /etc/shoreall/rules of the form: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + z1 + + z2 + + icmp + + 8 + + + + + + + + + + + Ping from local zone to firewall + + To permit ping from the local zone to the firewall: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + loc + + fw + + icmp + + 8 + + + + + + + + + + + If you would like to accept 'ping' by default even when the + relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it + doesn't already exist and in that file place the following command: + + run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT + + With that rule in place, if you want to ignore 'ping' from + z1 to z2 then you need a rule of the form: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DROP + + z1 + + z2 + + icmp + + 8 + + + + + + + + + + + Silently drop pings from the Internet + + To drop ping from the internet, you would need this rule in + /etc/shorewall/rules: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DROP + + net + + fw + + icmp + + 8 + + + + + + + + + + + The above rule may be used without any additions to + /etc/shorewall/icmpdef to prevent your log from being flooded by messages + generated from remote pinging. + + + There is one exception to the above description. In 1.3.14 and + 1.3.14a, ping from the firewall itself is enabled unconditionally. 
This + suprising "feature" was removed in version 1.4.0. + +
+ +
+ Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in + /etc/shorewall/shorewall.conf + + There are several aspects to the old Shorewall Ping management: + + + + The noping and filterping interface options in /etc/shorewall/interfaces. + + + + The FORWARDPING option in + /etc/shorewall/shorewall.conf. + + + + Explicit rules in /etc/shorewall/rules. + + + + There are two cases to consider: + + + + Ping requests addressed to the firewall itself; and + + + + Ping requests being forwarded to another system. Included here + are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP + and simple routing. + + + + These cases will be covered separately. + +
+ Ping Requests Addressed to the Firewall Itself + + For ping requests addressed to the firewall, the sequence is as + follows: + + + + If neither noping nor + filterping are specified for the + interface that receives the ping request then the request will be + responded to with an ICMP echo-reply. + + + + If noping is specified for + the interface that receives the ping request then the request is + ignored. + + + + If filterping is specified + for the interface then the request is passed to the rules/policy + evaluation. + + +
+ +
+ Ping Requests Forwarded by the Firewall + + These requests are always passed to rules/policy evaluation. + +
+ Rules Evaluation + + Ping requests are ICMP type 8. So the general rule format is: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + <action> + + <source> + + <destination> + + icmp + + 8 + + + + + + + + + + + Allow ping from DMZ to Net + + Example 1. Accept pings from the net to the dmz (pings are + responded to with an ICMP echo-reply): + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + ACCEPT + + dmz + + net + + icmp + + 8 + + + + + + + + + + + + Silently drop pings from the Net + + Drop pings from the net to the firewall: + + + + + + ACTION + + SOURCE + + DESTINATION + + PROTOCOL + + PORT(S) + + SOURCE PORT(S) + + ORIGINAL DEST + + + + + + DROP + + net + + fw + + icmp + + 8 + + + + + + + + + +
+ +
+ Policy Evaluation + + If no applicable rule is found, then the policy for the source + to the destination is applied. + + + + If the relevant policy is ACCEPT then the request is + responded to with an ICMP echo-reply. + + + + If FORWARDPING is set to + Yes in /etc/shorewall/shorewall.conf then the request is responded + to with an ICMP echo-reply. + + + + Otherwise, the relevant REJECT or DROP policy is used and + the request is either rejected or simply ignored. + + +
+
+
+
\ No newline at end of file
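Review bot: the ping.html deletion hunk removes the page, but the diffstat in the header shows only two files touched, so any other page under Shorewall-docs that links to ping.html (and any build list that enumerates the html sources) is left pointing at a file that no longer exists; please either update those references in the same commit or state in the commit message that they are handled separately.

Review bot: in the ping.xml hunk the third example under "Rules Evaluation" is internally inconsistent: its title reads "Allow ping from DMZ to Net" and the rule row is ACCEPT dmz net icmp 8, while the paragraph above it still says "Accept pings from the net to the dmz", which is also the direction the deleted ping.html used (ACCEPT net dmz icmp 8). Either restore the original net-to-dmz rule and retitle the example "Allow ping from Net to DMZ", or change the prose to match the new direction; as written a reader copying the row gets the opposite rule from the one the sentence describes. Smaller points in the same hunk: the conversion adds sentences that were not in the html ("Note that the above rule may be used without any additions to /etc/shorewall/icmpdef ..." appears twice), so the commit message "Convert ping.html to Docbook XML" understates the change and the revhistory date of 2003-08-23 should be bumped; the typos "Shoreall" (in "In Shoreall 1.4.0" and twice in "/etc/shoreall/rules") and "suprising" are carried over verbatim and could be fixed while the text is being re-keyed; a non-breaking space survived after "enabled unconditionally." where a plain space is intended; and the literal "Example 1." prefix is kept inside a titled example element while the following example has no such prefix, so either drop it or number both consistently.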