holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Convert ping.html to Docbook XML

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@966 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-26 15:31:08 +00:00
parent eea857540b
commit caa793d2b4
2 changed files with 681 additions and 162 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

162
Shorewall-docs/ping.html
View File

@ -1,162 +0,0 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<br>
<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
</h1>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to
upgrade since you have a very old version of Shorewall installed (1.2.4
or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated
just like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in
/etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and
policies just like any other connection request. In order to accept
ping requests from zone z1 to zone z2 where the policy for z1 to z2 is
not ACCEPT, you need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example: <br>
<br>
To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
If you would like to accept 'ping' by default even when the relevant
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it
doesn't already exist and in that file place the following command:<br>
<blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2
then you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp;
z2&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
Example:<br>
<br>
To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote>
<span style="font-weight: bold;">NOTE:&nbsp; </span>There is one
exception to the above description. In 1.3.14 and 1.3.14a, ping from
the firewall itself is enabled unconditionally. This suprising
"feature" was removed in version 1.4.0.<br>
<blockquote> </blockquote>
<blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf<br>
</h2>
There are several aspects to the old Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</li>
</ol>
These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
</ol>
<h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp;
Source&nbsp;&nbsp;&nbsp; Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp;
8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in
/etc/shorewall/shorewall.conf then the request is responded to with an
ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
</ol>
<div style="text-align: justify;"><font size="2">Updated 8/23/2003 - <a
href="support.htm">Tom Eastep</a></font></div>
<p><font size="2"> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

681
Shorewall-docs/ping.xml Normal file
View File

@ -0,0 +1,681 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>ICMP Echo-request (Ping)</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2003-08-23</pubdate>
<copyright>
<year>2001-2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>Shorewall &#39;Ping&#39; management has evolved over time with the
latest change coming in Shorewall version 1.4.0. To find out which version
of Shorewall you are running, at a shell prompt type &#34;/sbin/shorewall
version&#34;. If that command gives you an error, it&#39;s time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or
earlier).</para>
</note>
<section>
<title>Shorewall Versions &#62;= 1.4.0</title>
<para>In Shoreall 1.4.0 and later version, ICMP echo-request&#39;s are
treated just like any other connection request.</para>
<para>In order to accept ping requests from zone z1 to zone z2 where the
policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules
of the form:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example>
<title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
<para>If you would like to accept &#39;ping&#39; by default even when the
relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
doesn&#39;t already exist and in that file place the following command:</para>
<programlisting> run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>
<para>With that rule in place, if you want to ignore &#39;ping&#39; from
z1 to z2 then you need a rule of the form:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example>
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
<para>Note that the above rule may be used without any additions to
/etc/shorewall/icmpdef to prevent your log from being flooded by messages
generated from remote pinging.</para>
</section>
<section>
<title>Shorewall Versions &#62;= 1.3.14 and &#60; 1.4.0 with
OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</title>
<para>In 1.3.14, Ping handling was put under control of the rules and
policies just like any other connection request. In order to accept ping
requests from zone z1 to zone z2 where the policy for z1 to z2 is not
ACCEPT, you need a rule in /etc/shoreall/rules of the form:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example>
<title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
<para>If you would like to accept &#39;ping&#39; by default even when the
relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
doesn&#39;t already exist and in that file place the following command:</para>
<programlisting> run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>
<para>With that rule in place, if you want to ignore &#39;ping&#39; from
z1 to z2 then you need a rule of the form:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example>
<title>Silently drop pings from the Internet</title>
<para>To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
<para>The above rule may be used without any additions to
/etc/shorewall/icmpdef to prevent your log from being flooded by messages
generated from remote pinging.</para>
<note>
<para>There is one exception to the above description. In 1.3.14 and
1.3.14a, ping from the firewall itself is enabled unconditionally. This
suprising &#34;feature&#34; was removed in version 1.4.0.</para>
</note>
</section>
<section>
<title>Shorewall Versions &#60; 1.3.14 or with OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf</title>
<para>There are several aspects to the old Shorewall Ping management:</para>
<orderedlist>
<listitem>
<para>The <emphasis role="bold">noping</emphasis> and <emphasis
role="bold">filterping</emphasis> interface options in <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
</listitem>
<listitem>
<para>The <emphasis role="bold">FORWARDPING</emphasis> option in
<ulink url="Documentation.htm#Config">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
<listitem>
<para>Explicit rules in <ulink url="Documentation.htm#rules">/etc/shorewall/rules</ulink>.</para>
</listitem>
</orderedlist>
<para>There are two cases to consider:</para>
<orderedlist>
<listitem>
<para>Ping requests addressed to the firewall itself; and</para>
</listitem>
<listitem>
<para>Ping requests being forwarded to another system. Included here
are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP
and simple routing.</para>
</listitem>
</orderedlist>
<para>These cases will be covered separately.</para>
<section>
<title>Ping Requests Addressed to the Firewall Itself</title>
<para>For ping requests addressed to the firewall, the sequence is as
follows:</para>
<orderedlist>
<listitem>
<para>If neither <emphasis role="bold">noping</emphasis> nor
<emphasis role="bold">filterping</emphasis> are specified for the
interface that receives the ping request then the request will be
responded to with an ICMP echo-reply.</para>
</listitem>
<listitem>
<para>If <emphasis role="bold">noping</emphasis> is specified for
the interface that receives the ping request then the request is
ignored.</para>
</listitem>
<listitem>
<para>If <emphasis role="bold">filterping</emphasis> is specified
for the interface then the request is passed to the rules/policy
evaluation.</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Ping Requests Forwarded by the Firewall</title>
<para>These requests are always passed to rules/policy evaluation.</para>
<section>
<title>Rules Evaluation</title>
<para>Ping requests are ICMP type 8. So the general rule format is:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>&#60;<emphasis>action</emphasis>&#62;</entry>
<entry>&#60;<emphasis>source</emphasis>&#62;</entry>
<entry>&#60;<emphasis>destination</emphasis>&#62;</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example>
<title>Allow ping from DMZ to Net</title>
<para>Example 1. Accept pings from the net to the dmz (pings are
responded to with an ICMP echo-reply):</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>dmz</entry>
<entry>net</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
<example>
<title>Silently drop pings from the Net</title>
<para>Drop pings from the net to the firewall:</para>
<informaltable>
<tgroup cols="7">
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example>
</section>
<section>
<title>Policy Evaluation</title>
<para>If no applicable rule is found, then the policy for the source
to the destination is applied.</para>
<orderedlist>
<listitem>
<para>If the relevant policy is ACCEPT then the request is
responded to with an ICMP echo-reply.</para>
</listitem>
<listitem>
<para>If <emphasis role="bold">FORWARDPING</emphasis> is set to
Yes in /etc/shorewall/shorewall.conf then the request is responded
to with an ICMP echo-reply.</para>
</listitem>
<listitem>
<para>Otherwise, the relevant REJECT or DROP policy is used and
the request is either rejected or simply ignored.</para>
</listitem>
</orderedlist>
</section>
</section>
</section>
</article>