diff --git a/Shorewall-docs/ping.xml b/Shorewall-docs/ping.xml
index cda70ebbc..2d6822ad8 100644
--- a/Shorewall-docs/ping.xml
+++ b/Shorewall-docs/ping.xml
@@ -2,8 +2,6 @@
- - ICMP Echo-request (Ping)
@@ -15,10 +13,10 @@ - 2003-08-23 + 2004-01-03 - 2001-2003 + 2001-2004 Thomas M. Eastep
@@ -37,9 +35,15 @@ Shorewall Ping management has evolved over time with the latest change coming in Shorewall version 1.4.0. To find out which version of Shorewall you are running, at a shell prompt type - /sbin/shorewall version. If that command gives you an - error, it's time to upgrade since you have a very old version of - Shorewall installed (1.2.4 or earlier). + /sbin/shorewall version. If that command + gives you an error, it's time to upgrade since you have a very old + version of Shorewall installed (1.2.4 or earlier). + + + + Enabling ping will also enable ICMP-based + traceroute. For UDP-based traceroute, see the port information page.
@@ -52,140 +56,29 @@ policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - z1 - - z2 - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT z1 z2 icmp 8 Ping from local zone to firewall To permit ping from the local zone to the firewall: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - loc - - fw - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT loc fw icmp 8 If you would like to accept ping by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command: - run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT + run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DROP - - z1 - - z2 - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DROP z1 z2 icmp 8 Silently drop pings from the Internet
@@ -193,45 +86,8 @@ To drop ping from the internet, you would need this rule in /etc/shorewall/rules: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DROP - - net - - fw - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DROP net fw icmp 8 Note that the above rule may be used without any additions to 
@@ -248,140 +104,29 @@ requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - z1 - - z2 - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT z1 z2 icmp 8 Ping from local zone to firewall To permit ping from the local zone to the firewall: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - loc - - fw - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT loc fw icmp 8 If you would like to accept ping by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command: - run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT + run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT With that rule in place, if you want to ignore ping from z1 to z2 then you need a rule of the form: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DROP - - z1 - - z2 - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DROP z1 z2 icmp 8 Silently drop pings from the Internet
@@ -389,45 +134,8 @@ To drop ping from the internet, you would need this rule in /etc/shorewall/rules: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DROP - - net - - fw - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DROP net fw icmp 8 The above rule may be used without any additions to 
@@ -518,91 +226,16 @@ Ping requests are ICMP type 8. So the general rule format is: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - <action> - - <source> - - <destination> - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +<action> <source> <destination> icmp 8 Allow ping from DMZ to Net - Example 1. Accept pings from the net to the dmz (pings are - responded to with an ICMP echo-reply): + Example 1. Accept pings from the dmz to the net: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - ACCEPT - - dmz - - net - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT dmz net icmp 8
@@ -610,45 +243,8 @@ Drop pings from the net to the firewall: - - - - - ACTION - - SOURCE - - DESTINATION - - PROTOCOL - - PORT(S) - - SOURCE PORT(S) - - ORIGINAL DEST - - - - - - DROP - - net - - fw - - icmp - - 8 - - - - - - - - + #ACTION SOURCE DEST PROTO DEST PORT(S) +DROP net fw icmp 8
@@ -678,4 +274,12 @@ + + + Revision History + + 1.22004-01-03TEAdd + traceroute reference1.12003-08-23TEInitial + version converted to Docbook XML +
\ No newline at end of file