Add traceroute note

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1051 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2004-01-03 23:03:14 +00:00
parent 9ca64face0
commit ea95a311c8

@ -2,8 +2,6 @@
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article> <article>
<!--$Id$-->
<articleinfo> <articleinfo>
<title>ICMP Echo-request (Ping)</title> <title>ICMP Echo-request (Ping)</title>
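Review bot: the <!--$Id$--> line is dropped with nothing replacing it in this hunk; confirm the removal is intended, since it was the only in-file revision stamp until the revision history appendix added at the end of this patch.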
@ -15,10 +13,10 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2003-08-23</pubdate> <pubdate>2004-01-03</pubdate>
<copyright> <copyright>
<year>2001-2003</year> <year>2001-2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -37,9 +35,15 @@
<para>Shorewall <quote>Ping</quote> management has evolved over time with <para>Shorewall <quote>Ping</quote> management has evolved over time with
the latest change coming in Shorewall version 1.4.0. To find out which the latest change coming in Shorewall version 1.4.0. To find out which
version of Shorewall you are running, at a shell prompt type version of Shorewall you are running, at a shell prompt type
<quote>/sbin/shorewall version</quote>. If that command gives you an <quote><command>/sbin/shorewall version</command></quote>. If that command
error, it&#39;s time to upgrade since you have a very old version of gives you an error, it&#39;s time to upgrade since you have a very old
Shorewall installed (1.2.4 or earlier).</para> version of Shorewall installed (1.2.4 or earlier).</para>
</note>
<note>
<para>Enabling <quote>ping</quote> will also enable ICMP-based
<emphasis>traceroute</emphasis>. For UDP-based traceroute, see the <ulink
url="ports.htm">port information page</ulink>.</para>
</note> </note>
<section> <section>
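Review bot: the new <note> says enabling ping also enables ICMP-based traceroute, but it does not say which rule does that; since the rest of the document admits echo-request (icmp type 8) per zone pair, state that an ACCEPT rule for icmp 8 from z1 to z2 is what lets ICMP traceroute probes from z1 reach z2, so a reader who drops ping from net to fw understands that direction of ICMP traceroute is dropped as well. Wrapping /sbin/shorewall version in <command> is a good markup fix; url="ports.htm" is a relative link, so confirm it resolves where the rendered page is published.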
@ -52,140 +56,29 @@
policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules
of the form:</para> of the form:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT z1 z2 icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example> <example>
<title>Ping from local zone to firewall</title> <title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para> <para>To permit ping from the local zone to the firewall:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT loc fw icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
<para>If you would like to accept <quote>ping</quote> by default even when <para>If you would like to accept <quote>ping</quote> by default even when
the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
doesn&#39;t already exist and in that file place the following command:</para> doesn&#39;t already exist and in that file place the following command:</para>
<programlisting> run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting> <programlisting>run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote> <para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para> from z1 to z2 then you need a rule of the form:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> DROP z1 z2 icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example> <example>
<title>Silently drop pings from the Internet</title> <title>Silently drop pings from the Internet</title>
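Review bot: the unchanged context at the top of this hunk still reads /etc/shoreall/rules (missing the "w"); since this hunk rewrites the same passage, correct it to /etc/shorewall/rules so readers do not copy a wrong path. The table-to-programlisting conversion itself preserves every non-empty cell (ACTION, SOURCE, DEST, PROTO, DEST PORT(S)); dropping the always-empty SOURCE PORT(S) and ORIGINAL DEST columns is fine because each rule shown uses only the first five fields, and the comment header in the listing now matches the layout of the rules file.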
@ -193,45 +86,8 @@
<para>To drop ping from the internet, you would need this rule in <para>To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> DROP net fw icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
<para>Note that the above rule may be used without any additions to <para>Note that the above rule may be used without any additions to
@ -248,140 +104,29 @@
requests from zone z1 to zone z2 where the policy for z1 to z2 is not requests from zone z1 to zone z2 where the policy for z1 to z2 is not
ACCEPT, you need a rule in /etc/shoreall/rules of the form:</para> ACCEPT, you need a rule in /etc/shoreall/rules of the form:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT z1 z2 icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example> <example>
<title>Ping from local zone to firewall</title> <title>Ping from local zone to firewall</title>
<para>To permit ping from the local zone to the firewall:</para> <para>To permit ping from the local zone to the firewall:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT loc fw icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>loc</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
<para>If you would like to accept <quote>ping</quote> by default even when <para>If you would like to accept <quote>ping</quote> by default even when
the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it
doesn&#39;t already exist and in that file place the following command:</para> doesn&#39;t already exist and in that file place the following command:</para>
<programlisting> run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting> <programlisting>run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT</programlisting>
<para>With that rule in place, if you want to ignore <quote>ping</quote> <para>With that rule in place, if you want to ignore <quote>ping</quote>
from z1 to z2 then you need a rule of the form:</para> from z1 to z2 then you need a rule of the form:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> DROP z1 z2 icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>z1</entry>
<entry>z2</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example> <example>
<title>Silently drop pings from the Internet</title> <title>Silently drop pings from the Internet</title>
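Review bot: same path typo as in the earlier section: the context line reads /etc/shoreall/rules and should be /etc/shorewall/rules. The rest of this hunk is the same table-to-listing conversion, and the rules it emits (ACCEPT z1 z2 icmp 8, ACCEPT loc fw icmp 8, DROP z1 z2 icmp 8) are identical to the removed table rows.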
@ -389,45 +134,8 @@
<para>To drop ping from the internet, you would need this rule in <para>To drop ping from the internet, you would need this rule in
/etc/shorewall/rules:</para> /etc/shorewall/rules:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> DROP net fw icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
<para>The above rule may be used without any additions to <para>The above rule may be used without any additions to
@ -518,91 +226,16 @@
<para>Ping requests are ICMP type 8. So the general rule format is:</para> <para>Ping requests are ICMP type 8. So the general rule format is:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> <emphasis>&#60;action&#62;</emphasis> <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>&#60;<emphasis>action</emphasis>&#62;</entry>
<entry>&#60;<emphasis>source</emphasis>&#62;</entry>
<entry>&#60;<emphasis>destination</emphasis>&#62;</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<example> <example>
<title>Allow ping from DMZ to Net</title> <title>Allow ping from DMZ to Net</title>
<para>Example 1. Accept pings from the net to the dmz (pings are <para>Example 1. Accept pings from the dmz to the net:</para>
responded to with an ICMP echo-reply):</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> ACCEPT dmz net icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>ACCEPT</entry>
<entry>dmz</entry>
<entry>net</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
<example> <example>
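Review bot: the Example 1 text now matches its rule (ACCEPT dmz net icmp 8) and its title, which fixes a real direction error, but the parenthetical "(pings are responded to with an ICMP echo-reply)" was dropped with it; keep that phrase, since it is the only place the document tells readers that an accepted echo-request produces an echo-reply. In the general format listing, the <emphasis> placeholders (&#60;action&#62; and so on) inside <programlisting> render inline, which is fine for DocBook, but their names differ from the header (ACTION/SOURCE/DEST versus action/source/destination); consider using the header's spelling in the placeholders.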
@ -610,45 +243,8 @@
<para>Drop pings from the net to the firewall:</para> <para>Drop pings from the net to the firewall:</para>
<informaltable> <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
<tgroup cols="7"> DROP net fw icmp 8</programlisting>
<thead>
<row>
<entry align="center">ACTION</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
<entry align="center">SOURCE PORT(S)</entry>
<entry align="center">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row>
<entry>DROP</entry>
<entry>net</entry>
<entry>fw</entry>
<entry>icmp</entry>
<entry>8</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</informaltable>
</example> </example>
</section> </section>
@ -678,4 +274,12 @@
</section> </section>
</section> </section>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
traceroute reference</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-08-23</date><authorinitials>TE</authorinitials><revremark>Initial
version converted to Docbook XML</revremark></revision></revhistory></para>
</appendix>
</article> </article>
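Review bot: the new revision history sits in a <para> inside an <appendix> rather than in <articleinfo>, where DocBook 4.2 normally keeps <revhistory>; validate the file against the DTD named in the DOCTYPE before committing, and if the appendix placement is the project convention, fine. The revision dates agree with the metadata change earlier in this patch (1.2 on 2004-01-03 matches the new <pubdate>, 1.1 on 2003-08-23 matches the old one). The <revremark> for 1.2 breaks the text "Add traceroute reference" across a line; harmless, but a single line reads better in source.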