<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>ICMP Echo-request (Ping)</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.<br>
<br>
There are several aspects to Shorewall Ping management:<br>
<ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a
href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol>
There are two cases to consider:<br>
<ol>
<li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li>
</ol>
These cases will be covered separately.<br>
<h2>Ping Requests Addressed to the Firewall Itself</h2>
For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the ping
request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li>
</ol>
<h2>Ping Requests Forwarded by the Firewall</h2>
These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h2>Rules Evaluation</h2>
Ping requests are ICMP type 8. So the general rule format is:<br>
<br>
<i>Target Source Destination
</i>icmp 8<br>
<br>
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):<br>
<br>
ACCEPT net dmz
icmp 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
DROP net fw
icmp 8<br>
<h2>Policy Evaluation</h2>
If no applicable rule is found, then the policy for the source to the destination
is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li>
</ol>
<p><font size="2">Updated 12/13/2002 - <a
href="support.htm">Tom Eastep</a> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>