Shorewall 'Ping' management has evolved over time in a less than consistant
way. This page describes how it now works.
There are several aspects to Shorewall Ping management:
- The noping and filterping interface options in /etc/shorewall/interfaces.
- The FORWARDPING option in /etc/shorewall/shorewall.conf.
- Explicit rules in /etc/shorewall/rules.
There are two cases to consider:
- Ping requests addressed to the firewall itself; and
- Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.
These cases will be covered separately.
Ping Requests Addressed to the Firewall Itself
For ping requests addressed to the firewall, the sequence is as follows:
- If neither noping nor filterping are specified for the
interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.
- If noping is specified for the interface that receives the ping
request then the request is ignored.
- If filterping is specified for the interface then the request
is passed to the rules/policy evaluation.
Ping Requests Forwarded by the Firewall
These requests are always passed to rules/policy evaluation.
Rules Evaluation
Ping requests are ICMP type 8. So the general rule format is:
Target Source Destination
icmp 8
Example 1. Accept pings from the net to the dmz (pings are responded to with
an ICMP echo-reply):
ACCEPT net dmz
icmp 8
Example 2. Drop pings from the net to the firewall
DROP net fw
icmp 8
Policy Evaluation
If no applicable rule is found, then the policy for the source to the destination
is applied.
- If the relevant policy is ACCEPT then the request is responded to with
an ICMP echo-reply.
- If FORWARDPING is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.
- Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.
Updated 12/13/2002 - Tom Eastep
Copyright
© 2001, 2002 Thomas M. Eastep.