forked from extern/shorewall_code
f04d58006f
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
91 lines
3.5 KiB
HTML
91 lines
3.5 KiB
HTML
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<html>
|
|
<head>
|
|
<title>ICMP Echo-request (Ping)</title>
|
|
<meta http-equiv="content-type"
|
|
content="text/html; charset=ISO-8859-1">
|
|
<meta name="author" content="Tom Eastep">
|
|
</head>
|
|
<body>
|
|
<table border="0" cellpadding="0" cellspacing="0"
|
|
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
|
id="AutoNumber1" bgcolor="#400169" height="90">
|
|
<tbody>
|
|
<tr>
|
|
<td width="100%">
|
|
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
|
|
</td>
|
|
</tr>
|
|
|
|
</tbody>
|
|
</table>
|
|
<br>
|
|
Shorewall 'Ping' management has evolved over time in a less than consistant
|
|
way. This page describes how it now works.<br>
|
|
<br>
|
|
There are several aspects to Shorewall Ping management:<br>
|
|
<ol>
|
|
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
|
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
|
<li>The <b>FORWARDPING</b> option in<a
|
|
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
|
<li>Explicit rules in <a
|
|
href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
|
</ol>
|
|
There are two cases to consider:<br>
|
|
<ol>
|
|
<li>Ping requests addressed to the firewall itself; and</li>
|
|
<li>Ping requests being forwarded to another system. Included here are
|
|
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
|
|
routing.</li>
|
|
</ol>
|
|
These cases will be covered separately.<br>
|
|
<h2>Ping Requests Addressed to the Firewall Itself</h2>
|
|
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
|
<ol>
|
|
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
|
|
interface that receives the ping request then the request will be responded
|
|
to with an ICMP echo-reply.</li>
|
|
<li>If <b>noping</b> is specified for the interface that receives the ping
|
|
request then the request is ignored.</li>
|
|
<li>If <b>filterping </b>is specified for the interface then the request
|
|
is passed to the rules/policy evaluation.</li>
|
|
</ol>
|
|
<h2>Ping Requests Forwarded by the Firewall</h2>
|
|
These requests are <b>always</b> passed to rules/policy evaluation.<br>
|
|
<h2>Rules Evaluation</h2>
|
|
Ping requests are ICMP type 8. So the general rule format is:<br>
|
|
<br>
|
|
<i>Target Source Destination
|
|
</i>icmp 8<br>
|
|
<br>
|
|
Example 1. Accept pings from the net to the dmz (pings are responded to with
|
|
an ICMP echo-reply):<br>
|
|
<br>
|
|
ACCEPT net dmz
|
|
icmp 8<br>
|
|
<br>
|
|
Example 2. Drop pings from the net to the firewall<br>
|
|
<br>
|
|
DROP net fw
|
|
icmp 8<br>
|
|
<h2>Policy Evaluation</h2>
|
|
If no applicable rule is found, then the policy for the source to the destination
|
|
is applied.<br>
|
|
<ol>
|
|
<li>If the relevant policy is ACCEPT then the request is responded to with
|
|
an ICMP echo-reply.</li>
|
|
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
|
then the request is responded to with an ICMP echo-reply.</li>
|
|
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
|
|
is either rejected or simply ignored.</li>
|
|
</ol>
|
|
<p><font size="2">Updated 12/13/2002 - <a
|
|
href="support.htm">Tom Eastep</a> </font></p>
|
|
|
|
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
|
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
|
<br>
|
|
</body>
|
|
</html>
|