
I'm configuring shorewall on a server, and things are going well so far. However, there is one thing I am wondering about. The 'rules' file has, among others, the following lines:

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

Ping(DROP)      net             $FW

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

As far as I understand, the two last lines allow the firewall to ping machines on both the local network and the internet. However, it also seems that the 4th line from the bottom drops pings from the internet. All lines seem to relate to pinging. However, is ACCEPT [...] icmp different from Ping(DROP), or could it have been written (I've changed the 4th line from the bottom) as I've done below?

#
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
#

DROP            net             $FW             icmp

ACCEPT          $FW             loc             icmp
ACCEPT          $FW             net             icmp

All hints appreciated!

sbrattla

1 Answer

The file /usr/share/shorewall/macro.Ping tells you what you want to know.

"Ping(DROP)" invokes the Ping Shorewall macro. In this case, we see that it affects ICMP destined for port 8 (remember that ICMP does more than just ping). To rewrite it, you would have to add that destination port 8 to the end of your rule, but otherwise you've got it.

Take a look at some of the other macro.* files in that directory, too -- the ping macro is trivial, but some of the others get quite a bit more complicated, and thus more effectively demonstrate the utility of macros in Shorewall configs.

Kromey
  • Just to get it right...is a ping "travelling" on the ICMP protocol and its destination port always 8? – sbrattla Oct 05 '11 at 20:08
  • Strictly speaking, ICMP doesn't use ports, but rather "types". ICMP type 8 (which is what you're seeing here) is "Echo Request", i.e. the outbound packet of a ping; the destination will send an ICMP type 0 ("Echo Reply") packet in response. (Note that you don't have to allow ICMP 0, as Shorewall/iptables will recognize that it's a response to the allowed ICMP 8 that was sent.) Wikipedia has some great info on ICMP: http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol – Kromey Oct 05 '11 at 20:19
  • So to be clear, the ping isn't really "traveling" per se on ICMP, but rather a ping *is* the combination of ICMP types 8 and 0, and your ping utility measures the time between sending the type 8 packet and receiving the type 0 packet (or notes the lost packet if no type 0 is received). This glosses over quite a few technical details, but should be sufficient for anything except writing your very own ping tool. – Kromey Oct 05 '11 at 20:22
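Since the comments describe ping as the pairing of an ICMP type 8 (Echo Request) with a type 0 (Echo Reply), here is an added Python example, not from the thread, that builds and parses the 8-byte ICMP echo header with its RFC 1071 checksum, classifies a message by type the way an "icmp 8" or "icmp 0" rule would see it, and pairs a reply with its request by identifier and sequence number. All packets are constructed inside the script; no socket is opened. The field names and the pairing rule are this example's own choices.

```python
"""Build, parse and pair ICMP echo messages (types 8 and 0). Added example, runs offline."""
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
HEADER = struct.Struct("!BBHHH")  # type, code, checksum, identifier, sequence


def icmp_checksum(data):
    """RFC 1071 one's-complement sum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length messages for 16-bit summing
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, ident, seq, payload=b""):
    """Return an ICMP echo request (8) or reply (0) with a correct checksum."""
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        raise ValueError("echo messages are type 8 or 0")
    header = HEADER.pack(icmp_type, 0, 0, ident, seq)  # checksum field zeroed first
    csum = icmp_checksum(header + payload)
    return HEADER.pack(icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Return the header fields as a dict; 'valid' is False if the checksum fails."""
    if len(packet) < HEADER.size:
        raise ValueError("ICMP header is %d bytes" % HEADER.size)
    icmp_type, code, csum, ident, seq = HEADER.unpack(packet[:HEADER.size])
    return {
        "type": icmp_type, "code": code, "checksum": csum,
        "id": ident, "seq": seq, "payload": packet[HEADER.size:],
        # a correct message, checksum field included, complements to zero
        "valid": icmp_checksum(packet) == 0,
    }


def classify(packet):
    """Name the message the way a firewall rule on 'icmp 8' / 'icmp 0' would match it."""
    p = parse_icmp(packet)
    if not p["valid"]:
        return "bad checksum"
    names = {ICMP_ECHO_REQUEST: "echo request", ICMP_ECHO_REPLY: "echo reply"}
    return names.get(p["type"], "icmp type %d" % p["type"])


def is_reply_to(request, reply):
    """True if 'reply' is the type-0 answer to the type-8 'request' (same id, seq, payload)."""
    q, r = parse_icmp(request), parse_icmp(reply)
    return (q["valid"] and r["valid"]
            and q["type"] == ICMP_ECHO_REQUEST and r["type"] == ICMP_ECHO_REPLY
            and (q["id"], q["seq"], q["payload"]) == (r["id"], r["seq"], r["payload"]))


if __name__ == "__main__":
    # Constructed exchange: one request and the matching reply
    req = build_echo(ICMP_ECHO_REQUEST, 0x1234, 1, b"ping-data")
    rep = build_echo(ICMP_ECHO_REPLY, 0x1234, 1, b"ping-data")
    print(classify(req), classify(rep), is_reply_to(req, rep))
```

The identifier and sequence number are what let a ping tool, and a stateful firewall, tie a type 0 reply back to the type 8 request that caused it, which is why, as the comment notes, the reply does not need its own ACCEPT rule once the request is allowed.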