[Shorewall-users] Silently drop ping.

David T Hollis dhollis at davehollis.com
Mon Dec 15 12:39:18 PST 2003

On Mon, 2003-12-15 at 11:18, Francesca C. Smith wrote:
> Hello,
> > I want to drop ICMP traffic but without logging it.  I have looked at
> > the FAQ on ping and understand that I can just set up a rule to do so.
> > Is there an already existing rule for ping somewhere in the
> > configuration I should modify or by placing a new ping rule in my
> > 'rules' it will override the default behavior of logging 
> > 
> DROP	net	fw	icmp
> Francesca

Not sure if you forgot the '8' part or not.  What I use is:
DROP	net	$FW	icmp	8

Which drops the echo-requests.  You don't want to drop all icmp or you
will lose the helpful stuff like host/port unreachable, etc.

Additionally, if you want internal hosts to be able to ping the
firewall, just add
ACCEPT	 loc	$FW	icmp	8
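
As an added example (not from the original post and not Shorewall's own code), here is a small Python linter that reads a Shorewall `rules` file and flags any DROP or REJECT rule that matches all ICMP instead of only echo-request (type 8), which is the mistake the reply above warns about. The column layout it assumes (whitespace-separated ACTION, SOURCE, DEST, PROTO, DEST PORT; `#` comments; an optional `:level` suffix on the action such as `DROP:info`) follows the rules quoted in the thread, and the sample rules file is constructed for the demonstration.

```python
"""Lint a Shorewall rules file for rules that drop or reject *all* ICMP.

Dropping every ICMP type silences echo-request, but also discards the
unreachable/fragmentation-needed messages a host relies on.  The fix the
thread recommends is to restrict the rule to ICMP type 8 in the DEST PORT
column, e.g. "DROP net $FW icmp 8".
"""

from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: two correct rules, two blanket ICMP rules, one TCP rule.
SAMPLE_RULES = """\
#ACTION     SOURCE  DEST    PROTO   DEST    SOURCE
#                                   PORT    PORT(S)
DROP        net     $FW     icmp    8
ACCEPT      loc     $FW     icmp    8
DROP        net     $FW     icmp
REJECT:info net     loc     icmp    -
ACCEPT      net     $FW     tcp     22
"""


@dataclass
class Rule:
    lineno: int
    action: str          # DROP / ACCEPT / REJECT ... with any :level suffix removed
    source: str
    dest: str
    proto: str           # lower-cased; "-" when the column is absent
    dest_port: Optional[str]  # ICMP type for proto icmp; None when column absent
    raw: str


def parse_rules(text: str) -> List[Rule]:
    """Parse the rules file into Rule records, skipping comments and blanks."""
    rules: List[Rule] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        body = line.split("#", 1)[0].strip()   # strip trailing/whole-line comments
        if not body or body.upper().startswith("SECTION"):
            continue
        cols = body.split()
        if len(cols) < 3:                       # ACTION SOURCE DEST are mandatory
            continue
        action = cols[0].split(":", 1)[0].upper()  # "DROP:info" -> "DROP"
        proto = cols[3].lower() if len(cols) > 3 else "-"
        dest_port = cols[4] if len(cols) > 4 else None
        rules.append(Rule(lineno, action, cols[1], cols[2], proto, dest_port, body))
    return rules


def find_blanket_icmp(rules: List[Rule]) -> List[Rule]:
    """Return DROP/REJECT rules whose PROTO is icmp with no ICMP type given."""
    return [
        r for r in rules
        if r.action in ("DROP", "REJECT")
        and r.proto == "icmp"
        and r.dest_port in (None, "-")
    ]


def lint(text: str) -> List[str]:
    """Human-readable findings for a rules file."""
    return [
        f"line {r.lineno}: '{r.raw}' {r.action.lower()}s every ICMP type from "
        f"{r.source}; restrict it to type 8 so unreachables still get through"
        for r in find_blanket_icmp(parse_rules(text))
    ]


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Run against the sample it reports the two blanket rules (lines 5 and 6) and stays quiet about the `icmp 8` rules, which is exactly the distinction the reply draws. Point it at your real `/etc/shorewall/rules` by reading the file into `lint()`.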

