[Shorewall-users] Silently drop ping.

Francesca C. Smith fsmith at ladylinux.com
Mon Dec 15 12:55:24 PST 2003


Hello,

ICMP echo has taken on a whole new irritating life in the days since
Blaster .. It's not just 8 anymore .. But yes .. I do get your point .. 

Francesca
On Mon, 2003-12-15 at 12:39, David T Hollis wrote:
> On Mon, 2003-12-15 at 11:18, Francesca C. Smith wrote:
> > Hello,
> > 
> > 
> > > I want to drop ICMP traffic but without logging it.  I have looked at
> > > the FAQ on ping and understand that I can just set up a rule to do so.
> > > Is there an already existing rule for ping somewhere in the
> > > configuration I should modify or by placing a new ping rule in my
> > > 'rules' it will override the default behavior of logging 
> > > 
> > 
> > DROP	net	fw	icmp
> > 
> > Francesca
> 
> Not sure if you forgot the '8' part or not.  What I use is:
> DROP	net	$FW	icmp	8
> 
> Which drops the echo-requests.  You don't want to drop all icmp or you
> will lose the helpful stuff like host/port unreachable, etc.
> 
> Additionally, if you want internal hosts to be able to ping the
> firewall, just add
> ACCEPT	 loc	$FW	icmp	8
> 
> 
> 
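The distinction David draws above, between dropping all ICMP and dropping only echo-request (type 8), is easy to get wrong when a rules file grows. The following checker is an added example, not code from the thread or from the Shorewall project: it parses a Shorewall-style `rules` fragment (columns ACTION, SOURCE, DEST, PROTO, DEST PORT(S), where for `icmp` the last column holds the ICMP type, and where ACTION may carry a `:loglevel` suffix) and flags DROP/REJECT rules that match every ICMP type. The sample rules embedded in it are constructed for the demonstration.

```python
"""Lint a Shorewall-style rules fragment for over-broad ICMP drops.

A DROP or REJECT on proto icmp with no type column discards
destination-unreachable, time-exceeded and similar control messages
along with echo-request, which breaks path-MTU discovery and hides
routing problems. The check reports such rules with their line number.
"""
from typing import List, Tuple

# Constructed sample, not taken from the mailing-list post.
SAMPLE_RULES = """\
#ACTION   SOURCE  DEST  PROTO  DEST PORT(S)
DROP      net     $FW   icmp
DROP:info net     $FW   icmp   8
ACCEPT    loc     $FW   icmp   8
ACCEPT    net     $FW   tcp    22
"""

BLOCKING_ACTIONS = {"DROP", "REJECT"}
ECHO_REQUEST = "8"  # ICMP type 8 = echo-request (what "ping" sends)


def parse_rules(text: str) -> List[Tuple[int, List[str]]]:
    """Return (line number, columns) for each non-comment, non-blank line."""
    rows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if line:
            rows.append((lineno, line.split()))
    return rows


def check_icmp_rules(text: str) -> List[str]:
    """Warn about DROP/REJECT rules on icmp that omit the ICMP type."""
    warnings = []
    for lineno, cols in parse_rules(text):
        if len(cols) < 4:
            continue  # too short to be a complete rule; ignore here
        action, source, dest, proto = cols[:4]
        if proto.lower() != "icmp":
            continue
        # ACTION may be "DROP:info"; the part before ':' is the action,
        # the part after it is the syslog level (absent = silent).
        base_action = action.split(":", 1)[0].upper()
        icmp_type = cols[4] if len(cols) > 4 else None
        if base_action in BLOCKING_ACTIONS and icmp_type is None:
            warnings.append(
                f"line {lineno}: {action} {source}->{dest} matches ALL icmp; "
                f"restrict it to type {ECHO_REQUEST} (echo-request) so "
                "unreachable/time-exceeded messages still arrive"
            )
    return warnings


def is_silent(action: str) -> bool:
    """True when the ACTION carries no ':loglevel' suffix, i.e. no logging."""
    return ":" not in action


if __name__ == "__main__":
    for w in check_icmp_rules(SAMPLE_RULES):
        print(w)
```

Running it on the sample prints one warning, for the untyped `DROP net $FW icmp` line; the typed drop and the `ACCEPT loc $FW icmp 8` rule pass. `is_silent` mirrors the thread's subject: a bare `DROP` logs nothing, while `DROP:info` would log at that level.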