[Shorewall-users] Silently drop ping.
Francesca C. Smith
fsmith at ladylinux.com
Mon Dec 15 12:55:24 PST 2003
ICMP echo has taken on a whole new irritating life in the days since
Blaster .. It's not just 8 anymore .. But yes .. I do get your point ..
On Mon, 2003-12-15 at 12:39, David T Hollis wrote:
> On Mon, 2003-12-15 at 11:18, Francesca C. Smith wrote:
> > Hello,
> > > I want to drop ICMP traffic but without logging it. I have looked at
> > > the FAQ on ping and understand that I can just set up a rule to do so.
> > > Is there an already existing rule for ping somewhere in the
> > > configuration I should modify or by placing a new ping rule in my
> > > 'rules' it will override the default behavior of logging
> > >
> > DROP net fw icmp
> > Francesca
> Not sure if you forgot the '8' part or not. What I use is:
> DROP net $FW icmp 8
> Which drops the echo-requests. You don't want to drop all icmp or you
> will lose the helpful stuff like host/port unreachable, etc.
> Additionally, if you want internal hosts to be able to ping the
> firewall, just add
> ACCEPT loc $FW icmp 8
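Added example (not part of the original thread and not Shorewall's own code): a small Python check over a `rules` file that tells the all-ICMP drop apart from the echo-request-only drop discussed above, and reports whether the drop logs. It assumes the ICMP type sits in the fifth column, that `fw` or `$FW` names the firewall zone, that a `:level` suffix on the action means the rule logs, and that `echo-request` may be written in place of `8`; the function names and sample rules are constructed.

```python
# Added example: lint Shorewall 'rules' lines for the ICMP pitfall in this thread.
ECHO_REQUEST = {"8", "echo-request"}   # assumption: type name accepted as well as number
FIREWALL_ZONES = {"fw", "$FW"}         # zone names used in the thread

# Constructed sample rules, not taken from a real firewall.
SAMPLE_RULES = """\
# ACTION   SOURCE DEST PROTO DEST-PORT
DROP       net    fw   icmp
DROP       net    $FW  icmp  8
DROP:info  net    $FW  icmp  8
ACCEPT     loc    $FW  icmp  8
ACCEPT     net    $FW  tcp   22
"""

def parse_rule(line):
    """Split one rules line into its columns; None for comments and short lines."""
    cols = line.split("#", 1)[0].split()
    if len(cols) < 4:
        return None
    action, _, level = cols[0].partition(":")
    icmp_type = cols[4] if len(cols) > 4 and cols[4] != "-" else None
    return {"action": action.upper(), "logged": bool(level),
            "dest": cols[2], "proto": cols[3].lower(), "icmp_type": icmp_type}

def lint_rule(line):
    """Classify a DROP/REJECT of ICMP aimed at the firewall zone."""
    rule = parse_rule(line)
    if rule is None or rule["proto"] != "icmp":
        return None
    if rule["dest"] not in FIREWALL_ZONES or rule["action"] not in ("DROP", "REJECT"):
        return None
    if rule["icmp_type"] is None:
        # No type given: unreachables and other useful ICMP are dropped too.
        return "drops-all-icmp"
    if rule["icmp_type"] in ECHO_REQUEST:
        return "logged-echo-drop" if rule["logged"] else "silent-echo-drop"
    return None

def lint(text):
    """Return (line number, verdict) for every rule that gets a verdict."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        verdict = lint_rule(line)
        if verdict:
            findings.append((number, verdict))
    return findings

if __name__ == "__main__":
    for number, verdict in lint(SAMPLE_RULES):
        print(f"line {number}: {verdict}")
```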