[Shorewall-users] Silently drop ping.

Tom Eastep teastep at shorewall.net
Mon Dec 15 10:01:35 PST 2003


On Monday 15 December 2003 09:55 am, Francesca C. Smith wrote:
> Hello,
>
> ICMP echo has taken on a whole new irritating life in the days since
> Blaster .. It's not just 8 anymore .. But yes .. I do get your point ..
>

Actually, you can probably drop all ICMP in a rule and not hurt anything -- 
any ICMP packets that are important are handled via an ACCEPT 
ESTABLISHED,RELATED rule prior to any rules generated by 
/etc/shorewall/rules.

As mentioned on the list recently though, I use this rule which I recommend 
placing before any blanket ICMP drop:

ACCEPT	fw	net	icmp

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep at shorewall.net
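
An added illustration, not part of the original message and not Shorewall's own code: a small Python model of first-match filtering in which the ESTABLISHED,RELATED accept is checked before the entries from the rules file, showing which ICMP packets a blanket drop affects with and without the `ACCEPT fw net icmp` rule. The blanket DROP entry, the zone matching logic, and the sample packets are assumptions constructed for the example.

```python
# Added illustration: first-match packet filtering with a connection-tracking
# state check placed ahead of the user rules. All names here are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto state desc")

# Assumed chain order, following the message: the ESTABLISHED,RELATED accept
# comes first, then entries from /etc/shorewall/rules in file order.
def evaluate(packet, user_rules):
    if packet.state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    for action, src, dst, proto in user_rules:
        if (src in ("all", packet.src) and dst in ("all", packet.dst)
                and proto in ("all", packet.proto)):
            return action
    return "POLICY"  # fell through to the zone policy, not modelled here

RULES_WITH_ACCEPT = [
    ("ACCEPT", "fw", "net", "icmp"),   # the rule from the message
    ("DROP", "all", "all", "icmp"),    # hypothetical blanket ICMP drop
]
RULES_DROP_ONLY = RULES_WITH_ACCEPT[1:]

# Constructed sample traffic; each packet is evaluated independently.
SAMPLES = [
    Packet("net", "fw", "icmp", "NEW", "unsolicited echo-request"),
    Packet("net", "fw", "icmp", "RELATED", "dest-unreachable for an open TCP flow"),
    Packet("fw", "net", "icmp", "NEW", "firewall pings an outside host"),
    Packet("net", "fw", "icmp", "ESTABLISHED", "echo-reply to that ping"),
]

def verdicts(user_rules):
    return [evaluate(p, user_rules) for p in SAMPLES]

if __name__ == "__main__":
    with_accept = verdicts(RULES_WITH_ACCEPT)
    drop_only = verdicts(RULES_DROP_ONLY)
    for p, a, b in zip(SAMPLES, with_accept, drop_only):
        print(f"{p.desc:40} with ACCEPT: {a:7} drop only: {b}")
```

In the model, the firewall's own outgoing echo-request is in state NEW, so it is the one packet whose verdict changes when the ACCEPT entry is missing ahead of the blanket drop.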



