Is it possible to create rules that apply to specific codes of ICMP types?

The AllowICMPs macro seems to have this type of precision for ICMP type 3 code 4.

How can I write a rule that has this kind of precision for arbitrary ICMP types/codes?

Brent Gardner

bgardner@iprotech.info wrote:
> Is it possible to create rules that apply to specific codes of ICMP types?
>
> The AllowICMPs macro seems to have this type of precision for ICMP type 3 code 4.
>
> How can I write a rule that has this kind of precision for arbitrary ICMP types/codes?

The same way as the macro does.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

teastep@shorewall.net wrote:
> The same way as the macro does.

The macro appears to use keywords: 'fragmentation-needed' and 'time-exceeded'

Where can I find where these are defined? Or, is there a list of acceptable keywords?

I grepped /etc/shorewall and /usr/share/shorewall but nothing came up.

Brent Gardner

bgardner@iprotech.info wrote:
> The macro appears to use keywords: 'fragmentation-needed' and 'time-exceeded'
>
> Where can I find where these are defined? Or, is there a list of acceptable keywords?
>
> I grepped /etc/shorewall and /usr/share/shorewall but nothing came up.

From /usr/share/shorewall/Shorewall/IPAddrs.pm, here is the list of keywords and their corresponding codes:

    my %icmp_types = (
        any                         => 'any',
        'echo-reply'                => 0,
        'destination-unreachable'   => 3,
        'network-unreachable'       => '3/0',
        'host-unreachable'          => '3/1',
        'protocol-unreachable'      => '3/2',
        'port-unreachable'          => '3/3',
        'fragmentation-needed'      => '3/4',
        'source-route-failed'       => '3/5',
        'network-unknown'           => '3/6',
        'host-unknown'              => '3/7',
        'network-prohibited'        => '3/9',
        'host-prohibited'           => '3/10',
        'TOS-network-unreachable'   => '3/11',
        'TOS-host-unreachable'      => '3/12',
        'communication-prohibited'  => '3/13',
        'host-precedence-violation' => '3/14',
        'precedence-cutoff'         => '3/15',
        'source-quench'             => 4,
        'redirect'                  => 5,
        'network-redirect'          => '5/0',
        'host-redirect'             => '5/1',
        'TOS-network-redirect'      => '5/2',
        'TOS-host-redirect'         => '5/3',
        'echo-request'              => '8',
        'router-advertisement'      => 9,
        'router-solicitation'       => 10,
        'time-exceeded'             => 11,
        'ttl-zero-during-transit'   => '11/0',
        'ttl-zero-during-reassembly' => '11/1',
        'parameter-problem'         => 12,
        'ip-header-bad'             => '12/0',
        'required-option-missing'   => '12/1',
        'timestamp-request'         => 13,
        'timestamp-reply'           => 14,
        'address-mask-request'      => 17,
        'address-mask-reply'        => 18
    );

-Tom

teastep@shorewall.net wrote:
> From /usr/share/shorewall/Shorewall/IPAddrs.pm, here is the list of
> keywords and their corresponding codes:

Thanks a lot for this!

Can these keywords be used directly in /etc/shorewall/rules? How about the values they represent, like this:

    ACCEPT fw net icmp 12/1

Brent Gardner

bgardner@iprotech.info wrote:
> Thanks a lot for this!
>
> Can these keywords be used directly in /etc/shorewall/rules? How about the values they represent, like this:
>
>     ACCEPT fw net icmp 12/1

Yes and Yes. See

1) http://www.shorewall.net/configuration_file_basics.htm#ICMP
2) http://www.shorewall.net/manpages/shorewall-rules.html (look under DEST PORT(S))

-Tom

teastep@shorewall.net wrote:
> Yes and Yes. See
>
> 1) http://www.shorewall.net/configuration_file_basics.htm#ICMP
> 2) http://www.shorewall.net/manpages/shorewall-rules.html (look under
> DEST PORT(S))

Thanks again. I was googling all over the place yesterday, I don't know how I missed these.

Brent Gardner
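
Added example (not part of the thread, and not Shorewall's own code): a small Python audit that resolves the ICMP entry of each rule to a numeric type/code using the keyword table quoted above, and reports whether the rule matches one code or every code of a type. The function names, the assumed column order (ACTION SOURCE DEST PROTO DEST PORT(S)) and the sample rules are assumptions made for illustration.

```python
# Keyword table transcribed from the %icmp_types hash quoted in the thread.
ICMP_TYPES = dict(pair.split("=") for pair in """
any=any echo-reply=0 destination-unreachable=3 network-unreachable=3/0
host-unreachable=3/1 protocol-unreachable=3/2 port-unreachable=3/3
fragmentation-needed=3/4 source-route-failed=3/5 network-unknown=3/6
host-unknown=3/7 network-prohibited=3/9 host-prohibited=3/10
TOS-network-unreachable=3/11 TOS-host-unreachable=3/12
communication-prohibited=3/13 host-precedence-violation=3/14
precedence-cutoff=3/15 source-quench=4 redirect=5 network-redirect=5/0
host-redirect=5/1 TOS-network-redirect=5/2 TOS-host-redirect=5/3
echo-request=8 router-advertisement=9 router-solicitation=10
time-exceeded=11 ttl-zero-during-transit=11/0
ttl-zero-during-reassembly=11/1 parameter-problem=12 ip-header-bad=12/0
required-option-missing=12/1 timestamp-request=13 timestamp-reply=14
address-mask-request=17 address-mask-reply=18
""".split())

def resolve(spec):
    """Map a keyword or numeric 'type[/code]' to (type, code); None means any."""
    value = ICMP_TYPES.get(spec, spec)
    if value in ("any", "-"):
        return (None, None)
    icmp_type, _, code = value.partition("/")
    if not icmp_type.isdigit() or (code and not code.isdigit()):
        raise ValueError(f"unknown ICMP type/code {spec!r}")
    return (int(icmp_type), int(code) if code else None)

def audit(rules_text):
    """Return (lineno, action, type, code, note) for every icmp rule."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        cols = line.split("#", 1)[0].split()  # drop comments, split columns
        if len(cols) < 4 or cols[3].lower() != "icmp":
            continue
        spec = cols[4] if len(cols) > 4 else "any"
        try:
            icmp_type, code = resolve(spec)
            note = "matches every code" if code is None else "matches one code"
        except ValueError as exc:  # e.g. a misspelled keyword
            icmp_type, code, note = None, None, str(exc)
        findings.append((lineno, cols[0], icmp_type, code, note))
    return findings

# Constructed sample rules; the last line has a deliberately misspelled keyword.
SAMPLE_RULES = """\
#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT  fw  net icmp 12/1
ACCEPT  fw  net icmp required-option-missing
ACCEPT  net fw  icmp time-exceeded
DROP    net fw  icmp fragmentaton-needed
"""
```

Running `audit(SAMPLE_RULES)` shows that `12/1` and `required-option-missing` resolve to the same type/code, that the type-only keyword `time-exceeded` covers every code of type 11, and that the misspelled keyword is reported instead of being silently accepted.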