I'm testing my belt-and-suspenders shorewall configuration(s), and have run into a small issue.

I want my general policy to be "that which is not expressly permitted is forbidden", so my policy file is appropriately restrictive:

    net   all   DROP     info
    all   all   REJECT   info

My rules file then opens up specific protocols and ports for specific hosts in my DMZ. I have specific rules for incoming and outgoing packets.

I'd like my DMZ hosts to be able to use ICMP, but shorewall won't start when I have this:

    ACCEPT   dmz   net   icmp

The message I receive is:

    iptables v1.2.4: invalid ICMP type '-'

I can't use the following either:

    ACCEPT   dmz   net   icmp   0-255

Does this mean that I need to list all the ICMP types in a comma-separated list? Or am I better off changing my policy to allow all outgoing DMZ traffic, and then make rules to deny everything I don't want?

Thanks in advance for any suggestions.

Cheers,
Scott
> -----Original Message-----
> From: shorewall-users-admin@shorewall.net
> [mailto:shorewall-users-admin@shorewall.net] On Behalf Of Scott Merrill
> Sent: Thursday, February 21, 2002 7:07 AM
> To: shorewall-users@shorewall.net
> Subject: [Shorewall-users] Policies vs Rules: ICMP
>
> I'd like my DMZ hosts to be able to use ICMP, but shorewall won't
> start when I have this:
>
>     ACCEPT   dmz   net   icmp
>
> The message I receive is:
>
>     iptables v1.2.4: invalid ICMP type '-'

Two things:

a) That's a bug in the firewall script -- I've placed a corrected script in the 1.2.6 errata.

b) The firewall will already pass all icmp types given in icmp.def even if you have no rule. You may wish to consider copying that file to icmpdef and modifying that file to add any additional types that you feel you need. Usually, the only type that people add is 'echo-request'.

-Tom
--
Tom Eastep    \ Shorewall -- iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net
Tom Eastep wrote:
> > Scott Merrill
> > ...
> > I'd like my DMZ hosts to be able to use ICMP, but shorewall won't
> > start when I have this:
> >
> >     ACCEPT   dmz   net   icmp
> >
> > The message I receive is:
> >
> >     iptables v1.2.4: invalid ICMP type '-'
>
> Two things:
>
> a) That's a bug in the firewall script -- I've placed a corrected script
> in the 1.2.6 errata.

I've just built an RPM for shorewall 1.2.6 which includes this latest errata. If you are interested, you can find it at http://paulgear.webhop.net/linux/. (Be sure to read the notes on version numbering before using them.)

Paul
http://paulgear.webhop.net