C. Cau
2003-May-03 16:32 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
Hi,

I've decided to resume the use of the deprecated option 'noping' for an external interface, on Shorewall 1.4.2 (latest). [Yes, I know it's now deprecated, but for some reason I can't get the correct behavior (total invisibility to ping/scan attempts) from the standard rulesets with ICMP; 'noping' under Shorewall 1.3 worked better for me.]

So I turned on OLD_PING_HANDLING=Yes in shorewall.conf, and added 'noping' to my ppp0 interface; but when (re)starting, Shorewall issued a warning about an invalid option, 'noping' in fact. Further research into /usr/share/shorewall/firewall showed that the option 'noping' is no longer listed as a valid option for an interface.

Is it a glitch, or should we amend the 1.4 documentation (ping.html)?

Thanks,
Corrado
Tom Eastep
2003-May-03 20:43 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
On Sun, 4 May 2003 01:25:27 +0200, C. Cau <ccau@itsyn.it> wrote:

> Is it a glitch, or should we amend the 1.4 documentation (ping.html)?

It's your reading of ping.html -- after 1.4.0, ICMP echo-request is handled just like any other connection request. I guess to make that perfectly clear, I should make the second heading:

Shorewall Versions >= 1.3.14 and < 1.4.0 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
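To make "handled just like any other connection request" concrete, here is what the 1.4-style configuration looks like. This is an added illustration written for this page, not configuration posted by anyone in the thread or shipped by Shorewall; the zone names net/fw/loc, the policy entries and the rule lines are assumptions following the standard 1.4 file layout (ACTION SOURCE DEST PROTO DEST PORT(S) ...). For ICMP the DEST PORT(S) column carries the ICMP type, and type 8 is echo-request.

```text
# /etc/shorewall/policy (assumed excerpt, not from the thread)
#SOURCE   DEST   POLICY   LOG LEVEL
fw        net    ACCEPT
loc       net    ACCEPT
net       all    DROP     info
all       all    REJECT   info

# /etc/shorewall/rules (assumed excerpt, not from the thread)
#ACTION   SOURCE   DEST   PROTO   DEST PORT(S)   SOURCE PORT(S)
#
# Shorewall 1.4: an echo-request from zone 'net' to the firewall is an
# ordinary connection request. With the 'net all DROP' policy above it is
# already dropped silently, so no 'noping' option is needed; a rule is only
# required if you want to ACCEPT it:
#ACCEPT   net      fw     icmp    8
#
# Explicitly dropping echo-request from the Internet (while still answering
# the LAN, zone 'loc' assumed) has one practical effect beyond the policy:
# a rule without a log level is not logged, whereas packets that fall
# through to the 'DROP info' policy are. Rules match top to bottom.
ACCEPT    loc      fw     icmp    8
DROP      net      fw     icmp    8
```

After `shorewall restart`, check from an outside host while running `tcpdump -ni ppp0 icmp` on the firewall: the echo-request should arrive on ppp0 and no echo-reply should leave. Note that the TCP-based host discovery the later messages ask about never touches these ICMP rules; those probes are TCP packets and are answered (or not) according to the TCP rules and the net policy, and nmap can also be told to skip host discovery altogether (`-P0` in the nmap of that era, `-Pn` today), so filtering echo-request alone does not make a host invisible to a scanner.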
C. Cau
2003-May-04 02:41 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
touché :-)

Actually, being the picky guy I am, I think the misleading sentence is:

Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf

OK, so I guess it's time for me to learn to cope with the normal rules for ICMP handling...

BTW, I'm wondering what type of 'ping' is actually being used by nmap for stating that a host is up; they call it 'tcp ping', and it seems to involve port 1/tcp instead of ICMP. Any suggestions? My goal would be to achieve total invisibility against this sort of thing.

Thanks,
Corrado

On Sun May 4 2003 05:43, Tom Eastep wrote:
> On Sun, 4 May 2003 01:25:27 +0200, C. Cau <ccau@itsyn.it> wrote:
> > Is it a glitch, or should we amend the 1.4 documentation (ping.html)?
>
> It's your reading of ping.html -- after 1.4.0, ICMP echo-request is handled
> just like any other connection request. I guess to make that perfectly
> clear, I should make the second heading:
>
> Shorewall Versions >= 1.3.14 and < 1.4.0 with OLD_PING_HANDLING=No in
> /etc/shorewall/shorewall.conf
>
> -Tom
Ed Greshko
2003-May-04 06:04 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
On Sun, 2003-05-04 at 17:33, C. Cau wrote:
> btw, I'm wondering what type of 'ping' is actually being used by nmap for
> stating that a host is up; they call it 'tcp ping', and it seems to involve
> port 1/tcp instead of icmp. Any suggestions?

If you have nmap installed you should do "man nmap". The answer to your question is in the -PX options.

Ed
Tom Eastep
2003-May-04 07:13 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
On Sun, 4 May 2003 11:33:31 +0200, C. Cau <ccau@itsyn.it> wrote:

> touché :-)
>
> actually, being the picky guy I am, I think the misleading sentence is:
>
> Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in
> /etc/shorewall/shorewall.conf

And which version is your shorewall.conf file? There is no text like that in my shorewall.conf.

> OK, so I guess it's time for me to learn to cope with the normal rules
> for ICMP handling...
>
> btw, I'm wondering what type of 'ping' is actually being used by nmap for
> stating that a host is up; they call it 'tcp ping', and it seems to
> involve port 1/tcp instead of icmp. Any suggestions?

Watch with tcpdump while you start 'nmap'.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
Tom Eastep
2003-May-04 07:16 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
On Sun, 04 May 2003 07:13:13 -0700, Tom Eastep <teastep@shorewall.net> wrote:

> On Sun, 4 May 2003 11:33:31 +0200, C. Cau <ccau@itsyn.it> wrote:
>
>> touché :-)
>>
>> actually, being the picky guy I am, I think the misleading sentence is:
>>

Duh -- I misread what you wrote -- please ignore my ramblings... :-)

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net
C. Cau
2003-May-04 09:11 UTC
[Shorewall-users] Shorewall 1.4.2 - 'noping' interface option gone?
Nope, in turn I was quoting ping.html (third paragraph). Nothing to do with shorewall.conf itself.

Corrado

On Sun May 4 2003 16:13, Tom Eastep wrote:
> And which version is your shorewall.conf file? There is no text like that
> in my shorewall.conf.