G'day one and all,

Does shorewall support filtering based on packet size e.g. icmp echo request size 92 bytes? I want to block some of this worm generated ICMP traffic and let other icmp traffic through.

Regards,
Stephen Eaton

--- Stephen Eaton <seaton@gateway.net.au> wrote:
> G'day one and all,
>
> Does shorewall support filtering based on packet size e.g. icmp echo
> request size 92 bytes? I want to block some of this worm generated
> ICMP traffic and let other icmp traffic through.

Now if iptables allows you to do this then I would be very impressed. I'm no iptables guru by any stretch of the imagination and await a guru's response to this question above.

JBanks

Iptables does allow you to do filtering based on packet size but Shorewall doesn't support it. However you can add your own iptables entry to /etc/shorewall/common. The required iptables entry to drop icmp echo packets of 92 bytes would be:

    run_iptables -A common -p icmp -m icmp --icmp-type 8 -m length --length 92 -j DROP
    . /etc/shorewall/common.def

The second line is required as per Tom's instructions in /etc/shorewall/common.def.

Steven.

On Thursday 11 September 2003 15:22, Joshua Banks wrote:
> --- Stephen Eaton <seaton@gateway.net.au> wrote:
> > G'day one and all,
> >
> > Does shorewall support filtering based on packet size e.g. icmp echo
> > request size 92 bytes? I want to block some of this worm generated
> > ICMP traffic and let other icmp traffic through.
>
> Now if iptables allows you to do this then I would be very impressed. I'm
> no iptables guru by any stretch of the imagination and await a guru's
> response to this question above.
>
> JBanks
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe:
> http://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

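Added example (not part of the thread and not Shorewall code): a Python mirror of the match conditions in the rule above, run over constructed packets, to show which echo requests the rule would drop. It assumes the iptables `length` match compares the IPv4 total-length field (IP header included), so 92 bytes corresponds to a 64-byte ICMP payload; the function names and addresses are hypothetical.

```python
import struct

def build_ipv4_icmp(icmp_type, payload_len, src="192.0.2.10", dst="192.0.2.1"):
    """Constructed IPv4 + ICMP packet. Checksums are left at 0 (not inspected here)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0x1234, 1) + b"\x00" * payload_len
    total_len = 20 + len(icmp)  # 20-byte IP header, no options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return ip + icmp

def rule_matches(packet, icmp_type=8, length=92):
    """Mirror of: -p icmp -m icmp --icmp-type 8 -m length --length 92"""
    if len(packet) < 20:
        return False
    ver_ihl, _tos, total_len, _id, frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4 or proto != 1:      # IPv4 carrying ICMP only
        return False
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) <= ihl:
        return False
    if frag & 0x1FFF:                         # later fragments carry no ICMP header
        return False
    # Assumption: the length match tests the IP total length, not the ICMP payload.
    return packet[ihl] == icmp_type and total_len == length

# Constructed samples: (label, ICMP type, payload bytes)
SAMPLES = [
    ("echo request, 64-byte payload", 8, 64),   # 20 + 8 + 64 = 92
    ("echo request, 56-byte payload", 8, 56),   # 84 bytes total
    ("echo request, 32-byte payload", 8, 32),   # 60 bytes total
    ("echo reply, 64-byte payload", 0, 64),     # 92 bytes but type 0
]

def classify():
    """Return (label, total length, verdict) for each constructed sample."""
    out = []
    for label, icmp_type, payload_len in SAMPLES:
        pkt = build_ipv4_icmp(icmp_type, payload_len)
        out.append((label, len(pkt), "DROP" if rule_matches(pkt) else "continue"))
    return out

if __name__ == "__main__":
    for label, size, verdict in classify():
        print(f"{label:32} {size:3} bytes -> {verdict}")
```

Only the first sample is dropped; echo requests of other sizes and the 92-byte echo reply fall through to the rest of the common chain.
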
On Thu, 11 Sep 2003, Stephen Eaton wrote:
> G'day one and all,
>
> Does shorewall support filtering based on packet size e.g. icmp echo
> request size 92 bytes?

No.

-Tom
--
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net