I want to drop ICMP traffic but without logging it. I have looked at the FAQ on ping and understand that I can just set up a rule to do so. Is there an already existing rule for ping somewhere in the configuration I should modify, or, by placing a new ping rule in my 'rules' file, will it override the default behavior of logging the drop?

Thanks,
Mike
Hello,

> I want to drop ICMP traffic but without logging it. I have looked at
> the FAQ on ping and understand that I can just set up a rule to do so.
> Is there an already existing rule for ping somewhere in the
> configuration I should modify or by placing a new ping rule in my
> 'rules' it will override the default behavior of logging

DROP net fw icmp

Francesca
On Mon, 2003-12-15 at 11:18, Francesca C. Smith wrote:
> Hello,
>
> > I want to drop ICMP traffic but without logging it. I have looked at
> > the FAQ on ping and understand that I can just set up a rule to do so.
> > Is there an already existing rule for ping somewhere in the
> > configuration I should modify or by placing a new ping rule in my
> > 'rules' it will override the default behavior of logging
>
> DROP net fw icmp
>
> Francesca

Not sure if you forgot the '8' part or not. What I use is:

DROP net $FW icmp 8

Which drops the echo-requests. You don't want to drop all icmp or you will lose the helpful stuff like host/port unreachable, etc.

Additionally, if you want internal hosts to be able to ping the firewall, just add

ACCEPT loc $FW icmp 8
Hello,

ICMP echo has taken on a whole new irritating life in the days since Blaster .. It's not just 8 anymore .. But yes .. I do get your point ..

Francesca

On Mon, 2003-12-15 at 12:39, David T Hollis wrote:
> On Mon, 2003-12-15 at 11:18, Francesca C. Smith wrote:
> > Hello,
> >
> > > I want to drop ICMP traffic but without logging it. I have looked at
> > > the FAQ on ping and understand that I can just set up a rule to do so.
> > > Is there an already existing rule for ping somewhere in the
> > > configuration I should modify or by placing a new ping rule in my
> > > 'rules' it will override the default behavior of logging
> >
> > DROP net fw icmp
> >
> > Francesca
>
> Not sure if you forgot the '8' part or not. What I use is:
>
> DROP net $FW icmp 8
>
> Which drops the echo-requests. You don't want to drop all icmp or you
> will lose the helpful stuff like host/port unreachable, etc.
>
> Additionally, if you want internal hosts to be able to ping the
> firewall, just add
>
> ACCEPT loc $FW icmp 8
On Monday 15 December 2003 09:55 am, Francesca C. Smith wrote:
> Hello,
>
> ICMP echo has taken on a whole new Irritating life in the days since
> blaster .. Its not just 8 anymore .. But yes .. I do get your point ..

Actually, you can probably drop all ICMP in a rule and not hurt anything -- any ICMP packets that are important are handled via an ACCEPT ESTABLISHED,RELATED rule prior to any rules generated by /etc/shorewall/rules. As mentioned on the list recently though, I use this rule which I recommend placing before any blanket ICMP drop:

ACCEPT fw net icmp

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ teastep@shorewall.net
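The thread turns on evaluation order: conntrack's ESTABLISHED,RELATED accept runs first, then the rules file in order, and only traffic that falls through to a zone policy gets logged. The script below is an added example, not code from the thread or from Shorewall itself: a small offline model of that order, fed with the three rules posted above, so one can check which ICMP packets are dropped silently, which are dropped and logged by policy, and why a RELATED "destination unreachable" survives even a blanket ICMP drop. It assumes the firewall zone is named fw (what $FW expands to), that a constructed policy table drops net traffic at log level info, and that the DEST PORT column carries the ICMP type for icmp rules.

```python
# Added example (not from the thread or Shorewall): a model of the order in
# which Shorewall consults conntrack state, /etc/shorewall/rules and the zone
# policies, used to check the logging outcome of the ICMP rules discussed.
from dataclasses import dataclass
from typing import Optional

# Constructed /etc/shorewall/rules fragment combining the rules from the thread.
RULES_TEXT = """
#ACTION  SOURCE  DEST  PROTO  DEST PORT(S)
ACCEPT   loc     $FW   icmp   8
ACCEPT   fw      net   icmp
DROP     net     $FW   icmp   8
"""

# Constructed policy table (assumption): (source, dest) -> (action, log level).
# "info" means the policy logs what it drops; None means it is silent.
POLICIES = {
    ("loc", "fw"):  ("ACCEPT", None),
    ("fw", "net"):  ("ACCEPT", None),
    ("net", "all"): ("DROP", "info"),
}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    icmp_type: Optional[int] = None
    ctstate: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


def parse_rules(text: str):
    """Parse the ACTION SOURCE DEST PROTO [DEST PORT] columns of a rules file."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        action, src, dst = cols[0], cols[1], cols[2]
        proto = cols[3] if len(cols) > 3 else None
        port = cols[4] if len(cols) > 4 else None
        # $FW is the variable Shorewall expands to the firewall zone name (assumed "fw").
        rules.append((action, src.replace("$FW", "fw"), dst.replace("$FW", "fw"), proto, port))
    return rules


def evaluate(pkt: Packet, rules, policies):
    """Return (verdict, logged, reason) for one packet."""
    # 1. Reply/related traffic is accepted before the rules file is consulted,
    #    which is why a blanket ICMP drop does not lose "port unreachable" etc.
    if pkt.ctstate in ("ESTABLISHED", "RELATED"):
        return "ACCEPT", False, "ESTABLISHED,RELATED"
    # 2. First matching rule in file order wins; these rules do not log.
    for action, src, dst, proto, port in rules:
        if (src, dst) != (pkt.src_zone, pkt.dst_zone):
            continue
        if proto is not None and proto != pkt.proto:
            continue
        # For icmp the DEST PORT column carries the ICMP type (8 = echo request).
        if port is not None and (pkt.icmp_type is None or int(port) != pkt.icmp_type):
            continue
        return action, False, f"rule: {action} {src} {dst} {proto or '-'} {port or '-'}"
    # 3. Nothing matched: the zone policy applies and logs if it has a log level.
    for key in ((pkt.src_zone, pkt.dst_zone), (pkt.src_zone, "all"),
                ("all", pkt.dst_zone), ("all", "all")):
        if key in policies:
            action, log_level = policies[key]
            return action, log_level is not None, f"policy {key[0]}->{key[1]}"
    return "DROP", True, "no policy matched"


RULES = parse_rules(RULES_TEXT)


def verdict(src, dst, proto, icmp_type=None, ctstate="NEW"):
    """Evaluate one constructed packet against the sample rules and policies."""
    return evaluate(Packet(src, dst, proto, icmp_type, ctstate), RULES, POLICIES)


if __name__ == "__main__":
    cases = [
        ("net", "fw", "icmp", 8),             # echo request from the Internet
        ("net", "fw", "icmp", 3),             # unsolicited destination unreachable
        ("net", "fw", "icmp", 3, "RELATED"),  # unreachable for the firewall's own connection
        ("net", "fw", "tcp"),                 # unrelated TCP probe
        ("loc", "fw", "icmp", 8),             # ping from the LAN
        ("fw", "net", "icmp", 8),             # firewall pinging out
    ]
    for c in cases:
        print(c, "->", verdict(*c))
```

Running it shows the distinction Mike was after: an Internet echo request hits the explicit DROP rule and is never logged, while an unrelated ICMP type 3 or a TCP probe falls through to the net policy and is dropped with a log entry; the same type 3 arriving as RELATED is accepted before the rules file is even read.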