Firewall rule to allow a certain network ping responses

Alexander Dalloz ad+lists at uni-x.org
Tue Jul 5 07:21:25 UTC 2005


On Tue, 05.07.2005 at 7:15, Eric Wagar wrote:

> What rule do I need to allow a certain network PING responses?  This is 
> for my ISPs monitoring.  Is it an INPUT or an OUTPUT?

> eric

INPUT: ICMP Echo Request
OUTPUT: ICMP Echo Reply

This is if a remote host shall be able to ping you successfully.

http://www.erg.abdn.ac.uk/users/gorry/course/inet-pages/icmp-code.html
http://www.networksorcery.com/enp/protocol/icmp/msg8.htm
http://www.networksorcery.com/enp/protocol/icmp/msg0.htm

Example rules:

-A INPUT -i ppp0 -s 1.2.3.4/32 -p icmp -m limit --limit 2/sec -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -o ppp0 -d 1.2.3.4/32 -p icmp -m limit --limit 2/sec -m icmp --icmp-type 0 -j ACCEPT

If you want to be able to ping yourself, a reverse ordered rule must
exist.

*Warning* Do NOT block ICMP if you don't know for sure which types you
block and what they are for! ICMP isn't a protocol you can simply cut
off without losing network reliability!
You shoot yourself in the foot if you generally prohibit ICMP!

Alexander


-- 
Alexander Dalloz | Enger, Germany | GPG http://pgp.mit.edu 0xB366A773
legal statement: http://www.uni-x.org/legal.html
Fedora Core 2 GNU/Linux on Athlon with kernel 2.6.11-1.35_FC2smp 
Serendipity 09:10:49 up 9 days, 16:02, load average: 0.82, 0.47, 0.24 
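The rule pairs described in the reply above, as an added example that is not part of the original mail: a small POSIX sh script that emits the inbound ping pair (echo request in, echo reply out), the reverse ordered pair so the host can ping the monitoring network itself, and the ICMP types that should stay open even on a restrictive firewall, all in iptables-restore format. The interface name ppp0, the network 1.2.3.4/32 and the 2/sec limit are sample values taken from the mail; the function names and the file name ping_rules.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original mail): build the iptables rules that let
# a monitoring network ping this host, the reverse pair so this host can ping
# out, and the ICMP types that should stay open even on a restrictive firewall.
# Interface "ppp0", the network 1.2.3.4/32 and the 2/sec limit are sample values.

# Rules so hosts in NET can ping us via IFACE: accept echo request (type 8) in,
# echo reply (type 0) out. The limit match keeps a ping flood from tying up
# the host while still letting a monitoring poll through.
allow_inbound_ping() {
    iface=$1 net=$2 rate=${3:-2/sec}
    printf '%s\n' \
      "-A INPUT -i $iface -s $net -p icmp -m limit --limit $rate -m icmp --icmp-type 8 -j ACCEPT" \
      "-A OUTPUT -o $iface -d $net -p icmp -m limit --limit $rate -m icmp --icmp-type 0 -j ACCEPT"
}

# Reverse ordered pair so we can ping NET ourselves: echo request out, reply in.
allow_outbound_ping() {
    iface=$1 net=$2
    printf '%s\n' \
      "-A OUTPUT -o $iface -d $net -p icmp -m icmp --icmp-type 8 -j ACCEPT" \
      "-A INPUT -i $iface -s $net -p icmp -m icmp --icmp-type 0 -j ACCEPT"
}

# ICMP messages the stack needs for reliability even when pings are unwanted:
# type 3 (destination unreachable, including code 4 "fragmentation needed",
# which path MTU discovery relies on) and type 11 (time exceeded, used by
# traceroute). Dropping these is the classic way to break connectivity
# without noticing why.
allow_essential_icmp() {
    iface=$1
    printf '%s\n' \
      "-A INPUT -i $iface -p icmp -m icmp --icmp-type 3 -j ACCEPT" \
      "-A INPUT -i $iface -p icmp -m icmp --icmp-type 11 -j ACCEPT"
}

# Wrap everything in iptables-restore format: filter table, default DROP on
# INPUT so only the listed ICMP gets in, OUTPUT left open as in the mail.
render_restore() {
    iface=$1 net=$2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    allow_essential_icmp "$iface"
    allow_inbound_ping "$iface" "$net"
    allow_outbound_ping "$iface" "$net"
    printf '%s\n' 'COMMIT'
}

# Usage: sh ping_rules.sh ppp0 1.2.3.4/32 | sudo iptables-restore -n
# (-n / --noflush adds to the running ruleset instead of replacing it).
# With no arguments nothing is printed, so the functions can be sourced.
if [ "$#" -ge 1 ]; then
    render_restore "$1" "${2:-1.2.3.4/32}"
fi
```

Piping the output through iptables-restore -n keeps whatever rules already exist; drop the -n only if the generated file is meant to be the complete ruleset, since the *filter header then replaces the running table.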