On 3/5/11 4:18 AM, Evi1M4chine wrote:
> Hello,
>
> I see that giving multiple ICMP types in rules.conf is now blocked,
> despite giving multiple ports still being allowed. What's the reason for
> this inconsistency?
Netfilter supports multiple ports in a single rule -- it does not
support multiple ICMP types. Shorewall-shell had a hack that allowed
multiple ICMP types but it resulted in horrible code structure. I did
not want that bad structure in Shorewall-perl.
> I have a variable $GOOD_ICMP_TYPES, with a list of good ones, and still
> need to allow them in Shorewall. So what am I supposed to do instead?
> There is no explanation or reasoning given.
If you are so attached to your shell variable that you can't bear to
part with it, replace:
ACCEPT z1 z2 icmp $GOOD_ICMP_TYPES
with:
BEGIN SHELL
for type in $GOOD_ICMP_TYPES; do
echo "ACCEPT z1 z2 icmp $type"
done
END SHELL
That's basically what Shorewall-shell did for you.
>
> Also, please, in the future, at least tell us, what to do instead.
It is really very obvious -- use multiple rules with one type per rule.
I have now documented that in the shorewall-rules and shorewall6-rules
manpages as well as the "Migrating to Shorewall 4.4" document.
BUT.... there is really no reason to have explicit rules for 'Good'
ICMPs; Shorewall automatically allows necessary ICMP types through, even
if they are against the relevant policy.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
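The BEGIN SHELL ... END SHELL loop in the reply generates one rule line per ICMP type at compile time. The following is an added example, not code from the Shorewall project or from the thread's participants, that does the same expansion as a small POSIX sh script and also flags a rule whose ICMP type column still carries a comma-separated list (the form the compiler now rejects). The type names in GOOD_ICMP_TYPES and the zone names z1/z2 are constructed sample values; the column layout (ACTION SOURCE DEST PROTO TYPE) mirrors the rule shown in the reply.

```sh
#!/bin/sh
# Added example (not Shorewall's own code): expand a multi-type ICMP rule
# into one rule per type, the way the BEGIN SHELL loop in the reply does,
# and detect rule lines that still use the rejected comma-separated form.

# Constructed sample list of ICMP types to allow; names are illustrative.
GOOD_ICMP_TYPES="echo-request echo-reply destination-unreachable time-exceeded"

# expand_icmp_rules ACTION SOURCE DEST "TYPE1 TYPE2 ..."
# Prints one rule line per whitespace-separated ICMP type.
expand_icmp_rules() {
    action=$1; src=$2; dst=$3; types=$4
    for type in $types; do
        printf '%s %s %s icmp %s\n' "$action" "$src" "$dst" "$type"
    done
}

# count_icmp_rules ACTION SOURCE DEST "TYPES": number of rules produced.
count_icmp_rules() {
    expand_icmp_rules "$@" | wc -l | tr -d ' '
}

# has_multiple_icmp_types "RULE LINE": exit status 0 when the line is an
# icmp rule whose type column (5th field) holds a comma-separated list,
# i.e. the form that one-type-per-rule compilation does not accept.
has_multiple_icmp_types() {
    set -- $1
    [ "$4" = "icmp" ] && case "$5" in *,*) return 0 ;; esac
    return 1
}

# check_rules_text "MULTILINE TEXT": prints each offending line, returns
# the count of offending lines (0 means the text is clean).
check_rules_text() {
    bad=0
    printf '%s\n' "$1" | while IFS= read -r line; do
        if has_multiple_icmp_types "$line"; then
            printf 'multi-type icmp rule: %s\n' "$line"
        fi
    done
    printf '%s\n' "$1" | while IFS= read -r line; do
        has_multiple_icmp_types "$line" && echo x
    done | wc -l | tr -d ' '
}

# Stand-alone usage: print the expanded rules for the sample list.
expand_icmp_rules ACCEPT z1 z2 "$GOOD_ICMP_TYPES"
```

Running the script prints four ACCEPT lines, one per type. Feeding the expanded output to check_rules_text reports 0 offending lines, whereas a line such as "ACCEPT z1 z2 icmp 8,0" is reported, which is a cheap pre-compile check for an old-style rules file.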
_______________________________________________ Shorewall-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/shorewall-users
