# Shorewall - DROP ICMP pings

## A.S. Pushkin

I've upgraded shorewall and have run into a problem.

I'm unsure how others consider it, but I often visit www.grc.com to test my firewall.

I usually pass, but now I am unable to pass the ping test. I've searched for configurations, but have been unsuccessful correcting this.

TIA

----------

## NeddySeagoon

A.S. Pushkin,

I have a policy of DROP everywhere, so everything going anywhere is thrown away unless it's explicitly permitted, or DENYed if I want to be friendly and log the packet.

This stops the nasties phoning home if they do get in. It's more trouble to set up but to me, it's worth the extra security.

My rule

```
# fw accepts from the internet - its anti social to drop ping

ACCEPT          any             any                     icmp    echo-request
```

allows pings.

Change the ACCEPT to DROP to throw away pings.

----------

## A.S. Pushkin

Thanks NeddySeagoon. I have tried your suggestion and the problem persists.

Until recent upgrades to shorewall this problem did not occur. I know many do not like the shieldsup test at grc.com but it allows me some test. My box passes the Solicited TCP Packets and Unsolicited Packets, but not ping reply.

I must confess this is an area I'm weak in and I'm perplexed as to how to fix it. I'm wondering if I should pursue another firewall application.

Thanks

----------

## NeddySeagoon

A.S. Pushkin,

Pings are not a threat. You may want them yourself one day.

If you care to share your /etc/shorewall/policy and /etc/shorewall/rules files, I'll look them over.

I use both shorewall and shorewall6. They are not firewall applications, they write iptables rules and iptables provides the firewall.

Think of shorewall as a rules compiler for iptables.

----------
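Since Shorewall compiles `/etc/shorewall/rules` into iptables rules in file order, the first rule that matches an echo-request decides it, and a DROP placed below a matching ACCEPT never fires. The following Python check is an added example, not code from the thread or from the Shorewall project; it assumes the ACTION SOURCE DEST PROTO DPORT column layout, a firewall zone named `fw`, and a constructed sample rules file, and it models only the `Ping` macro.

```python
import re

PING_TYPES = {"8", "echo-request"}   # ICMP type as written in the DPORT column
WILDCARDS = {"all", "any"}           # simplification: both treated as "every zone"

# Constructed sample rules file, not taken from the thread.
SAMPLE_RULES = """\
?SECTION NEW
SSH(ACCEPT)     net     $FW
ACCEPT          any     any     icmp    echo-request
DROP            net     $FW     icmp    echo-request
"""

def zone_matches(column, zone):
    """True if a SOURCE/DEST column covers the zone (host qualifiers ignored)."""
    name = column.split(":", 1)[0]
    if name == "$FW":
        name = "fw"                  # assumption: firewall zone is named "fw"
    return name in WILDCARDS or name == zone

def ping_verdict(rules_text, src="net", dst="fw"):
    """Return (action, line_number) of the first rule that matches an
    echo-request from src to dst, or (None, None) if the policy file decides."""
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        cols = raw.split("#", 1)[0].split()
        if len(cols) < 3 or cols[0].upper().lstrip("?") == "SECTION":
            continue
        action = cols[0].split(":", 1)[0]          # drop a log level such as :info
        if not (zone_matches(cols[1], src) and zone_matches(cols[2], dst)):
            continue
        macro = re.fullmatch(r"Ping(?:\((\w+)\)|/(\w+))", action)
        if macro:                                   # Ping(DROP) or Ping/DROP
            return macro.group(1) or macro.group(2), lineno
        if "(" in action or "/" in action:
            continue                                # other macros are not modelled
        proto = cols[3].lower() if len(cols) > 3 else "all"
        types = cols[4].lower().split(",") if len(cols) > 4 else ["-"]
        if proto in ("all", "-") or (
            proto in ("icmp", "1") and (types == ["-"] or PING_TYPES & set(types))
        ):
            return action, lineno
    return None, None

if __name__ == "__main__":
    print(ping_verdict(SAMPLE_RULES))
```

When the function returns `(None, None)`, no rule matched and the verdict comes from `/etc/shorewall/policy` instead.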

