Since the last Shorewall update (on hardened it went from 3.x straight to 4.4.15.1), suddenly I can’t add rules with a list of ICMP types. There is no other information given than the error message in the summary. The documentation (http://www.shorewall.net/manpages/shorewall-rules.html under DEST PORT(S)) states that lists are allowed. So I guess this is a bug. Even if not, it should at least state somewhere what to do, or why not to do it. This way I’m stuck.

Reproducible: Always

Steps to Reproduce:
1. Make sure =net-firewall/shorewall-4.4.15.1 is installed.
2. Add the following line to /etc/shorewall/rules under the SECTION NEW:
   ACCEPT all all icmp $NICE_ICMP_TYPES -
3. Add the following line to /etc/shorewall/params:
   NICE_ICMP_TYPES="0,3,4,5,8,11,12,13,14"
   (or anything with more than one item)
4. /etc/init.d/shorewall restart

Actual Results:
 * Restarting firewall ...
ERROR: Multiple ICMP types are not permitted : /etc/shorewall/rules (line 19)
 [ !! ]

Expected Results:
 * Restarting firewall ... [ ok ]

(I doubt “emerge --info” or other information is required here. If it is, please tell me, and I will add it.)
Hi Navid, I looked at your problem. I think you misunderstood the documentation or the documentation is wrong. The functionality of multiple icmp-types is no longer present in shorewall. It was removed around version 3.9. I'm sorry if you had problems, but the old stable was really old and I was not able to add all changes to the emerge output. I just recently adopted this package and was not aware that the multi-icmp-functionality existed in 3.4 and was dropped.
Ah, OK, thank you. :) Sounds like a really pointless change though. So could you point me to where I can find out the reasons it was changed? (I could not find some kind of changelog containing anything related to it. I also could not find an IRC channel to ask them.) Those have to be pretty good to justify it. After all, you can do it for ports, so why not for ICMP types?
The information I have is http://www.mail-archive.com/shorewall-users@lists.sourceforge.net/msg01734.html I looked at the code, the patch was integrated in the code-base. There is also an IRC channel on freenode #shorewall :).
Looks like they simply were lazy, and instead of implementing it properly (making one rules.conf ICMP rule into multiple iptables rules… or even better: fixing iptables!), they just disabled it. Oh well, I asked in their dead IRC channel, and on their mailing list, and will wait for an answer.
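The expansion described in the previous comment (one rules-file ICMP entry with a type list into one rule per type), written as a shell/awk pre-processing step for the rules file from the original report. This is an added example, not Shorewall's own code or the reporter's; it assumes the six-column layout from shorewall-rules(5) (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S)), that the list is written out literally rather than through a $PARAM from /etc/shorewall/params, and that a single ICMP type per rule is accepted by the 4.4.15.1 compiler as the error message implies.

```shell
#!/bin/sh
# Workaround for "ERROR: Multiple ICMP types are not permitted": rewrite
# each icmp rule whose DEST PORT(S) column (column 5) holds a comma-separated
# type list into one rule per type. All other lines pass through unchanged.
# Reads a rules file on stdin, writes the expanded file on stdout.
expand_icmp_rules() {
    awk '
        # Comments, blank lines and SECTION markers are copied as-is.
        /^[[:space:]]*(#|$)/ || $1 == "SECTION" { print; next }
        # Only icmp rules with a list in column 5 need expanding.
        tolower($4) == "icmp" && $5 ~ /,/ {
            n = split($5, types, ",")
            for (i = 1; i <= n; i++) {
                $5 = types[i]   # reassigning a field rebuilds the line
                print
            }
            next
        }
        { print }
    '
}

# Constructed sample input mirroring the rule from the bug report, with the
# $NICE_ICMP_TYPES list written out literally; tcp port lists are untouched.
sample_rules() {
    printf '%s\n' \
        'SECTION NEW' \
        '# allow a few harmless ICMP types' \
        'ACCEPT all all icmp 0,3,4,5,8,11,12,13,14 -' \
        'ACCEPT net fw tcp 22,80'
}

# Usage on a real system (as root, review the output before using it):
#   expand_icmp_rules < /etc/shorewall/rules > /etc/shorewall/rules.expanded
sample_rules | expand_icmp_rules
```

Column alignment is collapsed to single spaces by awk when it rebuilds a line; Shorewall only needs whitespace between columns, so the result still parses.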
Seems like this functionality will return in the 4.4.19 release of shorewall, see: http://www1.shorewall.net/pub/shorewall/development/4.4/shorewall-4.4.19-RC1/releasenotes.txt