===================================================================
RCS file: /home/cvsd/home/cvs/scripts/shell/firewall/fw-universal.sh,v
retrieving revision 2.6
retrieving revision 2.7
diff -u -p -r2.6 -r2.7
--- scripts/shell/firewall/fw-universal.sh 2005/01/02 02:37:12 2.6
+++ scripts/shell/firewall/fw-universal.sh 2005/01/02 13:31:46 2.7
@@ -9,7 +9,7 @@
 # Licensed under terms of GNU General Public License.
 # All rights reserved.
 #
-# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.5 2005/01/02 01:49:01 rajo Exp $
+# $Platon: scripts/shell/firewall/fw-universal.sh,v 2.6 2005/01/02 02:37:12 rajo Exp $
 #
 # Changelog:
 # 2004-11-14 - created
@@ -276,7 +276,7 @@ mangle_output()
 masquerade() { # {{{
 if [ ! -z "$NAT_LAN_IFACE" ]; then
- echo -en "Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE"
+ echo -en "NAT: Masquerading local subnet: $NAT_SUBNET_IFACE --> $NAT_LAN_IFACE"
 ip="IP_$NAT_SUBNET_IFACE"; netmask="Mask_$NAT_SUBNET_IFACE"
@@ -297,6 +297,8 @@ masquerade()
 $IPTABLES -t nat -A POSTROUTING -s $localnet -o $NAT_LAN_IFACE -j MASQUERADE
+ echo " done."
+
 # don't forward Miscrosoft protocols - NOT RFC compliant packets
 if [ ! -z "$NAT_FORWARD_MICROSOFT" ]; then
 if [ "x$NAT_FORWARD_MICROSOFT" = "xno" ]; then
@@ -310,7 +312,7 @@ masquerade()
 fi
 if [ ! -z "$NAT_FORWARD_TCP_PORTS" ]; then
- echo -en "Accepting FORWARD TCP ports:"
+ echo -en "\tAccepting FORWARD TCP ports:"
 for port in $NAT_FORWARD_TCP_PORTS; do
 echo -en " $port"
 $IPTABLES -A FORWARD -p TCP --dport $port -m state --state NEW -j ACCEPT
@@ -319,7 +321,7 @@ masquerade()
 fi
 if [ ! -z "$NAT_FORWARD_UDP_PORTS" ]; then
- echo -en "Accepting FORWARD UDP ports:"
+ echo -en "\tAccepting FORWARD UDP ports:"
 for port in $NAT_FORWARD_UDP_PORTS; do
 echo -en " $port"
 $IPTABLES -A FORWARD -p UDP --dport $port -m state --state NEW -j ACCEPT
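Review bot: The `\t` added to `echo -en "\tAccepting FORWARD TCP ports:"` (and the same edit in the UDP hunk at @@ -319 and the ICMP hunk at @@ -327) only becomes a tab when the shell's `echo` honours `-e`; under a non-bash `/bin/sh` the `-en` is printed literally and the escape stays as two characters. The shebang is outside this diff, so this may already be guaranteed by the interpreter in use; where it is not, `printf '\tAccepting FORWARD TCP ports:'` produces the same output portably. The body of masquerade() starts and ends outside this hunk.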
@@ -327,13 +329,18 @@ masquerade()
 echo " done."
 fi
+ echo -en "\tAccepting ICMP packets:"
+ for type in $ACCEPT_ICMP_PACKETS; do
+ echo -en " $type"
+ $IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT
+ done
+ echo " done."
+
 # Keep state of connections from private subnets
 $IPTABLES -A OUTPUT -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
 #$IPTABLES -A FORWARD -m state --state NEW -o $NAT_LAN_IFACE -j ACCEPT
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
- echo " done."
-
 fi
 } # }}}
@@ -463,7 +470,7 @@ allow_icmp()
 $IPTABLES -A INPUT -p TCP --dport 113 -j REJECT --reject-with tcp-reset #AUTH server
 # accept only allowed ICMP packets
- for type in echo-reply destination-unreachable echo-request time-exceeded; do
+ for type in $ACCEPT_ICMP_PACKETS; do
 echo -en " $type"
 for iface in $INTERFACES; do
 ip="IP_$iface";
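Review bot: The new rule `$IPTABLES -A FORWARD -p ICMP --icmp-type $type -j ACCEPT` carries no interface or state match, so it accepts the listed ICMP types for forwarding in either direction, whereas the neighbouring rules admit new traffic only with `-o $NAT_LAN_IFACE` and leave replies to the ESTABLISHED,RELATED rule. Whether forwarded ICMP can actually reach hosts behind the masqueraded subnet depends on routing that is not visible here, but if only outbound ICMP from the private subnet is intended, `$IPTABLES -A FORWARD -p ICMP --icmp-type $type -o $NAT_LAN_IFACE -j ACCEPT` keeps the rule as narrow as the OUTPUT rule below it. A comment such as `# ICMP types the masqueraded subnet may send out; replies come back via ESTABLISHED,RELATED` above the loop would record the intended direction. masquerade() begins before this hunk.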
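Review bot: Replacing the literal list with `for type in $ACCEPT_ICMP_PACKETS; do` removes the previous built-in default, so a configuration written before this change leaves the variable unset, the loop runs zero times, and echo-reply, destination-unreachable, echo-request and time-exceeded are no longer accepted in INPUT (the new FORWARD loop at @@ -327 is empty in the same case). Preserving the old behaviour for existing configs takes one line before the loop, or wherever the config is sourced: `: "${ACCEPT_ICMP_PACKETS:=echo-reply destination-unreachable echo-request time-exceeded}"`. allow_icmp() starts and ends outside this hunk.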