From: Scott M. <sme...@fi...> - 2002-02-21 15:08:22
I'm testing my belt-and-suspenders shorewall configuration(s), and have run into a small issue. I want my general policy to be "that which is not expressly permitted is forbidden", so my policy file is appropriately restrictive:

    net    all    DROP      info
    all    all    REJECT    info

My rules file then opens up specific protocols and ports for specific hosts in my DMZ. I have specific rules for incoming and outgoing packets. I'd like my DMZ hosts to be able to use ICMP, but shorewall won't start when I have this:

    ACCEPT    dmz    net    icmp

The message I receive is:

    iptables v1.2.4: invalid ICMP type '-'

I can't use the following either:

    ACCEPT    dmz    net    icmp    0-255

Does this mean that I need to list all the ICMP types in a comma-separated list? Or am I better off changing my policy to allow all outgoing DMZ traffic, and then make rules to deny everything I don't want?

Thanks in advance for any suggestions.

Cheers,
Scott
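As an added illustration (not part of the original post, and not Shorewall's own code), the following hypothetical lint reproduces the two failures described above and shows the default-deny alternative: the DEST PORT column of an icmp rule is passed to iptables as the ICMP type, iptables accepts one type (or type/code) per rule rather than a range, so a restrictive policy lists one rule per ICMP type. The `<src>2<dst>` chain name and the ICMP type table are assumptions for the example.

```python
"""Hypothetical lint for Shorewall-style rule lines (added example).

Mirrors the error on the page: 'ACCEPT dmz net icmp' hands '-' to
iptables as the ICMP type, and '0-255' is not a valid type either,
because --icmp-type takes a single type (or type/code), not a range.
"""
import re

# A small, constructed table of ICMP types a restrictive DMZ policy
# would commonly permit explicitly (names as used by iptables).
ICMP_TYPES = {"echo-reply": 0, "destination-unreachable": 3,
              "echo-request": 8, "time-exceeded": 11}


def rule_to_iptables(line):
    """Translate 'ACTION SOURCE DEST PROTO [DEST PORT]' into iptables
    match arguments, raising ValueError where iptables itself would fail.
    The '<src>2<dst>' chain name is an assumption for this example."""
    cols = line.split()
    if len(cols) < 4:
        raise ValueError("rule needs at least ACTION SOURCE DEST PROTO")
    action, src, dst, proto = cols[:4]
    port = cols[4] if len(cols) > 4 else "-"   # Shorewall's empty column
    args = ["-A", f"{src}2{dst}", "-p", proto]
    if proto == "icmp":
        if port == "-":
            raise ValueError("invalid ICMP type '-': give one type per rule")
        if port.replace("-", "").isalpha():
            if port not in ICMP_TYPES:
                raise ValueError(f"unknown ICMP type name '{port}'")
        elif (not re.fullmatch(r"\d{1,3}(/\d{1,3})?", port)
              or int(port.split("/")[0]) > 255):
            raise ValueError(f"invalid ICMP type '{port}': no ranges")
        args += ["--icmp-type", port]
    elif port != "-":
        args += ["--dport", port]
    return args + ["-j", action]


def expand_icmp(action, src, dst, names):
    """Emit one explicit rule line per ICMP type: the default-deny style,
    instead of opening all outgoing traffic and denying afterwards."""
    return [f"{action} {src} {dst} icmp {ICMP_TYPES[n]}" for n in names]
```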