If you are not familiar with firewalld and firewall-cmd, check out our Getting Started article.
Display ICMP Types
firewall-cmd with the --get-icmptypes flag lists every ICMP type that firewalld knows about and can allow or block.
firewall-cmd --get-icmptypes
Something like this should be returned.
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
IPv4 & IPv6
The --info-icmptype=<type> option shows whether a type applies to IPv4 only, IPv6 only, or both.
~]# firewall-cmd --info-icmptype=echo-request
echo-request
destination: ipv4 ipv6
Allow or Block all ICMP traffic
ICMP block inversion inverts the logic: ICMP types that would have been blocked are allowed, and types that would have been allowed are blocked. In other words, with inversion enabled the icmp-blocks list becomes the set of ICMP types the zone accepts, and every other ICMP type is blocked.
The --remove-icmp-block-inversion option sets icmp-block-inversion to no, which disables ICMP block inversion for the zone. Because --permanent only changes the stored configuration, the reload that follows is what makes the change take effect.
firewall-cmd --zone=public --remove-icmp-block-inversion --permanent
firewall-cmd --zone=drop --remove-icmp-block-inversion --permanent
firewall-cmd --reload
The --add-icmp-block-inversion option sets icmp-block-inversion to yes, enabling ICMP block inversion for the zone.
firewall-cmd --zone=public --add-icmp-block-inversion --permanent
firewall-cmd --zone=drop --add-icmp-block-inversion --permanent
firewall-cmd --reload
The --query-icmp-block-inversion option can be used to determine if a zone is configured with ICMP block inversion.
~]# firewall-cmd --zone=public --query-icmp-block-inversion
no
The --check-config option can be used to confirm that the permanent configuration contains no errors.
~]$ firewall-cmd --check-config
success
Alternatively, the --list-all option shows the zone's icmp-block-inversion setting together with the rest of its configuration.
~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno16777984
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
~]# firewall-cmd --zone=drop --list-all
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Allow or Block certain ICMP traffic
The --query-icmp-block=<type> option can be used to determine whether a type is configured to be blocked; it answers yes or no.
~]# firewall-cmd --query-icmp-block=echo-request
no
The --add-icmp-block=<type> option blocks a certain type. Without --zone, firewall-cmd applies the change to the default zone.
~]# firewall-cmd --add-icmp-block=echo-request --permanent
The --remove-icmp-block=<type> option removes the block on a certain type.
~]# firewall-cmd --remove-icmp-block=echo-request --permanent
After adding or removing a block, reload the firewall.
firewall-cmd --reload
In this example, the public zone has icmp-block-inversion set to no, so all ICMP traffic is allowed except the types listed in icmp-blocks, and icmp-blocks contains echo-request, so echo requests are blocked.
~]# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno16777984
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: echo-request
rich rules:
~]# firewall-cmd --zone=drop --list-all
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
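As an added example (not part of the original article), here is a small POSIX sh function that reads the output of firewall-cmd --zone=<zone> --list-all and reports whether a given ICMP type ends up blocked or allowed, taking icmp-block-inversion into account. The --list-all outputs it parses are constructed samples, and the interface name and block list in them are placeholders.

```shell
#!/bin/sh
# Added example: derive the effective handling of one ICMP type from
# "firewall-cmd --zone=<zone> --list-all" output by combining the
# icmp-block-inversion flag with the icmp-blocks list.
# Assumes the "  key: value" field layout shown on this page.

# Constructed sample output (interface and block list are placeholders).
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request timestamp-request
  rich rules:'

# icmp_verdict TYPE LIST_ALL_OUTPUT -> prints "blocked" or "allowed"
icmp_verdict() {
    icmp_type="$1"
    output="$2"
    inversion=$(printf '%s\n' "$output" | sed -n 's/^ *icmp-block-inversion: *//p')
    blocks=$(printf '%s\n' "$output" | sed -n 's/^ *icmp-blocks: *//p')
    listed=no
    for t in $blocks; do
        [ "$t" = "$icmp_type" ] && listed=yes
    done
    # Without inversion, icmp-blocks is a deny list; with inversion it is
    # the only set of ICMP types the zone accepts.
    if [ "$inversion" = "yes" ]; then
        [ "$listed" = yes ] && echo allowed || echo blocked
    else
        [ "$listed" = yes ] && echo blocked || echo allowed
    fi
}

# The same zone with inversion switched on (constructed from the sample).
SAMPLE_INVERTED=$(printf '%s\n' "$SAMPLE_PUBLIC" | sed 's/^\( *icmp-block-inversion: \)no/\1yes/')

icmp_verdict echo-request "$SAMPLE_PUBLIC"     # blocked
icmp_verdict echo-reply "$SAMPLE_PUBLIC"       # allowed
icmp_verdict echo-request "$SAMPLE_INVERTED"   # allowed
icmp_verdict echo-reply "$SAMPLE_INVERTED"     # blocked
```

To check a live zone, pass "$(firewall-cmd --zone=public --list-all)" as the second argument.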