FreeKB - Firewalld firewall-cmd - allow or deny ICMP
Firewalld - firewall-cmd - allow or deny ICMP

If you are not familiar with firewalld and the firewall-cmd, check out our Getting Started article.


Display ICMP Types

firewall-cmd with the --get-icmptypes flag displays each ICMP type that firewalld knows about and can therefore allow or block.

firewall-cmd --get-icmptypes

 

Something like this should be returned.

address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

 


IPv4 & IPv6

The --info-icmptype=<type> option can be used to determine whether a type applies to IPv4 only, IPv6 only, or both.

~]# firewall-cmd --info-icmptype=echo-request
echo-request
  destination: ipv4 ipv6

 


Allow or Block all ICMP traffic

ICMP block inversion inverts the logic of the zone's icmp-blocks list: types that would have been blocked are allowed, and types that would have been allowed are blocked.

The --remove-icmp-block-inversion option sets icmp-block-inversion to no, which removes the ICMP block inversion control from the zone.

firewall-cmd --zone=public --remove-icmp-block-inversion --permanent
firewall-cmd --zone=drop   --remove-icmp-block-inversion --permanent
firewall-cmd --reload

 

The --add-icmp-block-inversion option sets icmp-block-inversion to yes, which enables ICMP block inversion for the zone.

firewall-cmd --zone=public --add-icmp-block-inversion --permanent
firewall-cmd --zone=drop   --add-icmp-block-inversion --permanent
firewall-cmd --reload

 

The --query-icmp-block-inversion option can be used to determine if a zone is configured with ICMP block inversion.

~]# firewall-cmd --zone=public --query-icmp-block-inversion
no

 

Or, the --list-all option can be used.

~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

~]# firewall-cmd --zone=drop --list-all
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

 


Allow or Block certain ICMP traffic

The --query-icmp-block=<type> option can be used to determine whether a type is configured to be allowed or blocked.

~]# firewall-cmd --query-icmp-block=echo-request
no

 

The --add-icmp-block=<type> option can be used to block a certain type.

~]# firewall-cmd --add-icmp-block=echo-request --permanent

 

The --remove-icmp-block=<type> option can be used to remove the block on a certain type.

~]# firewall-cmd --remove-icmp-block=echo-request --permanent

 

After adding or removing a block with --permanent, reload the firewall so the change takes effect in the running configuration.

firewall-cmd --reload

 

In this example, the public zone has icmp-block-inversion set to no, so all ICMP traffic is allowed except the types listed under icmp-blocks; icmp-blocks is set to echo-request, so echo requests are blocked.

~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:

~]# firewall-cmd --zone=drop --list-all
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
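The verdict a zone reaches for a given ICMP type depends on both icmp-block-inversion and the icmp-blocks list, which is easy to misread from the --list-all output above. The following POSIX shell script is an added example and is not part of the FreeKB article or of firewalld itself. It parses --list-all style output (the two zone listings embedded in it are constructed samples modelled on the article's output) and prints "allow" or "block" for a type under both inversion settings. The live_verdict and ensure_icmp_block helpers are assumptions about how you would wire the same check into a real host: they only run where firewall-cmd is installed and require root.

```shell
#!/bin/sh
# Added example (not from the FreeKB article): decide how a firewalld zone will
# treat a given ICMP type, from the zone's `firewall-cmd --zone=<z> --list-all`
# output. Semantics, as the article describes them:
#   icmp-block-inversion: no  -> types under icmp-blocks are BLOCKED, all others allowed
#   icmp-block-inversion: yes -> types under icmp-blocks are ALLOWED, all others blocked

# Constructed sample: the public zone after `--add-icmp-block=echo-request`.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno16777984
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-request
  rich rules:'

# Constructed sample: the same zone with block inversion enabled.
SAMPLE_INVERTED='public (active)
  target: default
  icmp-block-inversion: yes
  icmp-blocks: echo-request timestamp-request
  rich rules:'

# zone_field <listing> <key> -> value of the "  key: value" line (empty if unset)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# icmp_verdict <listing> <icmp-type> -> prints "allow" or "block"
icmp_verdict() {
    listing=$1
    type=$2
    inversion=$(zone_field "$listing" "icmp-block-inversion")
    blocks=$(zone_field "$listing" "icmp-blocks")
    listed=no
    for t in $blocks; do
        [ "$t" = "$type" ] && listed=yes
    done
    case "$inversion:$listed" in
        no:yes)  echo block ;;   # explicitly blocked
        no:no)   echo allow ;;   # default: anything not listed passes
        yes:yes) echo allow ;;   # inverted: the listed types are the allowed ones
        yes:no)  echo block ;;   # inverted: everything else is blocked
        *)       echo "unknown inversion value '$inversion'" >&2; return 1 ;;
    esac
}

# live_verdict <zone> <icmp-type>: the same check against the running firewall.
# Assumption: firewall-cmd is installed and we have the rights to query it.
live_verdict() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    icmp_verdict "$(firewall-cmd --zone="$1" --list-all)" "$2"
}

# ensure_icmp_block <zone> <icmp-type>: the article's add-then-reload procedure,
# made idempotent. The --permanent query exits 0 when the block is already set.
# Assumption: firewall-cmd is installed and this runs as root.
ensure_icmp_block() {
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    if firewall-cmd --zone="$1" --permanent --query-icmp-block="$2" >/dev/null 2>&1; then
        echo "$2 is already blocked (permanent) in zone $1"
    else
        firewall-cmd --zone="$1" --permanent --add-icmp-block="$2" && firewall-cmd --reload
    fi
}

# Demonstration on the constructed samples:
printf 'public, not inverted, echo-request: %s\n' "$(icmp_verdict "$SAMPLE_PUBLIC" echo-request)"
printf 'public, not inverted, echo-reply:   %s\n' "$(icmp_verdict "$SAMPLE_PUBLIC" echo-reply)"
printf 'public, inverted,     echo-request: %s\n' "$(icmp_verdict "$SAMPLE_INVERTED" echo-request)"
printf 'public, inverted,     echo-reply:   %s\n' "$(icmp_verdict "$SAMPLE_INVERTED" echo-reply)"
```

Note that turning on inversion for a zone whose icmp-blocks list is empty blocks every ICMP type in that zone, including echo-reply and destination-unreachable, so check the effective verdict for the types your monitoring and path-MTU discovery depend on before reloading.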

 



Web design by yours truely - me, myself, and I   |   jeremy.canfield@freekb.net   |