4

How to DROP icmp requests with firewalld?

An equivalent example using iptables instead would be:

$ iptables -A INPUT --protocol icmp --in-interface enp0s8 -j DROP

The above produces the desired result (no response) like so:

[root@lexy1 ~]# ping l2
PING lexy2.example.vm (192.168.57.102) 56(84) bytes of data.
                              ︙
                      (no other output)
                              ︙

I'm able to block icmp requests with firewalld using something like:

$ firewall-cmd --zone=internal --add-icmp-block={echo-request,echo-reply}

However ping returns output like so:

[root@lexy1 ~]# ping l2
PING lexy2.example.vm (192.168.57.102) 56(84) bytes of data.
From lexy2.example.vm (192.168.57.102) icmp_seq=1 Destination Host Prohibited
From lexy2.example.vm (192.168.57.102) icmp_seq=2 Destination Host Prohibited
From lexy2.example.vm (192.168.57.102) icmp_seq=3 Destination Host Prohibited
                              ︙

Ping should receive no indication that a server exists at this address. (This is not an attempt at security through obscurity.)

Alxs

  • It seems to me that you have to create a new zone whose policy is DROP, then you can set icmp-block-inversion; then ICMP traffic matching that zone will be dropped. [reference](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Configuring_firewalld), quoting: "To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted, all other are rejected. In a zone using the DROP target, they are dropped." – Jeff Schaller Jul 14 '17 at 19:54
  • Thanks @JeffSchaller, that works. I just moved the interface to the predefined `drop` zone, added the services I need on that interface, and ran `$ firewall-cmd --permanent --zone=drop --add-icmp-block-inversion`. If you answer, I will accept. – Alxs Jul 15 '17 at 11:25
  • A slightly quicker way might be to just change the target of the current zone to `DROP`, assuming there's only the one desired interface in the current zone. Like this: `$ firewall-cmd --permanent [--zone=zone] --set-target=DROP`. As all services would already have been configured for the current zone you'd just need to add the 'icmp block inversion'. – Alxs Jul 15 '17 at 11:32
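The comments above settle on a DROP-target zone plus icmp-block-inversion, and the question shows how the two configurations look from the client side. The script below is an added example, not code from the question or answers: one helper classifies a ping transcript as reply, reject (the "Destination Host Prohibited" case, which confirms a host is there) or silent drop, and another emits the firewall-cmd sequence for a zone name you pass in. The zone name and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Distinguishes the two outcomes
# shown in the question and emits the agreed firewalld configuration.

# Read a ping transcript on stdin and print one word:
#   reply  - echo replies arrived, so ICMP is not blocked
#   reject - ICMP error messages arrived; the host exists and REJECTs
#            (what --add-icmp-block alone produces in a default-target zone)
#   drop   - nothing after the PING header line (DROP target plus
#            icmp-block-inversion)
classify_ping_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q '^[0-9][0-9]* bytes from .*icmp_seq='; then
        echo reply
    elif printf '%s\n' "$out" | grep -Eq '^From .*(Prohibited|Unreachable)'; then
        echo reject
    else
        echo drop
    fi
}

# Print the firewalld commands that make zone $1 silently drop ICMP:
# with the target set to DROP and the ICMP filter inverted, only marked ICMP
# types are accepted and every unmarked type is dropped instead of rejected.
# Review the output, then pipe it to sh as root on the firewall host.
icmp_drop_commands() {
    zone=$1
    cat <<EOF
firewall-cmd --permanent --zone=$zone --set-target=DROP
firewall-cmd --permanent --zone=$zone --add-icmp-block-inversion
firewall-cmd --reload
EOF
}

# Constructed sample: the REJECT-style transcript from the question.
sample_reject='PING lexy2.example.vm (192.168.57.102) 56(84) bytes of data.
From lexy2.example.vm (192.168.57.102) icmp_seq=1 Destination Host Prohibited'
printf '%s\n' "$sample_reject" | classify_ping_output   # reject

# Constructed sample: header only, as in the iptables DROP transcript.
sample_drop='PING lexy2.example.vm (192.168.57.102) 56(84) bytes of data.'
printf '%s\n' "$sample_drop" | classify_ping_output     # drop

icmp_drop_commands drop
```

In an inverted zone, a type added with --add-icmp-block becomes one of the accepted types, so you can keep the error messages the host still needs while dropping echo-request.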

2 Answers

3

The following should work.

Drop all ICMP:

firewall-cmd --set-target=DROP --zone=public --permanent
firewall-cmd --zone=nagios --remove-icmp-block={echo-request,echo-reply,timestamp-request,timestamp-reply} --permanent
firewall-cmd --reload

Revert to default:

firewall-cmd --set-target=default --zone=public
firewall-cmd --reload

ALi Maken
-1

Try with the command below:

systemctl stop iptables
mattia.b89

  • Please use proper syntax for commands & explain what your solution (the command you posted here) should *cause*. – mattia.b89 May 01 '20 at 15:16