5.11. Managing ICMP Requests
The Internet Control Message Protocol (ICMP) is a supporting protocol that is used by various network devices to send error messages and operational information indicating a connection problem, for example, that a requested service is not available. ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, it is possible to use ICMP messages, especially echo-request and echo-reply, to reveal information about your network and misuse such information for various kinds of fraudulent activities. Therefore, firewalld enables blocking the ICMP requests to protect your network information.
5.11.1. Listing ICMP Requests
The ICMP requests are described in individual XML files that are located in the /usr/lib/firewalld/icmptypes/ directory. You can read these files to see a description of the request. The firewall-cmd command is used to manipulate the ICMP requests.
To list all available ICMP types:
~]# firewall-cmd --get-icmptypes
The ICMP request can be used by IPv4, IPv6, or by both protocols. To see for which protocol the ICMP request is used:
~]# firewall-cmd --info-icmptype=<icmptype>
The status of an ICMP request shows yes if the request is currently blocked or no if it is not. To see if an ICMP request is currently blocked:
~]# firewall-cmd --query-icmp-block=<icmptype>
5.11.2. Blocking or Unblocking ICMP Requests
When your server blocks ICMP requests, it does not provide the information that it normally would. However, that does not mean that no information is given at all. The clients receive information that the particular ICMP request is being blocked (rejected). Blocking the ICMP requests should be considered carefully, because it can cause communication problems, especially with IPv6 traffic.
To see if an ICMP request is currently blocked:
~]# firewall-cmd --query-icmp-block=<icmptype>
To block an ICMP request:
~]# firewall-cmd --add-icmp-block=<icmptype>
To remove the block for an ICMP request:
~]# firewall-cmd --remove-icmp-block=<icmptype>
5.11.3. Blocking ICMP Requests without Providing any Information at All
Normally, if you block ICMP requests, clients know that you are blocking them. So, a potential attacker who is sniffing for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.
To block and drop all ICMP requests:
- Set the target of your zone to DROP:
~]# firewall-cmd --set-target=DROP
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
Now, all traffic, including ICMP requests, is dropped, except traffic which you have explicitly allowed.
To block and drop certain ICMP requests and allow others:
- Set the target of your zone to DROP:
~]# firewall-cmd --set-target=DROP
- Add the ICMP block inversion to block all ICMP requests at once:
~]# firewall-cmd --add-icmp-block-inversion
- Add the ICMP block for those ICMP requests that you want to allow:
~]# firewall-cmd --add-icmp-block=<icmptype>
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
The block inversion inverts the setting of the ICMP request blocks, so all requests that were not previously blocked are blocked, and those that were blocked are not blocked. This means that if you need to unblock a request, you must use the blocking command.
To revert this to a fully permissive setting:
- Set the target of your zone to default or ACCEPT:
~]# firewall-cmd --set-target=default
- Remove all added blocks for ICMP requests:
~]# firewall-cmd --remove-icmp-block=<icmptype>
- Remove the ICMP block inversion:
~]# firewall-cmd --remove-icmp-block-inversion
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
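As an added example that is not part of the Red Hat guide, the following POSIX shell script models the block-inversion rule described above and the client-visible difference between a rejected and a dropped request: it computes a zone's effective ICMP policy from a constructed list of ICMP types and, only where firewall-cmd is installed, repeats the report for the live default zone using read-only queries. The effective_blocks, client_view and report functions are this example's own helpers, not firewall-cmd features.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide: model firewalld's ICMP block
# inversion so you can predict a zone's effective ICMP policy before applying it.

# Constructed sample of ICMP type names, as firewall-cmd --get-icmptypes lists them.
ALL_TYPES="echo-request echo-reply destination-unreachable time-exceeded parameter-problem"

# effective_blocks INVERSION BLOCKED_LIST -> prints the types the zone really blocks.
# inversion "no":  exactly the listed types are blocked.
# inversion "yes": the list becomes an allow-list; every type not on it is blocked.
effective_blocks() {
    inv=$1; listed=$2; out=""
    for t in $ALL_TYPES; do
        in_list=no
        for b in $listed; do [ "$t" = "$b" ] && in_list=yes; done
        # A type is blocked exactly when inversion and list membership disagree.
        [ "$inv" = "$in_list" ] || out="$out $t"
    done
    printf '%s\n' "${out# }"
}

# client_view TARGET IS_BLOCKED -> what a probing client observes for one type.
# A blocked type is rejected in a default/ACCEPT zone (the client still learns the
# host is up) and silently dropped only when the zone target is DROP.
client_view() {
    [ "$2" = "yes" ] || { echo accepted; return; }
    [ "$1" = "DROP" ] && echo dropped || echo rejected
}

# report TARGET INVERSION BLOCKED_LIST -> one line per type with the client's view.
report() {
    blocked=$(effective_blocks "$2" "$3")
    for t in $ALL_TYPES; do
        is_b=no
        for b in $blocked; do [ "$t" = "$b" ] && is_b=yes; done
        printf '%-24s %s\n' "$t" "$(client_view "$1" "$is_b")"
    done
}

# The guide's "block certain ICMP requests and allow others" recipe on the sample:
# target DROP, inversion on, echo-request "blocked" (which inversion turns into allowed).
report DROP yes "echo-request"
# On a host running firewalld, repeat the report for the live default zone using
# read-only queries (--query-icmp-block-inversion exits 1 when inversion is off).
if command -v firewall-cmd >/dev/null 2>&1; then
    ( ALL_TYPES=$(firewall-cmd --get-icmptypes)
      inv=$(firewall-cmd --query-icmp-block-inversion >/dev/null 2>&1 && echo yes || echo no)
      report "$(firewall-cmd --get-target)" "$inv" "$(firewall-cmd --list-icmp-blocks)" )
fi
```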
5.11.4. Configuring the ICMP Filter using GUI
To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted; all others are rejected. In a zone using the DROP target, they are dropped.