Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

5.11. Managing ICMP Requests

The Internet Control Message Protocol (ICMP) is a supporting protocol that is used by various network devices to send error messages and operational information indicating a connection problem, for example, that a requested service is not available. ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, it is possible to use the ICMP messages, especially echo-request and echo-reply, to reveal information about your network and misuse such information for various kinds of fraudulent activities. Therefore, firewalld enables blocking the ICMP requests to protect your network information.

5.11.1. Listing ICMP Requests
Copy link

The ICMP requests are described in individual XML files that are located in the /usr/lib/firewalld/icmptypes/ directory. You can read these files to see a description of the request. The firewall-cmd command controls the ICMP requests manipulation.
To list all available ICMP types: 
~]# firewall-cmd --get-icmptypes
Copy to Clipboard Toggle word wrap
The ICMP request can be used by IPv4, IPv6, or by both protocols. To see for which protocol the ICMP request is used: 
~]# firewall-cmd --info-icmptype=<icmptype>
Copy to Clipboard Toggle word wrap
The status of an ICMP request shows yes if the request is currently blocked or no if it is not. To see if an ICMP request is currently blocked: 
~]# firewall-cmd --query-icmp-block=<icmptype>
Copy to Clipboard Toggle word wrap

5.11.2. Blocking or Unblocking ICMP Requests
Copy link

When your server blocks ICMP requests, it does not provide the information that it normally would. However, that does not mean that no information is given at all. The clients receive information that the particular ICMP request is being blocked (rejected). Blocking the ICMP requests should be considered carefully, because it can cause communication problems, especially with IPv6 traffic.
To see if an ICMP request is currently blocked: 
~]# firewall-cmd --query-icmp-block=<icmptype>
Copy to Clipboard Toggle word wrap
To block an ICMP request: 
~]# firewall-cmd --add-icmp-block=<icmptype>
Copy to Clipboard Toggle word wrap
To remove the block for an ICMP request: 
~]# firewall-cmd --remove-icmp-block=<icmptype>
Copy to Clipboard Toggle word wrap
Normally, if you block ICMP requests, clients know that you are blocking it. So, a potential attacker who is sniffing for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.
To block and drop all ICMP requests:
  1. Set the target of your zone to DROP: 
    ~]# firewall-cmd --set-target=DROP
    Copy to Clipboard Toggle word wrap
  2. Make the new settings persistent: 
    ~]# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap
Now, all traffic, including ICMP requests, is dropped, except traffic which you have explicitly allowed.
To block and drop certain ICMP requests and allow others:
  1. Set the target of your zone to DROP: 
    ~]# firewall-cmd --set-target=DROP
    Copy to Clipboard Toggle word wrap
  2. Add the ICMP block inversion to block all ICMP requests at once: 
    ~]# firewall-cmd --add-icmp-block-inversion
    Copy to Clipboard Toggle word wrap
  3. Add the ICMP block for those ICMP requests that you want to allow: 
    ~]# firewall-cmd --add-icmp-block=<icmptype>
    Copy to Clipboard Toggle word wrap
  4. Make the new settings persistent: 
    ~]# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap
The block inversion inverts the setting of the ICMP requests blocks, so all requests, that were not previously blocked, are blocked. Those that were blocked are not blocked. Which means that if you need to unblock a request, you must use the blocking command.
To revert this to a fully permissive setting:
  1. Set the target of your zone to default or ACCEPT: 
    ~]# firewall-cmd --set-target=default
    Copy to Clipboard Toggle word wrap
  2. Remove all added blocks for ICMP requests: 
    ~]# firewall-cmd --remove-icmp-block=<icmptype>
    Copy to Clipboard Toggle word wrap
  3. Remove the ICMP block inversion: 
    ~]# firewall-cmd --remove-icmp-block-inversion
    Copy to Clipboard Toggle word wrap
  4. Make the new settings persistent: 
    ~]# firewall-cmd --runtime-to-permanent
    Copy to Clipboard Toggle word wrap

5.11.4. Configuring the ICMP Filter using GUI
Copy link

To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted, all other are rejected. In a zone using the DROP target, they are dropped.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat