
Thread: How to Block Ping ICMP Requests?

  1. #1

    How to Block Ping ICMP Requests?

    Hi,
    Please tell me why I can’t block ICMP requests?
    Reproduce:

    Code:
    alex@linux-ofwi:~> sudo firewall-cmd --list-all-zone
    [sudo] пароль для root: 
    ---------
    drop (active)
      target: DROP
      icmp-block-inversion: no
      interfaces: eth0 ppp0
      sources: 
      services: 
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    ----------
    alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
    no
    alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop
    success
    sudo firewall-cmd --runtime-to-permanent
    success
    alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
    no
    How to do it right?

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,843
    Blog Entries
    1

    Re: How to Block Ping ICMP Requests?

    I would block it via the kernel "on the fly" with
    Code:
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
    That will take immediate effect.

    If you want to make it permanent, then add 'net.ipv4.icmp_echo_ignore_all=1' to /etc/sysctl.conf
    Code:
    echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
    and then apply using
    Code:
    sysctl -p
    openSUSE Leap 15.1; KDE Plasma 5

  3. #3

    Re: How to Block Ping ICMP Requests?

    BTW, when I invoked firewall rules to inhibit ICMP echo replies and echo requests (and not inhibited via the kernel mechanism)...
    Code:
    # firewall-cmd --zone=public --add-icmp-block=echo-reply
    success
    # firewall-cmd --zone=public --add-icmp-block=echo-request
    success
    ...I found the following reported from a Windows client
    Code:
    C:\Users\OEM>ping 192.168.0.12
    
    Pinging 192.168.0.12 with 32 bytes of data:
    Reply from 192.168.0.12: Destination host unreachable.
    Reply from 192.168.0.12: Destination host unreachable.
    Whereas, the former method (sysctl -w net.ipv4.icmp_echo_ignore_all=1) results in the following response
    Code:
    C:\Users\OEM>ping 192.168.0.12
    
    Pinging 192.168.0.12 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Last edited by deano_ferrari; 05-Oct-2019 at 15:07.

  4. #4

    Re: How to Block Ping ICMP Requests?

    Quote Originally Posted by deano_ferrari View Post
    I would block it via the kernel "on the fly" with
    Code:
    sysctl -w net.ipv4.icmp_echo_ignore_all=1
    That will take immediate effect.

    If you want to make it permanent, then add 'net.ipv4.icmp_echo_ignore_all=1' to /etc/sysctl.conf
    Code:
    echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf
    and then apply using
    Code:
    sysctl -p
    OK thanks.
    But I would like to know how to block the entire range of requests:

    Code:
    alex@linux-ofwi:~> firewall-cmd --get-icmptypes
    address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy
    fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement
    neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem
    port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation
    source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect
    tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
    
    I do not understand why I cannot do this through the firewall:

    Code:
    sudo firewall-cmd --add-icmp-block-inversion --zone=drop
    ?

  5. #5

    Re: How to Block Ping ICMP Requests?

    Quote Originally Posted by aleksejsmir View Post
    OK thanks.
    But I would like to know how to block the entire range of requests:

    I do not understand why I cannot do this through the firewall:

    Code:
    sudo firewall-cmd --add-icmp-block-inversion --zone=drop
    You can, and the above directive should do just that (as long as you don't then add subsequent directives to allow some ICMP requests unintentionally, as you appeared to have done in your first post).

    The block inversion inverts the setting of the ICMP request blocks, so all requests that were not previously blocked are blocked. Those that were blocked are not blocked. This means that if you need to unblock a request, you must use the blocking command.
    https://access.redhat.com/documentat..._icmp_requests

  6. #6

    Re: How to Block Ping ICMP Requests?

    BTW, before dropping all ICMP types it's worth reading the following appraisal on the subject...

    http://shouldiblockicmp.com/

  7. #7

    Re: How to Block Ping ICMP Requests?

    Quote Originally Posted by deano_ferrari View Post
    as long as you don't then add subsequent directives to allow some ICMP requests unintentionally as you appeared to have done in your first post
    Really?? Sorry, I do not understand. What requests have I allowed?

    To see if an ICMP request is currently blocked:
    ~]# firewall-cmd --query-icmp-block=<icmptype>
    https://access.redhat.com/documentat..._icmp_requests

  8. #8

    Re: How to Block Ping ICMP Requests?

    Quote Originally Posted by aleksejsmir View Post
    Really?? Sorry, I do not understand. What requests have I allowed?
    I may have misunderstood your opening post. From your output, you seemed surprised by the following...

    Code:
    @linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
    no
    alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop
    success
    sudo firewall-cmd --runtime-to-permanent
    success
    alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
    no
    but what you need to be looking for is that the icmp-block-inversion is active...

    Code:
    ~> sudo firewall-cmd --query-icmp-block-inversion 
    yes
    ...or
    Code:
    sudo firewall-cmd --zone=drop --list-all
    contains
    Code:
    icmp-block-inversion: yes
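    As an added illustration of the point made in this reply (example code, not posted by anyone in the thread): a small shell check that reads the text of `firewall-cmd --zone=<zone> --list-all` and reports whether a given ICMP type is effectively blocked, applying the inversion rule quoted from the Red Hat documentation in #5. The zone listing below is a constructed sample, and the function names `sample_zone_listing` and `icmp_effectively_blocked` are mine; `--query-icmp-block` alone only reports membership in the icmp-blocks list, which is why it keeps answering "no" in the thread.

```shell
#!/bin/sh
# Added example: decide whether firewalld would block a given ICMP type in a
# zone, from the text of `firewall-cmd --zone=<zone> --list-all`.
# Rule (firewalld icmp-block-inversion): without inversion the icmp-blocks
# list names the blocked types; with inversion the list names the ONLY types
# still allowed and every other type is blocked.

# Constructed sample listing (not captured from a live system).
sample_zone_listing() {
  cat <<'EOF'
drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0 ppp0
  icmp-blocks: echo-reply timestamp-request
  rich rules:
EOF
}

# icmp_effectively_blocked <icmptype>   (zone listing on stdin)
# Prints "blocked" or "allowed"; exit status 0 = blocked, 1 = allowed.
icmp_effectively_blocked() {
  awk -v t="$1" '
    BEGIN { inv = 0; listed = 0 }
    $1 == "icmp-block-inversion:" { inv = ($2 == "yes") }
    $1 == "icmp-blocks:" { for (i = 2; i <= NF; i++) if ($i == t) listed = 1 }
    END {
      # Effective block is list membership XOR inversion.
      blocked = (listed != inv)
      msg = blocked ? "blocked" : "allowed"
      print msg
      exit (blocked ? 0 : 1)
    }'
}

# Stand-alone demo against the sample listing. On a real host, replace
# sample_zone_listing with: sudo firewall-cmd --zone=drop --list-all
for t in echo-request echo-reply timestamp-request; do
  printf '%-18s ' "$t"
  sample_zone_listing | icmp_effectively_blocked "$t" || :
done
```

    With the sample listing, echo-request is reported as blocked while echo-reply and timestamp-request (the listed types) are the only ones still allowed.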

  9. #9

    Re: How to Block Ping ICMP Requests?

    OK, no problem.
    I did it one more time.

    Code:
    alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop 
    [sudo] пароль для root:  
    success
    alex@linux-ofwi:~> sudo firewall-cmd --zone=drop --list-all
    drop (active)
      target: DROP
      icmp-block-inversion: yes
      interfaces: eth0 ppp0
      sources:  
      services:  
      ports:  
      protocols:  
      masquerade: no
      forward-ports:  
      source-ports:  
      icmp-blocks:  
      rich rules: 
    alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block-inversion --zone=drop
    yes
    alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
    no
    

  10. #10

    Re: How to Block Ping ICMP Requests?

    Quote Originally Posted by aleksejsmir View Post
    OK, no problem.
    I did it one more time.
    Ok, that should be all that is needed (with the implications that are discussed in the page that I linked to about blocking ICMP traffic).
