
Thread: icmp allowed by default

  1. #1

    icmp allowed by default

    Hi, the public zone is the default zone and no inbound traffic is allowed on this zone, but ICMP and traceroute are still functional inbound on it. Only after configuring additional rules are ICMP and traceroute blocked. Any suggestion is appreciated.

  2. #2

    Re: icmp allowed by default

    This thread may be of interest to you.
    openSUSE Leap 15.2; KDE Plasma 5

  3. #3

    Re: icmp allowed by default

    Yeah, thank you, I read it, but my question is: why, when all inbound traffic is blocked, is ICMP functional? Is this a bug or something else?

  4. #4

    Re: icmp allowed by default

    No, it isn't a bug. The behaviour can be configured as required. There are implications with blocking ICMP traffic though; it can cause issues with IPv6 traffic, for example. If you truly want to drop ICMP packets, read on....

    This Red Hat security guide offers some comprehensive information about configuring firewalld to manage ICMP traffic.

    For example:
    5.11.3. Blocking ICMP Requests without Providing any Information at All

    Normally, if you block ICMP requests, clients know that you are blocking it. So, a potential attacker who is sniffing for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.

    To block and drop all ICMP requests:

    • Set the target of your zone to DROP:
      ~]# firewall-cmd --set-target=DROP
    • Make the new settings persistent:
      ~]# firewall-cmd --runtime-to-permanent

    Now, all traffic, including ICMP requests, is dropped, except traffic which you have explicitly allowed.
    Last edited by deano_ferrari; 17-Jul-2020 at 02:38.
    openSUSE Leap 15.2; KDE Plasma 5
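As an added example that is not part of the thread or of the Red Hat guide quoted above: a small POSIX shell script that reads the listing printed by `firewall-cmd --zone=<zone> --list-all` and reports whether an inbound ICMP echo-request would still be answered. It illustrates the original question: the stock public zone has target `default`, which rejects unmatched traffic with ICMP error messages but lets ICMP types through unless they are listed under `icmp-blocks`, so ping keeps working (and traceroute, which relies on ICMP replies, still gets answers); once the target is `DROP`, nothing that is not explicitly allowed gets through. The three zone listings are constructed samples embedded inline so the check runs without firewalld, and the function names (`zone_field`, `zone_target`, `icmp_echo_blocked`, `drop_zone_target`, `report`) are mine. `drop_zone_target` uses the `--permanent` plus `--reload` form of the guide's command, on the assumption that firewall-cmd treats `--set-target` as a permanent-configuration option.

```shell
#!/bin/sh
# Added example, not from the thread or the Red Hat guide: parse a zone's
# "firewall-cmd --zone=<zone> --list-all" listing and decide whether inbound
# ICMP echo-request would still be answered. Function names and the sample
# listings are mine; the samples are constructed so this runs without firewalld.

# Constructed sample 1: a stock public zone (target "default", no icmp-blocks).
SAMPLE_DEFAULT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample 2: same zone with echo-request added to icmp-blocks.
SAMPLE_BLOCKED=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/^  icmp-blocks:.*/  icmp-blocks: echo-request/')

# Constructed sample 3: same zone after the guide's --set-target=DROP.
SAMPLE_DROP=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/^  target:.*/  target: DROP/')

# Print the value of one "key: value" field from a --list-all listing.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print the zone target (default, ACCEPT, DROP, REJECT or %%REJECT%%).
zone_target() {
    zone_field "$1" target
}

# Print "yes" if an inbound echo-request would be dropped or rejected by this
# zone, "no" if it would be answered.
icmp_echo_blocked() {
    target=$(zone_target "$1")
    inversion=$(zone_field "$1" icmp-block-inversion)
    listed=no
    for t in $(zone_field "$1" icmp-blocks); do
        if [ "$t" = echo-request ]; then listed=yes; fi
    done
    case "$target" in
        DROP|REJECT|%%REJECT%%)
            # Only explicitly allowed traffic passes, and ICMP is not allowed here.
            echo yes ;;
        *)
            # Target default/ACCEPT: icmp-blocks decides, honouring the inversion flag
            # (inverted means only the listed ICMP types are accepted).
            if [ "$inversion" = yes ]; then
                [ "$listed" = yes ] && echo no || echo yes
            else
                [ "$listed" = yes ] && echo yes || echo no
            fi ;;
    esac
}

# Apply the guide's "drop everything not explicitly allowed" setting to a zone.
# Assumes root and firewalld; --permanent plus --reload is an assumption about
# how --set-target must be applied (see the lead-in).
drop_zone_target() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not available; nothing changed" >&2
        return 1
    }
    firewall-cmd --permanent --zone="$1" --set-target=DROP &&
        firewall-cmd --reload
}

# Offline report over the constructed samples (no firewalld needed).
report() {
    for name in SAMPLE_DEFAULT SAMPLE_BLOCKED SAMPLE_DROP; do
        eval "cfg=\$$name"
        printf '%-14s target=%-8s echo-request blocked: %s\n' \
            "$name" "$(zone_target "$cfg")" "$(icmp_echo_blocked "$cfg")"
    done
}
report
```

On a real host, feed the script the live listing (`icmp_echo_blocked "$(firewall-cmd --zone=public --list-all)"`) to see which of the three states the zone is in before deciding whether to call `drop_zone_target public`.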

  5. #5

    Re: icmp allowed by default

    Thank you, very helpful info.

  6. #6

    Re: icmp allowed by default

    Well, without any offense: ICMP is the Internet Control Message Protocol. Its name implies it has something to do with how networks work down at the wire level, and it is at least somewhat required to have a properly working network. So, by dropping ICMP you could actually cause more issues than you may try to solve. Also: modern routers work in a way such that when there's some machine, the packets are routed, and then dropped by you. If you want to hide, that "dropping" actually reveals you, as some upstream router would already have replied back with some fail message if it had determined that the requested address isn't available. Or, to put it this way: there are normal online systems, there are offline/disconnected ports, and then there are some paranoid people like you (or my dad) lighting up their stuff like a Christmas tree because they fail to understand that there's no such thing as "hide away my system from the outside world" or "if I block anything nothing can harm me".

    My dad has a similar habit of regularly breaking his Win7, which I set up correctly, by trying to lock it down, as he doesn't understand that there are some services required to work correctly in order for the OS itself to run stably. I stopped counting the times I had to wipe and reinstall the system, as he didn't want to learn that he was causing those issues by his mistakes. At some point (IIRC it was for his 50th birthday) I built and set up a new system for him and told him not to lock it down, as I don't want to come around every other week to fix it. Well, he didn't learn, and hence, since I just don't have the time right now, he now suffers from an unstable system (last time we met he had some files he wasn't able to get rid of, as they kept re-appearing after reboot. I just told him: well, aside from some malicious software or infection, it may be caused by your paranoia, as I don't have these issues with the same system as you.)

    TL;DR: Just don't bother, but let ICMP do its work. As for whatever reason you may think you might be required to lock it down, I suspect there's a lot of misunderstanding combined with a bit of "done for the wrong reason".
