icmp allowed by default

**marley** · 17-Jul-2020, 01:43

hi, public zone is a default zone and no traffic allowed inbound on this zone but icmp and traceroute are still functional inbound on this zone. only after configuring additional rules icmp and traceroute are blocked. any suggestion is appreciated.

**deano_ferrari** · 17-Jul-2020, 01:47

This thread may be of interest to you.

**marley** · 17-Jul-2020, 01:53

yeah, thank you, i read it but my question is why when all inbound traffic is blocked but icmp is functional? is this bug or something else?

**deano_ferrari** · 17-Jul-2020, 02:15

No, it isn't a bug.The behaviour can be configured as required. There are implications with blocking ICMP traffic though, it can cause issues with IPv6 traffic for example. If you truly want to drop ICMP packets, read on....

This Red Hat security guide offers some comprehensive information about configuring firewalld to manage ICMP traffic.

For example:

5.11.3. Blocking ICMP Requests without Providing any Information at All

Normally, if you block ICMP requests, clients know that you are blocking it. So, a potential attacker who is sniffing for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.
To block and drop all ICMP requests:

Set the target of your zone to DROP:
~]# firewall-cmd --set-target=DROP
Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent

Now, all traffic, including ICMP requests, is dropped, except traffic which you have explicitly allowed.

**marley** · 17-Jul-2020, 02:24

thank you, very helpful info

**cryptearth** · 21-Jul-2020, 20:26

Well, without any offense - ICMP is the Internet Control Message Protocol - its name implies it has to do something with how networks work down at the wire level and is at least somewhat require to have a propper working network. So, by dropping ICMP you could actually cause more issues than you may try to solve. Also: Modern routers work in a way so that when there's some machine the packets are routed - and then dropped by you. If you want to hide that "dropping" actually reveals you as some upstream router would had already replied back with some fail message if it had determined that the requested address isn't available. Or, to put it this way: There're normal online systems, there'Re offline/disconnected ports - and then there'Re some paranoid people like you (or my dead) lighting up their stuff like a christmas tree cause they fail to understand that there's no such thing as like "hide away my system from the outside world" or "if I block anything nothing can harm me".

My dad has some similar habbit by regular breaking his Win7 I set up correctly by trying to lock it down as he doesn't understand that there're some service required to work correctly in order for the OS itself run stable. I stopped counting the times I had to wipe and reinstall the system as he didn't wanted to learn that he was causing that issues by his mistakes. At some point (iirc it was to his 50th birthday) I build and set up a newly system for him and told him to not lock it down as I don't want to come around every other week to fix it - well - he didn't learned and hence I just don't have the time right now he now suffers from an unstable system (last time we met he had some files he wasn't able to get rid of as they kept re-appearing after reboot - I just told him: Well, aside from some malicious software or infection it may caused by your paranoia - as I don't have these issues with the same system as you.)

TLDR: Just don't bother but let ICMP do it'S work - as for what ever reason you may think you might be required to lock it down - I suspect there's a lot of miss-understanding combined with a bit of "done for the wrong reason".