How to Block Ping ICMP Requests?

Hi,
Please tell me why I can’t block ICMP requests?
Reproduce:

alex@linux-ofwi:~> sudo firewall-cmd --list-all-zones
[sudo] password for root: 
---------
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eth0 ppp0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
----------
alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
no
alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop
success
alex@linux-ofwi:~> sudo firewall-cmd --runtime-to-permanent
success
alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
no

How do I do it right?

I would block it via the kernel “on the fly” with

sysctl -w net.ipv4.icmp_echo_ignore_all=1

That will take immediate effect.

If you want to make it permanent, then add ‘net.ipv4.icmp_echo_ignore_all=1’ to /etc/sysctl.conf

echo "net.ipv4.icmp_echo_ignore_all=1" >> /etc/sysctl.conf

and then apply using

sysctl -p

BTW, when I invoked firewall rules to inhibit ICMP echo replies and echo requests (and did not inhibit them via the kernel mechanism)…

# firewall-cmd --zone=public --add-icmp-block=echo-reply
success
 # firewall-cmd --zone=public --add-icmp-block=echo-request
success

…I found the following reported from a Windows client

C:\Users\OEM>ping 192.168.0.12

Pinging 192.168.0.12 with 32 bytes of data:
Reply from 192.168.0.12: Destination host unreachable.
Reply from 192.168.0.12: Destination host unreachable.

Whereas the former method (sysctl -w net.ipv4.icmp_echo_ignore_all=1) results in the following response

C:\Users\OEM>ping 192.168.0.12

Pinging 192.168.0.12 with 32 bytes of data:
Request timed out.
Request timed out.
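
As an added example (not part of the thread), the persistence step from the reply above done with a drop-in under /etc/sysctl.d rather than appending to /etc/sysctl.conf, with the quoting corrected and a check that reads the live value back from procfs. The file name 90-icmp-echo.conf and the function names are my choice. The IPv6 counterpart net.ipv6.icmp.echo_ignore_all exists only on newer kernels, so the drop-in prefixes it with "-", which sysctl.conf(5) defines as "ignore errors for this key". Paths are parameters so the functions can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example, not from the thread: persist net.ipv4.icmp_echo_ignore_all
# with a sysctl.d drop-in (file name is my choice) and read the live value
# back from procfs. Paths are parameters so everything can be exercised
# against a scratch directory without root.

# Write the drop-in. $1 overrides the destination (default: the real path).
write_icmp_echo_dropin() {
    dropin="${1:-/etc/sysctl.d/90-icmp-echo.conf}"
    # Note the closing quote after the value: the one-liner in the thread
    # lacks it, so the shell waits for more input instead of writing the file.
    # The IPv6 key exists only on newer kernels; the leading "-" tells sysctl
    # to ignore the error if the key is missing (see sysctl.conf(5)).
    printf '%s\n' \
        '# Silence echo requests (ping). Other ICMP types are unaffected.' \
        'net.ipv4.icmp_echo_ignore_all = 1' \
        '-net.ipv6.icmp.echo_ignore_all = 1' > "$dropin"
}

# Print the value a sysctl.d file sets for key $1 (last assignment wins;
# comments, whitespace and the optional leading "-" are ignored). $2 is the file.
sysctl_value_in_file() {
    sed -e 's/#.*//' -e 's/[[:space:]]//g' -e 's/^-//' "$2" \
        | awk -F= -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Exit 0 if the running kernel ignores IPv4 echo requests, 1 otherwise.
# $1 overrides the procfs path so a fixture file can stand in for the kernel.
icmp_echo_ignored() {
    f="${1:-/proc/sys/net/ipv4/icmp_echo_ignore_all}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply the drop-in the same way boot does, then verify. Needs root.
main() {
    write_icmp_echo_dropin
    sysctl --system >/dev/null   # loads /etc/sysctl.d/*.conf, like boot does
    if icmp_echo_ignored; then
        echo "IPv4 echo requests are now ignored"
    else
        echo "kernel still answers ping" >&2
        exit 1
    fi
}

# Run main only when executed as a script, not when sourced for its functions.
case "${0##*/}" in icmp_echo_ignore.sh) main "$@" ;; esac
```

Save as icmp_echo_ignore.sh and run it as root; sourcing the file instead gives you the functions for use in other scripts. Remember that this silences only echo requests: the other ICMP types listed later in the thread are not affected by this sysctl.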

OK thanks.
But I would like to know how to block the entire range of requests:

alex@linux-ofwi:~> firewall-cmd --get-icmptypes 
address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy
fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement
neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem
port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation
source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect
tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

I do not understand why I cannot do this through the firewall:

sudo firewall-cmd --add-icmp-block-inversion --zone=drop

?

You can, and the above directive should do just that (as long as you don’t then add subsequent directives that unintentionally allow some ICMP requests, as you appeared to have done in your first post).

The block inversion inverts the setting of the ICMP request blocks, so all requests that were not previously blocked are blocked. Those that were blocked are not blocked. Which means that if you need to unblock a request, you must use the blocking command.

BTW, before dropping all ICMP types it’s worth reading the following appraisal on the subject…

http://shouldiblockicmp.com/

Really?? Sorry, I do not understand. What requests have I allowed?

To see if an ICMP request is currently blocked:
~]# firewall-cmd --query-icmp-block=<icmptype>

I may have misunderstood your opening post. From your output, you seemed surprised by the following…

alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
no
alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop
success
alex@linux-ofwi:~> sudo firewall-cmd --runtime-to-permanent
success
alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
no

but what you need to be looking for is that the icmp-block-inversion is active…

~> sudo firewall-cmd --query-icmp-block-inversion 
yes

…or

sudo firewall-cmd --zone=drop --list-all

contains

icmp-block-inversion: yes
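
To make the point of the two replies above concrete, here is an added example (not from the thread and not firewalld's own tooling) that decides whether an ICMP type is effectively blocked in a zone from the text of `firewall-cmd --zone=<zone> --list-all`, honouring icmp-block-inversion. `--query-icmp-block` only reports whether the type is in the icmp-blocks list, which is why it keeps answering "no" for echo-request while inversion is on. The function names are mine, and the parser assumes the output format shown in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate the effective ICMP policy of a
# firewalld zone from "firewall-cmd --zone=<zone> --list-all" output.
# Semantics (firewalld.zone(5)): without inversion, icmp-blocks is a block
# list; with inversion, it is the allow list and every other type is blocked.

# Print the icmp-block-inversion field ("yes"/"no") from --list-all on stdin.
inversion_of() {
    awk '$1 == "icmp-block-inversion:" { print $2; exit }'
}

# Print the space-separated icmp-blocks list from --list-all on stdin
# (empty string when the list is empty).
icmp_blocks_of() {
    awk '$1 == "icmp-blocks:" { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Usage: is_icmp_blocked <icmptype>  < list-all-output
# Exit 0 if <icmptype> is blocked in the zone, 1 if it is allowed through.
is_icmp_blocked() {
    t="$1"
    out="$(cat)"
    inv="$(printf '%s\n' "$out" | inversion_of)"
    blocks="$(printf '%s\n' "$out" | icmp_blocks_of)"
    # exact-token match: pad with spaces so "echo" does not match "echo-reply"
    case " $blocks " in
        *" $t "*) listed=yes ;;
        *)        listed=no  ;;
    esac
    if [ "$inv" = "yes" ]; then
        [ "$listed" = "no" ]    # inverted: only listed types pass
    else
        [ "$listed" = "yes" ]   # normal: only listed types are blocked
    fi
}

# Live check against the running firewalld. Needs root and firewalld.
check_live() {
    zone="${1:-drop}"
    t="${2:-echo-request}"
    if firewall-cmd --zone="$zone" --list-all | is_icmp_blocked "$t"; then
        echo "$t is blocked in zone $zone"
    else
        echo "$t is allowed in zone $zone"
    fi
}

# Run the live check only when executed as a script, not when sourced.
case "${0##*/}" in icmp_policy.sh) check_live "$@" ;; esac
```

With the zone exactly as shown in the post above (inversion yes, icmp-blocks empty), `is_icmp_blocked echo-request` exits 0: everything is blocked. If you later run `firewall-cmd --zone=drop --add-icmp-block=echo-request`, the same check flips to "allowed", which is the "use the blocking command to unblock" behaviour described earlier in the thread.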

OK, no problem.
I’ll do it one more time. :)

alex@linux-ofwi:~> sudo firewall-cmd --add-icmp-block-inversion --zone=drop 
[sudo] password for root:  
success
alex@linux-ofwi:~> sudo firewall-cmd --zone=drop --list-all
drop (active)
  target: DROP
  icmp-block-inversion: yes
  interfaces: eth0 ppp0
  sources:  
  services:  
  ports:  
  protocols:  
  masquerade: no
  forward-ports:  
  source-ports:  
  icmp-blocks:  
  rich rules: 
alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block-inversion --zone=drop
yes
alex@linux-ofwi:~> sudo firewall-cmd --query-icmp-block=echo-request --zone=drop
no

Ok, that should be all that is needed (with the implications that are discussed in the page that I linked to about blocking ICMP traffic).

It works even in openSUSE 42.3.
Thanks.

I’m having a lot of registration attempts. How can I block all IPs except one IP?

The server is in the cloud.

Thanks in advance.