Block ping via firewall-cmd


Block ping via firewall-cmd

Post by hack3rcon » 2020/06/26 11:47:40

Hello,
I'm using below command:

    # firewall-cmd --zone=public --query-icmp-block=echo-reply
And the output is:

    no

And ping is working!!!
How can I block ping?

Thank you.


Re: Block ping via firewall-cmd

Post by jlehtone » 2020/06/26 18:42:45

How did you know to do --query-icmp-block=echo-reply and what does the no tell you?

https://access.redhat.com/documentation ... p_requests


Re: Block ping via firewall-cmd

Post by hack3rcon » 2020/07/01 09:08:01

I did:

    $ sudo firewall-cmd --zone=public --query-icmp-block=echo-reply
    no


Re: Block ping via firewall-cmd

Post by jlehtone » 2020/07/01 13:47:43

It was already clear that you did ask the configuration:
"Is zone public set to block echo replies?"

I did ask "How did you know to use that command?"
I did ask that to find out what you know.
Configuring a firewall is something that requires that one knows and understands, rather than copy-pastes.

I did ask what the "no" means. What does it mean that zone public is not set to block echo replies?
You did seem surprised that ping works even though you had done nothing to block it.

Let's presume that you would block echo replies. How would that affect ping?
Some machine sends an echo request to your machine. That is not blocked. Your machine sends an echo reply.
The block rule is probably in INPUT, not OUTPUT, and therefore that reply would not be blocked.

Your machine sends an echo request somewhere. The other machine sends an echo reply.
Does the reply get accepted by the "allow existing connections" rule, or will it be blocked by the "block reply" rule?
I have not looked into how firewalld implements the block, so I don't know the answer atm.
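A small model of the rule-ordering argument in the post above, added here as an example and not code from the thread or from firewalld itself: it treats a zone's icmp-blocks as INPUT-only rules and leaves the "existing connections accepted first" ordering as a flag, since the post leaves that question open. The Zone, IcmpPacket and verdict names are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """A firewalld zone reduced to the parts the thread talks about."""
    name: str
    icmp_blocks: set = field(default_factory=set)   # e.g. {"echo-reply"}
    # Assumption, not settled by the thread: whether the "existing
    # connections" accept rule is evaluated before the icmp-block rule.
    established_accept_first: bool = True

@dataclass
class IcmpPacket:
    direction: str             # "in" (hits INPUT) or "out" (hits OUTPUT)
    icmp_type: str             # "echo-request" or "echo-reply"
    established: bool = False  # reply matching a request this host sent

def verdict(zone: Zone, pkt: IcmpPacket) -> str:
    """Return 'accept' or 'reject' for one packet under this model."""
    if pkt.direction == "out":
        return "accept"        # icmp-blocks act on INPUT only, per the post
    if pkt.established and zone.established_accept_first:
        return "accept"        # conntrack accept wins before the block rule
    if pkt.icmp_type in zone.icmp_blocks:
        return "reject"
    return "accept"

def inbound_ping_works(zone: Zone) -> bool:
    """Another host pings us: their request comes in, our reply goes out."""
    req = IcmpPacket("in", "echo-request")
    rep = IcmpPacket("out", "echo-reply", established=True)
    return verdict(zone, req) == "accept" and verdict(zone, rep) == "accept"

def outbound_ping_works(zone: Zone) -> bool:
    """We ping another host: our request goes out, their reply comes in."""
    req = IcmpPacket("out", "echo-request")
    rep = IcmpPacket("in", "echo-reply", established=True)
    return verdict(zone, req) == "accept" and verdict(zone, rep) == "accept"

if __name__ == "__main__":
    # Thread starter's state: the query said "no", so nothing is blocked.
    print("no blocks, inbound ping:", inbound_ping_works(Zone("public")))
    # An echo-reply block leaves inbound ping alone; an echo-request block stops it.
    print("echo-reply blocked:", inbound_ping_works(Zone("public", {"echo-reply"})))
    print("echo-request blocked:", inbound_ping_works(Zone("public", {"echo-request"})))
    # The open question from the post: does an echo-reply block hurt our own pings?
    for order in (True, False):
        z = Zone("public", {"echo-reply"}, established_accept_first=order)
        print("established first =", order, "outbound ping:", outbound_ping_works(z))
```

With the flag set either way the model shows the same thing for inbound ping: only blocking echo-request in the zone stops other hosts from pinging this machine.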
