antony@notes:~/networking$ cat "How-to-Block-Ping-ICMP-Requests-with-firewalld.md"
How to Block Ping ICMP Requests with firewalld
How to Block Ping ICMP Requests with firewalld
Understanding predefined zones
- block – All incoming network connections rejected. Only network connections initiated from within the system are possible.
- dmz – Classic demilitarized zone (DMZ) zone that provided limited access to your LAN and only allows selected incoming ports.
- docker – All network connections are accepted for Docker service using docker0 interface.
- drop – All incoming network connections dropped, and only outgoing network connections allowed.
- external – Useful for router type of connections. You need LAN and WAN interfaces too for masquerading (NAT) to work correctly.
- home – Useful for home computers such as laptops and desktops within your LAN where you trust other computers. Allows only selected TCP/IP ports.
- internal – For use on internal networks when you mostly trust the other servers or computers on the LAN.
- public – You do not trust any other computers and servers on the network. You only allow the required ports and services. For cloud servers or server hosted at your place always use public zone.
- trusted – All network connections are accepted. I do not recommend this zone for dedicated servers or VMs connected to WAN.
- work – For use at your workplace where you trust your coworkers and other servers.
# 1. start and enable the firewalld service
$ systemctl enable --now firewalld.service
# 2. Check firewalld service is active
$ systemctl is-active firewalld.service
active
# 3. Print currently active zones altogether with interfaces and sources used in these zones.
$ firewall-cmd --get-active-zones
docker
interfaces: docker0
public
interfaces: eth0
# 4. (optional) Bind interface interface to zone zone. If zone is omitted, default zone will be used.
## 如果在上一步驟發現 public 的 zone 沒有套用在 eth0 這張網卡的話,執行已下命令
$ firewall-cmd --permanent --zone=public --add-interface=eth0
# 5. Add the ICMP block inversion to block all ICMP requests at once
### and Make the new settings persistent
$ firewall-cmd --permanent --add-icmp-block-inversion --zone=public
success
# 6. Reload firewall rules and keep state information.
### Current permanent configuration will become new runtime configuration
$ firewall-cmd --reload
success
# 7. Return whether ICMP block inversion is enabled. Returns 0 if true, 1 otherwise.
$ firewall-cmd --query-icmp-block-inversion
yes
# 8. List everything added or enabled in public zone.
$ firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: yes
interfaces: eth0
sources:
services: ssh suse-manager-server
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules: