Unblocking ICMP Requests on RHEL 7 & 8?

In another post, I discussed how firewalld replaced iptables as the default firewall front end starting with RHEL 7 (it drives iptables on RHEL 7 and nftables on RHEL 8). As a security best practice, a zone whose target is DROP (the built-in drop zone, or a customized zone with its target set to DROP) is usually made the default zone, and only the ports or services needed by the applications running on the server are added to it, so that every other protocol and port is silently dropped.

You can see what zones are available with the following commands:

root@joetest:~# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

root@joetest:~# firewall-cmd --list-all-zones


root@joetest:~# firewall-cmd --get-default-zone
drop
root@joetest:~# firewall-cmd --get-active-zones
drop
  interfaces: ens192

In the example above, "--get-zones" lists the 9 zones that ship with firewalld, and "--list-all-zones" prints the full settings of every zone (its output is omitted here). The default zone and the active zone are both the drop zone, which is bound to the NIC ens192; "--get-active-zones" shows each active zone together with the interfaces and sources bound to it.

firewall-cmd --list-all
firewall-cmd --zone=<zone-name> --list-all

root@joetest:~# firewall-cmd --zone=block --list-all
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

To see the details of the default zone, or of a specific zone, use the commands above: without "--zone", firewall-cmd acts on the default zone. Because each zone carries its own set of rules, you can swap a whole rule set quickly by moving the interface to a different zone.

For example, to change the active zone for the NIC ens192 from drop to work, use "--change-interface". It removes ens192 from its old zone (the equivalent of "--remove-interface") and binds it to the new zone "work" (the equivalent of "--add-interface"):

firewall-cmd [--permanent] --zone=work --change-interface=ens192

Note that this does not change the default zone, and the ZONE= setting in /etc/sysconfig/network-scripts/ifcfg-ens192 (which NetworkManager uses to decide the zone of the connection) is not updated either. For an interface managed by NetworkManager, set the zone on the connection profile itself (its connection.zone property) so that the two stay in agreement.

With the above knowledge of firewalld zones in mind, let's take a look at ICMP (Internet Control Message Protocol). It is a supporting protocol that hosts and network devices use to send error messages and operational information, for example that a destination is unreachable or that a packet needs to be fragmented. Unlike TCP or UDP, it does not carry application data between systems.

Unfortunately, ICMP messages, especially echo-request and echo-reply, reveal which hosts are up and how the network is laid out, and that is exactly the information an attacker collects during reconnaissance. In a zone whose target is DROP, every unsolicited inbound packet is discarded, so ICMP requests are blocked there along with everything else.

From time to time, though, you will be asked to allow ICMP requests, typically so that a monitoring system can ping the server. Here is what you need to do.

The ICMP types are described in individual XML files in the /usr/lib/firewalld/icmptypes/ directory (custom types belong in /etc/firewalld/icmptypes/). You can read them to see, for example, whether a type applies to IPv4, IPv6 or both, or use the following commands:

firewall-cmd --get-icmptypes
firewall-cmd --info-icmptype=<icmptype>
firewall-cmd --query-icmp-block=<icmptype>

root@joetest:/opt# firewall-cmd --info-icmptype=echo-request
echo-request
  destination: ipv4 ipv6

The last one reports whether the given ICMP type is currently listed in the zone's icmp-blocks: it prints "yes" or "no" and exits with status 0 or 1, which is handy in scripts.

To block a request type (in the default zone; add "--zone=<zone-name>" to target another zone):

firewall-cmd --add-icmp-block=<icmptype>

To remove the block of a request type:

firewall-cmd --remove-icmp-block=<icmptype>

When a zone's target is DROP, all ICMP requests, like all other unsolicited inbound traffic, are discarded, so nothing about your network is revealed. To allow a specific type, for example echo-request so that other systems can ping the server, you have to unblock it. In a DROP zone this is done in a roundabout way: first list the type as blocked, then invert the block list:

firewall-cmd --permanent --zone=drop --add-icmp-block=echo-request
firewall-cmd --permanent --zone=drop --add-icmp-block-inversion
firewall-cmd --reload

If you run the commands above without "--permanent", the change takes effect immediately but only in the runtime configuration and is lost at the next reload or restart of firewalld. To keep it, copy the runtime configuration to the permanent one:

firewall-cmd --runtime-to-permanent

Block inversion inverts the meaning of the icmp-blocks list: every ICMP type that is NOT listed is blocked, and the types that ARE listed are allowed. So, once inversion is on, the way to allow a type is to "block" it, that is, to add it with "--add-icmp-block".

This sounds awkward, but it is how firewalld works, and in a zone with target DROP it is the only way short of a rich rule, because there is no ICMP accept rule for the traffic to fall back on. Bear in mind that inversion blocks every ICMP type you did not list, including destination-unreachable, which path MTU discovery relies on; in a DROP zone those were already being discarded, so nothing changes, but in a zone with an accepting target it would be a regression. The alternative is to bind the interface to a zone whose target accepts traffic (default or ACCEPT), remove any block on the type with "--remove-icmp-block=<request_type>" and turn inversion off with "--remove-icmp-block-inversion".

Another way to allow a type is a rich rule, documented in the man page below. A rich rule can also carry a source address match, so you can answer ping only from your monitoring subnet instead of from the whole world:

man firewalld.richlanguage
firewall-cmd --permanent --zone=drop --add-rich-rule='rule icmp-type name="echo-request" accept'
firewall-cmd --reload
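As an added example (not code from the original post), the following Python script applies the logic described in the two sections above. It parses the text of "firewall-cmd --zone=<zone> --list-all", reports whether firewalld will answer a given ICMP type, following the order in which firewalld evaluates a zone (deny chain, allow chain, then the inversion catch-all or the zone target), and plans the permanent firewall-cmd calls still needed to allow it, so it can be rerun safely. The zone dump in the script is constructed; rich rules are only recognized in the plain icmp-type name="..." accept|drop|reject form shown above, and rule priorities and source matches are not modelled.

```python
"""Added example, not code from the original post: from the text of
`firewall-cmd --zone=<zone> --list-all`, say whether firewalld answers a
given ICMP type and plan the firewall-cmd calls that would allow it.
Order mirrors firewalld's zone chains: deny (rich drop/reject, non-inverted
icmp-blocks), allow (rich accept, inverted icmp-blocks), then the inversion
catch-all or the zone target. Assumption: rich rules use the plain form
`icmp-type name="<type>" <accept|drop|reject>`; priorities are not modelled.
"""
import re
import subprocess
import sys

# Constructed sample in the layout --list-all prints (rich rules, if any,
# follow the "rich rules:" line one per line, indented with a tab).
SAMPLE_DROP_ZONE = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: ens192
  services:
  ports:
  icmp-blocks:
  rich rules:
"""

RICH_ICMP = re.compile(r'icmp-type name="([^"]+)"\s+(accept|reject|drop)\b')
DENY_TARGETS = ("DROP", "%%REJECT%%")  # drop/block zones; default and ACCEPT let ICMP through


def parse_zone(text):
    """Turn --list-all output into {'key': 'value', ..., 'rich rules': [...]}."""
    zone = {"rich rules": []}
    for line in text.splitlines()[1:]:        # line 0 is the zone name
        if line.startswith("\t"):               # a rich rule line
            zone["rich rules"].append(line.strip())
        elif ":" in line:
            key, value = line.strip().split(":", 1)
            if key != "rich rules":
                zone[key] = value.strip()
    return zone


def icmp_allowed(zone, icmptype):
    """Return (allowed, reason) for one ICMP type in this zone."""
    listed = icmptype in zone.get("icmp-blocks", "").split()
    inverted = zone.get("icmp-block-inversion") == "yes"
    matches = [RICH_ICMP.search(r) for r in zone["rich rules"]]
    actions = [m.group(2) for m in matches if m and m.group(1) == icmptype]
    # 1. deny chain
    if any(a != "accept" for a in actions):
        return False, "a rich rule drops or rejects it"
    if listed and not inverted:
        return False, "listed in icmp-blocks"
    # 2. allow chain
    if "accept" in actions:
        return True, "a rich rule accepts it"
    if listed and inverted:
        return True, "listed in icmp-blocks with inversion on"
    # 3. catch-all: inversion rejects every unlisted type, else the target decides
    if inverted:
        return False, "inversion rejects unlisted ICMP types"
    target = zone.get("target", "default")
    if target in DENY_TARGETS:
        return False, f"zone target {target}"
    return True, f"zone target {target} lets ICMP through"


def plan_allow(zone_name, zone, icmptype):
    """Permanent firewall-cmd calls still needed so the zone answers icmptype ([] if none)."""
    allowed, reason = icmp_allowed(zone, icmptype)
    if allowed:
        return []
    if reason.startswith("a rich rule"):
        raise ValueError(f"remove the rich rule that denies {icmptype} first")
    listed = icmptype in zone.get("icmp-blocks", "").split()
    inverted = zone.get("icmp-block-inversion") == "yes"
    base = f"firewall-cmd --permanent --zone={zone_name}"
    cmds = []
    if inverted or zone.get("target") in DENY_TARGETS:
        # The post's recipe: with inversion on, icmp-blocks becomes the allow list.
        if not listed:
            cmds.append(f"{base} --add-icmp-block={icmptype}")
        if not inverted:
            cmds.append(f"{base} --add-icmp-block-inversion")
    else:
        # Accepting target: the type is blocked only because it is listed.
        cmds.append(f"{base} --remove-icmp-block={icmptype}")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zone_name = sys.argv[1] if len(sys.argv) > 1 else "drop"
    icmptype = sys.argv[2] if len(sys.argv) > 2 else "echo-request"
    try:   # read the live zone (needs root); off-box, use the constructed sample
        text = subprocess.check_output(
            ["firewall-cmd", f"--zone={zone_name}", "--list-all"], text=True)
    except (OSError, subprocess.CalledProcessError):
        text, zone_name = SAMPLE_DROP_ZONE, "drop"
    zone = parse_zone(text)
    allowed, reason = icmp_allowed(zone, icmptype)
    print(f"{icmptype} in zone {zone_name}: {'allowed' if allowed else 'blocked'} ({reason})")
    for cmd in plan_allow(zone_name, zone, icmptype):
        print(cmd)
```

Run it as root with a zone name and an ICMP type (for example "drop echo-request") to get a verdict and the commands to paste; without firewall-cmd available it evaluates the constructed sample instead. The planner deliberately uses the inversion recipe only for DROP and REJECT targets: on a zone with an accepting target it just removes the block, so that the other ICMP types the zone was already passing are not cut off as a side effect.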