5.11. Managing ICMP Requests

The Internet Control Message Protocol (ICMP) is a supporting protocol that is used by various network devices to send error messages and operational information indicating a connection problem, for example, that a requested service is not available. ICMP differs from transport protocols such as TCP and UDP because it is not used to exchange data between systems.
Unfortunately, it is possible to use the ICMP messages, especially echo-request and echo-reply, to reveal information about your network and misuse such information for various kinds of fraudulent activities. Therefore, firewalld enables blocking the ICMP requests to protect your network information.

5.11.1. Listing ICMP Requests

The ICMP requests are described in individual XML files that are located in the /usr/lib/firewalld/icmptypes/ directory. You can read these files to see a description of the request. The firewall-cmd command controls the ICMP requests manipulation.
To list all available ICMP types:
~]# firewall-cmd --get-icmptypes
The ICMP request can be used by IPv4, IPv6, or by both protocols. To see for which protocol the ICMP request is used:
~]# firewall-cmd --info-icmptype=<icmptype>
The status of an ICMP request shows yes if the request is currently blocked or no if it is not. To see if an ICMP request is currently blocked:
~]# firewall-cmd --query-icmp-block=<icmptype>

5.11.2. Blocking or Unblocking ICMP Requests

When your server blocks ICMP requests, it does not provide the information that it normally would. However, that does not mean that no information is given at all. The clients receive information that the particular ICMP request is being blocked (rejected). Blocking the ICMP requests should be considered carefully, because it can cause communication problems, especially with IPv6 traffic.
To see if an ICMP request is currently blocked:
~]# firewall-cmd --query-icmp-block=<icmptype>
To block an ICMP request:
~]# firewall-cmd --add-icmp-block=<icmptype>
To remove the block for an ICMP request:
~]# firewall-cmd --remove-icmp-block=<icmptype>

5.11.3. Blocking ICMP Requests without Providing any Information at All

Normally, if you block ICMP requests, clients know that you are blocking it. So, a potential attacker who is sniffing for live IP addresses is still able to see that your IP address is online. To hide this information completely, you have to drop all ICMP requests.
To block and drop all ICMP requests:
  1. Set the target of your zone to DROP:
    ~]# firewall-cmd --set-target=DROP
  2. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
Now, all traffic, including ICMP requests, is dropped, except traffic which you have explicitly allowed.
To block and drop certain ICMP requests and allow others:
  1. Set the target of your zone to DROP:
    ~]# firewall-cmd --set-target=DROP
  2. Add the ICMP block inversion to block all ICMP requests at once:
    ~]# firewall-cmd --add-icmp-block-inversion
  3. Add the ICMP block for those ICMP requests that you want to allow:
    ~]# firewall-cmd --add-icmp-block=<icmptype>
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
The block inversion inverts the setting of the ICMP requests blocks, so all requests, that were not previously blocked, are blocked. Those that were blocked are not blocked. Which means that if you need to unblock a request, you must use the blocking command.
To revert this to a fully permissive setting:
  1. Set the target of your zone to default or ACCEPT:
    ~]# firewall-cmd --set-target=default
  2. Remove all added blocks for ICMP requests:
    ~]# firewall-cmd --remove-icmp-block=<icmptype>
  3. Remove the ICMP block inversion:
    ~]# firewall-cmd --remove-icmp-block-inversion
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.11.4. Configuring the ICMP Filter using GUI

To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.
To edit an ICMP type, start the firewall-config tool and select Permanent mode from the menu labeled Configuration. Additional icons appear at the bottom of the Services window. Select Yes in the following dialog to enable masquerading and to make forwarding to another machine working.
To enable inverting the ICMP Filter, click the Invert Filter check box on the right. Only marked ICMP types are now accepted, all other are rejected. In a zone using the DROP target, they are dropped.