3

How are the zones in firewalld configured with respect to ICMP packets? Do they act differently for interfaces and sources?

1. How firewalld filter ICMP packets?

I would assume the main zones act as they are named,

drop : DROP block : REJECT trust : ACCEPT

but how about the other zones? public, external, work, internal, home? Do they by default accept or reject ICMP packets?

2. Does this functionality differ depending on whether the zone is assigned by an interface vs by a source?

For instance, would there be a difference in terms of the source IP:172.28.0.2 in these two settings?

some-zone interfaces: eno1 sources: services: ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:

vs

some-zone interfaces: sources: 172.28.0.0/16 services: ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
Improve this question
1
  • If any of the answers solved your problem, please accept it by clicking the checkmark next to it. Thank you! Commented Nov 26, 2017 at 18:09

2 Answers 2

Reset to default
3

1. How does firewalld handle ICMP packets in the various zones?

From Red Hat's firewalld documentation, specifically this section, titled: 5.15. Configuring Complex Firewall Rules with the "Rich Language" Syntax:

icmp-block uses the action reject internally

(my emphasis, to point out that "drop" and "accept" are not used). The default zones do not appear to block any ICMP types -- see the XML files in /usr/lib/firewalld/zones and the lack of <icmp-block> entries.

To see the current state of any zone-based icmp blocks, run: firewall-cmd --list-all-zones and look for the icmp-blocks: entry.

2. Does this functionality differ depending on whether the zone is assigned by an interface vs by a source?

Not directly. interfaces and sources tell firewalld to select the corresponding zone, which will then have (some or none) icmp-blocks that will apply. See: http://www.firewalld.org/documentation/man-pages/firewall-cmd.html which talks about it:

Binding an interface to a zone means that this zone settings are used to restrict traffic via the interface.

and

Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.

Improve this answer
0
0 
$ grep -i icmp /lib/firewalld/zones/*.xml $ rpm -q firewalld firewalld-0.4.4.1-1.fc24.noarch

so it will be handled by the default target for the zone. Note that man firewall.zone tells us zones without an explicit default will reject packets.

It should also be clear in the GUI.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.