
I can't seem to block ping requests to my server. I also followed the following post: Block ICMP timestamp & timestamp reply with firewalld

```
# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: echo-reply timestamp-reply timestamp-request
  rich rules: 
```

```
# firewall-cmd --get-icmptypes
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request
```

And I also did a reload (firewall-cmd --reload), but was still able to ping my server. I'm not sure what else I have to do in order to block pings to my server.

Ben
  • Why do you want to do this? It's considered very poor practice to block ICMP of any type. – EEAA Mar 01 '17 at 07:52
  • I thought blocking ICMP packets is good for preventing some potential DDoS attacks or something. Why is it poor practice to block ICMP of any type? – Ben Mar 01 '17 at 20:17
  • Because ICMP is used by servers and clients to discover critical information about the path between them ([PMTUD](https://en.wikipedia.org/wiki/Path_MTU_Discovery) for instance), and by blocking ICMP, you're prohibiting that functionality. Blocking ICMP is even *more* damaging if you're using IPv6. – EEAA Mar 01 '17 at 20:24
  • Ah I see. Thanks; I'll remove the ICMP blocks then. – Ben Mar 01 '17 at 20:36
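
Added example, not part of the original question or comments: a small shell audit that reads a `firewall-cmd --list-all` zone listing and reports whether a given ICMP type is effectively blocked, honouring `icmp-block-inversion`. The sample input is the listing from the question; the function names are hypothetical. It also checks `destination-unreachable`, the type that carries the IPv4 "fragmentation needed" message PMTUD relies on.

```shell
#!/bin/sh
# Constructed sample: the zone listing quoted in the question.
sample_zone='public
  target: default
  icmp-block-inversion: no
  services: dhcpv6-client http ssh
  icmp-blocks: echo-reply timestamp-reply timestamp-request
  rich rules: '

# zone_field ZONE_TEXT KEY -> prints the value of the "  KEY: value" line.
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | head -n 1
}

# icmp_type_blocked ZONE_TEXT TYPE -> exit status 0 if TYPE is blocked.
# With icmp-block-inversion "yes", firewalld accepts only the listed
# types and blocks every other ICMP type in the zone.
icmp_type_blocked() {
  blocks=$(zone_field "$1" icmp-blocks)
  inversion=$(zone_field "$1" icmp-block-inversion)
  listed=no
  for listed_type in $blocks; do
    if [ "$listed_type" = "$2" ]; then listed=yes; fi
  done
  if [ "$inversion" = "yes" ]; then
    [ "$listed" = "no" ]
  else
    [ "$listed" = "yes" ]
  fi
}

# audit_zone ZONE_TEXT -> one "type: blocked|allowed" line per checked type.
# echo-request is what an inbound ping arrives as; echo-reply is the answer.
audit_zone() {
  for icmp_type in echo-request echo-reply destination-unreachable; do
    if icmp_type_blocked "$1" "$icmp_type"; then
      echo "$icmp_type: blocked"
    else
      echo "$icmp_type: allowed"
    fi
  done
}

# On a live host: audit_zone "$(firewall-cmd --zone=public --list-all)"
audit_zone "$sample_zone"
```

For the listing in the question this reports `echo-request` as allowed and `echo-reply` as blocked.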
