
Working from my Arch Console (having not yet installed Openbox), I've installed firewalld, sudo pacman -S firewalld, then, to check that it's overall working, firewall-cmd --panic-on correctly blocks my ping -c 3 8.8.8.8. But is it specifically working for my LAN port enp0s25? When I configure like this:

sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --zone=drop --change-interface=enp0s25
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="8.8.8.8" reject'

(The last line thanks to Hitesh Jethva.) I can still get a ping from 8.8.8.8. Why, and is there a way from the Console to check that firewalld is working for my interface?

joharr
    Block ICMP responses. That would realistically block all traffic from 8.8.8.8 which you wouldn't want. See this prior post: https://serverfault.com/questions/897297/firewalld-to-block-icmp-traffic-excypt-from-preassigned-ips – Dion Pezzimenti Mar 25 '19 at 01:14
  • Also according to this prior post rich rules aren't even really that necessary: https://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld – Dion Pezzimenti Mar 25 '19 at 01:16

1 Answer


From my understanding you want to block ping towards 8.8.8.8, so that is not source address, it's destination address. You could use rich rules to configure it if there are many IPs that change often.

Generally speaking, you can block ICMP like this:

firewall-cmd --zone=public --add-icmp-block={echo-request,echo-reply,timestamp-reply,timestamp-request} --permanent

firewall-cmd --reload

You can also use pre-defined lists of IPs/objects. See here how.

Overmind
  • Nope, that `icmp-block` didn't stop the pings in for my interface in zone `drop`, and neither did setting `source address="138.201.81.199" reject` in my rich rule block `ping archlinux.org`... – joharr Mar 27 '19 at 08:07
  • Neither could I block `pacman -S wget`, nor `wget https://wiki.archlinux.org/index.php/Wget`... – joharr Mar 27 '19 at 08:32
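Added example (not from the question or the answer above): a small Python checker that parses the text `firewall-cmd --zone=drop --list-all` prints and reports what the zone's rules decide for a new inbound echo-request on enp0s25, which is the console check the question asks for; the listing it parses is constructed. Zone rules govern inbound traffic, and replies to a ping you send out are established traffic that firewalld accepts before any zone rule is consulted, which is why the rules in the question do not affect `ping 8.8.8.8`.

```python
# Added example, not from the question or the answer: parse what
# `firewall-cmd --zone=<zone> --list-all` prints and work out what the zone
# does with a NEW inbound ICMP echo-request from a source on an interface.
# Zone name, interface name and the listing below are constructed.
import re

# Constructed listing for the question's setup: enp0s25 bound to zone
# drop, one runtime rich rule, no icmp-blocks.
SAMPLE_LIST_ALL = """\
drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: enp0s25
  sources:
  services:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="8.8.8.8" reject
"""

def parse_list_all(text):
    """Key/value lines -> token lists; tab-indented lines are rich rules."""
    zone = {"name": text.split()[0]}
    for line in text.splitlines()[1:]:
        if line.startswith("\t"):
            zone.setdefault("rich rules", []).append(line.strip())
        else:
            key, _, value = line.strip().partition(":")
            zone[key] = value.split()
    return zone

def inbound_echo_request_verdict(zone, iface, src):
    """Fate of a new inbound echo-request from src on iface, per this zone."""
    if iface not in zone.get("interfaces", []):
        return "not-in-zone"          # some other zone's rules apply
    for rule in zone.get("rich rules", []):   # explicit deny rules first
        m = re.search(r'source address="([^"]+)"', rule)
        action = rule.split()[-1]
        if m and m.group(1) == src and action in ("reject", "drop"):
            return action
    if "echo-request" in zone.get("icmp-blocks", []):
        return "icmp-block"
    # Otherwise the zone target decides; with the default target firewalld
    # lets ICMP through unless an icmp-block says otherwise.
    target = zone.get("target", ["default"])[0]
    return {"DROP": "drop", "%%REJECT%%": "reject"}.get(target, "accept")

if __name__ == "__main__":
    z = parse_list_all(SAMPLE_LIST_ALL)
    print(inbound_echo_request_verdict(z, "enp0s25", "8.8.8.8"))  # reject
```

To check the live configuration, feed the real output of `firewall-cmd --zone=drop --list-all` to parse_list_all instead of the constructed sample.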