Blocking ICMP

Let's take another look at the status of the default public zone:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh dhcpv6-client
ports: 53/tcp 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

Toward the bottom, we can see the icmp-blocks line, with nothing beside it. This means that our public zone allows all ICMP packets to come through. This isn't ideal, of course, because there are certain types of ICMP packets that we want to block. Before we block anything, let's look at all of the ICMP types that are available to us:

[donnie@localhost ~]$ sudo firewall-cmd --get-icmptypes
[sudo] password for donnie:
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[donnie@localhost ~]$

As we did with zones and services, we can view information about the different ICMP types. In this example, we'll look at one ICMPv4 type and one ICMPv6 type:

[donnie@localhost ~]$ sudo firewall-cmd --info-icmptype=network-redirect
network-redirect
  destination: ipv4

[donnie@localhost ~]$ sudo firewall-cmd --info-icmptype=neighbour-advertisement
neighbour-advertisement
  destination: ipv6

[donnie@localhost ~]$

We've already seen that we're not blocking any ICMP packets. We can also check whether one specific ICMP type is being blocked:

[donnie@localhost ~]$ sudo firewall-cmd --query-icmp-block=host-redirect
no
[donnie@localhost ~]$

We've already established that redirects can be a bad thing since they can be exploited. So, let's block host-redirect packets:

[donnie@localhost ~]$ sudo firewall-cmd --add-icmp-block=host-redirect
success
[donnie@localhost ~]$ sudo firewall-cmd --query-icmp-block=host-redirect
yes
[donnie@localhost ~]$

Now, let's check the status:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh dhcpv6-client
ports: 53/tcp 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: host-redirect
rich rules:
[donnie@localhost ~]$

Cool – it worked. Now, let's see if we can block two ICMP types with just one command:

[donnie@localhost ~]$ sudo firewall-cmd --add-icmp-block={host-redirect,network-redirect}
success
[donnie@localhost ~]$

As before, we'll check the status:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks: host-redirect network-redirect
rich rules:
[donnie@localhost ~]$

This also worked, which means that we have achieved coolness. However, since we didn't include --permanent with these commands, these ICMP types will only be blocked until firewalld is reloaded or the computer is rebooted. So, let's make them permanent:

[donnie@localhost ~]$ sudo firewall-cmd --runtime-to-permanent
[sudo] password for donnie:
success
[donnie@localhost ~]$

And with this, we've achieved even more coolness. (Of course, all of my cats already think that I'm pretty cool.)
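The chapter checks the zone by eye after each command. The following added script (mine, not from the book) does the same audit non-interactively: it parses the icmp-blocks line of --info-zone output, reports which required types are still unblocked, and builds the firewall-cmd command to add them. It runs against a constructed copy of the zone output so it works offline; in real use you would feed it the live output of sudo firewall-cmd --info-zone=public.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --info-zone=public` output (not captured
# from a live host): only host-redirect is blocked so far.
SAMPLE_ZONE_INFO='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s3
  sources:
  services: ssh dhcpv6-client
  ports: 53/tcp 53/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: host-redirect
  rich rules:'

# Baseline from the chapter: both redirect types must be blocked.
REQUIRED_BLOCKS="host-redirect network-redirect"

# Print the ICMP types currently on the icmp-blocks line, one per line.
current_icmp_blocks() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*icmp-blocks:[[:space:]]*//p' \
        | tr ' ' '\n' | sed '/^$/d'
}

# Print the required types that are not yet blocked, space-separated.
missing_icmp_blocks() {
    blocked=$(current_icmp_blocks "$1"); missing=""
    for t in $2; do
        if ! printf '%s\n' "$blocked" | grep -qx "$t"; then
            missing="${missing:+$missing }$t"
        fi
    done
    printf '%s' "$missing"
}

# Build the remediation command, or print nothing if the zone is compliant.
# One --add-icmp-block per type, which is exactly what the shell produces when
# the chapter's {a,b} brace list is expanded; add --permanent to keep it.
remediation_command() {
    missing=$(missing_icmp_blocks "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'firewall-cmd'
        for t in $missing; do printf ' --add-icmp-block=%s' "$t"; done
    fi
}

# Stand-alone run against the constructed sample.
missing=$(missing_icmp_blocks "$SAMPLE_ZONE_INFO" "$REQUIRED_BLOCKS")
if [ -n "$missing" ]; then
    echo "unblocked ICMP types: $missing"
    echo "remediate with: $(remediation_command "$SAMPLE_ZONE_INFO" "$REQUIRED_BLOCKS")"
else
    echo "all required ICMP types are blocked"
fi
```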