How can I make the VyOS IP address that shows up in traceroute return "no response from host"?
My VyOS IP is x.x.x.120.
I don't want to see my VyOS IP address in traceroute.
If I close ICMP on the firewall, my BGP sessions go down and the router's network is down.
Note: the router IP is not in BGP; my router IP is statically routed to me.
I tried these firewall commands:
set interfaces ethernet eth3 firewall local name 'management-filter'
set firewall name management-filter rule 5 action drop
set firewall name management-filter rule 5 protocol icmp
I don't work with BGP so this may not work, but if your connection goes down when you enable the ICMP drop, why not add a rule before the drop that allows ICMP from your BGP neighbors?
IIRC a firewall policy has a default action of 'drop' unless otherwise specified. So if your firewall policy only has one rule, which drops ICMP, it will by default also drop all other traffic. You need to create another rule to allow the traffic you want, or add a default action to the firewall policy, e.g.
set firewall name management-filter default-action accept
Obviously, you need to determine whether that is appropriate for your environment. If eth3 is an internet connection and the firewall policy is applied as 'local', then it is dealing with traffic to the VyOS router itself. Denying ICMP but allowing everything else to the VyOS router may or may not be appropriate, and that is up to you to decide. If it's not, you should do as firedrow suggested and allow just your BGP peer and whatever else you may need.
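A worked version of the policy the two replies describe, as an added example rather than configuration posted in this thread. It keeps the 'local' policy on eth3 (traffic addressed to the router itself), allows the BGP peer and return traffic before the ICMP drop, and makes the default action explicit. The peer address 192.0.2.1, the management network 198.51.100.0/24, the SSH port and the VyOS 1.2-style `icmp type-name` / `state` syntax are assumptions; substitute your own peer and management addresses.

```vyos
# Assumed values: BGP peer 192.0.2.1, management network 198.51.100.0/24.
# This is an illustrative example, not configuration from the original thread.

# Make the implicit default explicit: anything not matched below is dropped.
set firewall name management-filter default-action drop

# Return traffic for connections the router itself opened (including BGP
# sessions the router initiates towards the peer).
set firewall name management-filter rule 5 action accept
set firewall name management-filter rule 5 state established enable
set firewall name management-filter rule 5 state related enable

# BGP (TCP/179) from the peer only.
set firewall name management-filter rule 10 action accept
set firewall name management-filter rule 10 protocol tcp
set firewall name management-filter rule 10 source address 192.0.2.1
set firewall name management-filter rule 10 destination port 179

# ICMP from the peer (path MTU discovery, unreachables, keepalive pings).
set firewall name management-filter rule 20 action accept
set firewall name management-filter rule 20 protocol icmp
set firewall name management-filter rule 20 source address 192.0.2.1

# Management access from the admin network (assumed SSH on 22); without a
# rule like this the explicit default-action drop locks you out of eth3.
set firewall name management-filter rule 30 action accept
set firewall name management-filter rule 30 protocol tcp
set firewall name management-filter rule 30 source address 198.51.100.0/24
set firewall name management-filter rule 30 destination port 22

# Drop echo-request from everyone else so the router does not answer ping.
# Other ICMP types still fall through to the default action (drop).
set firewall name management-filter rule 40 action drop
set firewall name management-filter rule 40 protocol icmp
set firewall name management-filter rule 40 icmp type-name echo-request

# Attach the policy to traffic destined to the router on eth3.
set interfaces ethernet eth3 firewall local name 'management-filter'

commit
save
```

Use `commit-confirm` instead of `commit` when applying this over the uplink, so a mistake in the management rule rolls back rather than locking you out. Two caveats worth knowing: a 'local' policy only filters packets addressed to the router, and the hop appears in traceroute because the router itself generates ICMP time-exceeded when a probe's TTL expires, so dropping inbound echo-request hides the router from ping but not, by itself, from traceroute; and the explicit `default-action drop` above drops everything not listed, so add rules for any other services you run on the router (SNMP, NTP, VRRP and so on) before committing.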