ICMP and Firewall

My understanding of the firewall “all-ping” is that:

Disabling all-ping will drop all ping requests destined for the router, no questions asked…
-On The Other Hand-
Enabling all-ping will accept all ping requests destined for the router, but you can write firewall rules to get more granular with control over pings…

I am attempting to block certain networks, and would also like to drop pings from those same networks, while allowing them from everywhere else…

My main question is: Do I have to write rules to expressly drop pings from the bad networks? Or should that be covered under dropping “all” protocol?

My current rules are working to block tcp and udp services, but are still accepting ping requests.

Please don’t drop ping requests. Rate limit them, sure, but don’t drop them. There is no sane reason why anyone would want to drop a really useful network diagnostic tool. Don’t filter ANY ICMP; it’s required for the internet to work 8)

Hi,

I think your answer is here:

https://vyos.readthedocs.io/en/latest/firewall.html#how-vyos-replies-when-being-pinged