I'm having an issue where the `set firewall all-ping 'enable'` command does not appear to work as expected. ICMP only works when I add a rule to the OUTSIDE local firewall rule set as below.

```
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
```

I read the docs on 1.3.2, quoted below, but the only caveat I see is that this would fail if you have an explicit rule such as "deny icmp" in one of the local rules. I do not have this; I do, however, have the default rule set to drop, but this is expected. Any ideas, or is anyone else seeing this?
## Global settings
Some firewall settings are global and have an effect on the whole system.

```
set firewall all-ping [enable | disable]
```

By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall.

With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general firewall all-ping command. This command affects only LOCAL traffic (packets destined for your VyOS system), not IN or OUT traffic.

firewall all-ping affects only LOCAL and it always behaves in the most restrictive way.

```
set firewall all-ping enable
```

When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.

```
set firewall all-ping disable
```

When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them.
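The "most restrictive wins" precedence quoted above, modelled as a small policy evaluator so a local ruleset can be checked against it before commit. This is an added example, not VyOS code; it assumes an inbound echo request is a NEW conntrack state and that a chain's default action counts as a rule that drops local echo requests.

```python
"""Model of the documented 'firewall all-ping' precedence (added example,
not VyOS code). Assumes an inbound echo request is conntrack state NEW and
that a chain's default action counts as a rule dropping local echo requests."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Rule:
    number: int
    action: str                      # 'accept', 'drop' or 'reject'
    protocol: Optional[str] = None   # None matches any protocol
    states: Set[str] = field(default_factory=set)  # empty = any state


@dataclass
class LocalChain:
    """A firewall name attached to an interface's 'local' hook."""
    default_action: str = "drop"
    rules: List[Rule] = field(default_factory=list)


def chain_verdict(chain: LocalChain, protocol: str, state: str) -> str:
    """First matching rule wins; otherwise the chain's default action."""
    for rule in sorted(chain.rules, key=lambda r: r.number):
        if rule.protocol not in (None, protocol):
            continue
        if rule.states and state not in rule.states:
            continue
        return rule.action
    return chain.default_action


def echo_answered(all_ping: str, local_chains: List[LocalChain]) -> bool:
    """all-ping disable: never answer. all-ping enable: answer only when
    every local chain on the ingress path accepts the echo request."""
    if all_ping == "disable":
        return False
    return all(chain_verdict(c, "icmp", "new") == "accept" for c in local_chains)


# The poster's OUTSIDE-LOCAL ruleset: rule 10 accepts ICMP, default action drop.
OUTSIDE_LOCAL = LocalChain("drop", [
    Rule(10, "accept", "icmp", {"established", "new", "related"}),
])
# The same chain before rule 10 was added: only the default drop remains.
OUTSIDE_LOCAL_BEFORE = LocalChain("drop", [])
```

With only the default drop in the chain, `echo_answered("enable", [OUTSIDE_LOCAL_BEFORE])` is False, which matches the behaviour reported in the post; with rule 10 present it is True, and with all-ping disabled it is False regardless of rule 10.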