forked from CiscoDevNet/cloud-cml
Before:
$ ping 172.98.19.221
PING 172.98.19.221 (172.98.19.221): 56 data bytes
92 bytes from 172.98.19.192: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 c3b9 0 0000 39 01 4b43 10.26.168.83 172.98.19.221
92 bytes from 172.98.19.192: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 c3b9 0 0000 39 01 4b43 10.26.168.83 172.98.19.221
Request timeout for icmp_seq 0
92 bytes from 172.98.19.192: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 646f 0 0000 39 01 aa8d 10.26.168.83 172.98.19.221
$ ping6 2602:80A:F004:200::1
PING 2602:80A:F004:200::1(2602:80a:f004:200::1) 56 data bytes
From 2602:80a:f004:301:: icmp_seq=1 Destination unreachable: Administratively prohibited
From 2602:80a:f004:301:: icmp_seq=2 Destination unreachable: Administratively prohibited
^C
--- 2602:80A:F004:200::1 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1001ms
After:
$ ping 172.98.19.193
PING 172.98.19.193 (172.98.19.193) 56(84) bytes of data.
64 bytes from 172.98.19.193: icmp_seq=1 ttl=243 time=23.2 ms
64 bytes from 172.98.19.193: icmp_seq=2 ttl=243 time=23.1 ms
64 bytes from 172.98.19.193: icmp_seq=3 ttl=243 time=23.0 ms
^C
--- 172.98.19.193 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 23.089/23.184/23.298/0.195 ms
$ ping6 2602:80A:F004:200::1
PING 2602:80A:F004:200::1(2602:80a:f004:200::1) 56 data bytes
64 bytes from 2602:80a:f004:200::1: icmp_seq=1 ttl=55 time=23.4 ms
64 bytes from 2602:80a:f004:200::1: icmp_seq=2 ttl=55 time=23.0 ms
64 bytes from 2602:80a:f004:200::1: icmp_seq=3 ttl=55 time=22.6 ms
^C
--- 2602:80A:F004:200::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 22.686/23.055/23.439/0.354 ms
Firewalld config:
firewall-cmd --permanent --new-policy=to_cml_labs
firewall-cmd --permanent --policy=to_cml_labs --add-egress-zone=dmz
firewall-cmd --permanent --policy=to_cml_labs --add-ingress-zone=public
firewall-cmd --permanent --policy=to_cml_labs --add-rich-rule='rule family="ipv4" destination address="172.98.19.192/27" icmp-type name="echo-request" accept'
firewall-cmd --permanent --policy=to_cml_labs --add-rich-rule='rule family="ipv6" destination address="2602:80a:f004:200::/56" icmp-type name="echo-request" accept'
firewall-cmd --permanent --policy=to_cml_labs --set-target=REJECT
firewall-cmd --reload
firewall-cmd --info-policy=to_cml_labs
to_cml_labs (active)
priority: -1
target: REJECT
ingress-zones: public
egress-zones: dmz
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="172.98.19.192/27" icmp-type name="echo-request" accept
rule family="ipv6" destination address="2602:80a:f004:200::/56" icmp-type name="echo-request" accept
Tested and verified that SSH and other ports are still blocked.
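An added check, not part of this issue or of the cloud-cml project: the "still blocked" claim above is something you want to re-verify after every later edit to the policy, and the text dump from `firewall-cmd --info-policy` is enough to do it offline. The script below audits such a dump for the "ping only" shape shown in the issue: the policy is active, the target is REJECT, nothing is opened through services/ports/protocols/forwarding, and every rich rule is an echo-request accept scoped to a destination prefix (a rich rule with a destination but no `icmp-type` would accept every protocol to that prefix). The first sample is the dump from the issue; the second is a constructed, hypothetical weakened variant. `field` and `audit_policy` are names chosen here; the rule layout the regex expects mirrors how the dump on this page prints rich rules.

```shell
#!/bin/sh
# Added example (not cloud-cml project code): audit a
# `firewall-cmd --info-policy=<name>` dump for a "ping only" policy.

# Constructed sample 1: the to_cml_labs dump shown in the issue.
GOOD_POLICY='to_cml_labs (active)
  priority: -1
  target: REJECT
  ingress-zones: public
  egress-zones: dmz
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" destination address="172.98.19.192/27" icmp-type name="echo-request" accept
	rule family="ipv6" destination address="2602:80a:f004:200::/56" icmp-type name="echo-request" accept'

# Constructed sample 2 (hypothetical): the same policy after a careless edit
# that added the ssh service and dropped icmp-type from the IPv4 rule.
WEAK_POLICY='to_cml_labs (active)
  priority: -1
  target: REJECT
  ingress-zones: public
  egress-zones: dmz
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" destination address="172.98.19.192/27" accept
	rule family="ipv6" destination address="2602:80a:f004:200::/56" icmp-type name="echo-request" accept'

# field DUMP KEY -> value of the "KEY: value" line (empty if unset or empty)
field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# audit_policy DUMP -> prints one FAIL line per finding; exit 0 only if clean
audit_policy() {
    dump=$1
    rc=0

    # An inactive policy (no zones bound) enforces nothing.
    case $(printf '%s\n' "$dump" | sed -n '1p') in
        *'(active)') ;;
        *) echo "FAIL: policy is not active"; rc=1 ;;
    esac

    target=$(field "$dump" target)
    [ "$target" = "REJECT" ] || { echo "FAIL: target is '${target:-unset}', expected REJECT"; rc=1; }

    # Anything listed here bypasses the rich rules and widens the policy.
    for key in services ports protocols forward-ports source-ports; do
        val=$(field "$dump" "$key")
        [ -z "$val" ] || { echo "FAIL: $key opened: $val"; rc=1; }
    done
    [ "$(field "$dump" masquerade)" = "no" ] || { echo "FAIL: masquerade enabled"; rc=1; }

    # Rich rules follow the "rich rules:" header. Every rule must carry a
    # destination prefix and icmp-type echo-request; count the ones that do.
    rules=$(printf '%s\n' "$dump" | sed -n '/^[[:space:]]*rich rules:/,$p' | sed '1d;/^[[:space:]]*$/d')
    total=$(printf '%s\n' "$rules" | grep -c 'rule ' || true)
    good=$(printf '%s\n' "$rules" | grep -c 'destination address="[^"]*" icmp-type name="echo-request" accept$' || true)
    [ "$total" -gt 0 ] || { echo "FAIL: no rich rules, policy allows nothing"; rc=1; }
    [ "$total" -eq "$good" ] || { echo "FAIL: $((total - good)) rich rule(s) are not destination-scoped echo-request accepts"; rc=1; }

    return $rc
}

audit_policy "$GOOD_POLICY" && echo "PASS: to_cml_labs only permits echo-request"
audit_policy "$WEAK_POLICY" || echo "weak variant correctly flagged"
```

On a live host, replace the constructed sample with `audit_policy "$(firewall-cmd --info-policy=to_cml_labs)"`; the dump is printed in the same layout, so the check applies unchanged.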