Hello, I'm transitioning over to firewalld from iptables and one of the iptables rules that I had was to allow ICMP pings to/from other systems on my local subnet, but block ICMP pings to/from systems outside of my local subnet. The systems are all clients so I don't have a LAN/WAN dual network port setup.
When firewall-cmd translates the old iptables into firewalld rules, the subnet portion is removed and I'm left with a block all/unblock all situation. Is there a way to use either a rich rule or a direct rule to allow full ICMP access to specified subnets and block all others? I'm looking for something like:

firewall-cmd --permanent --zone=public --add-rich-rule='rule protocol=icmp source address="192.168.100.0/24" accept'
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply,echo-request

which I expect to allow any ICMP packet originating from a host in 192.168.100.0/24 but all others are dropped.

Thanks!
Tom Leach
firewalld-users@lists.fedorahosted.org
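The following is an added example, not part of the original message, showing one way to express the "ICMP only from my subnet" policy entirely with rich rules. It assumes that the firewalld rich language on the target version supports the `source NOT address="..."` inversion and the `protocol value="icmp"` element (both documented in firewalld.richlanguage(5)), that the relevant interface sits in the `public` zone, and that firewalld evaluates a zone's deny rules (icmp-blocks, drop/reject rich rules) before its accept rich rules, which is why this example does not combine an accept rich rule with `--add-icmp-block`. The `valid_ipv4_subnet` and `apply_icmp_subnet_policy` helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): accept ICMP only from one IPv4
# subnet and drop ICMP from every other source, using a single rich rule with
# an inverted source match.
#
# Assumptions (verify against firewalld.richlanguage(5) on your version):
#   - the rich language accepts `source NOT address="..."` and
#     `protocol value="icmp"`;
#   - the zone holding your interface is "public" (override with $2);
#   - deny-type rules (icmp-blocks, drop/reject rich rules) are evaluated
#     before accept rich rules in a zone, so "accept from subnet" plus
#     "--add-icmp-block" would let the block match first. Keeping the whole
#     decision in one "source NOT <subnet> ... drop" rule avoids that.

set -u

# Rich rule that drops ICMP whose source is outside the given subnet.
icmp_drop_outside_rule() {
  printf 'rule family="ipv4" source NOT address="%s" protocol value="icmp" drop' "$1"
}

# Explicit accept for ICMP from inside the subnet; only matters if the zone's
# target or another rule would otherwise reject it.
icmp_accept_inside_rule() {
  printf 'rule family="ipv4" source address="%s" protocol value="icmp" accept' "$1"
}

# Sanity check on the subnet argument: dotted quad plus /0..32 prefix.
valid_ipv4_subnet() {
  printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Install both rules permanently in the zone and reload. With DRY_RUN=1 the
# firewall-cmd invocations are printed instead of executed.
apply_icmp_subnet_policy() {
  subnet=$1
  zone=${2:-public}
  valid_ipv4_subnet "$subnet" || { echo "bad subnet: $subnet" >&2; return 1; }
  run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
  }
  run firewall-cmd --permanent --zone="$zone" \
      --add-rich-rule="$(icmp_accept_inside_rule "$subnet")" &&
  run firewall-cmd --permanent --zone="$zone" \
      --add-rich-rule="$(icmp_drop_outside_rule "$subnet")" &&
  run firewall-cmd --reload
}

# Afterwards, confirm what was installed with:
#   firewall-cmd --zone=public --list-rich-rules
# and test with a ping from a host inside and a host outside the subnet.
if [ "${1:-}" != "" ]; then
  apply_icmp_subnet_policy "$1" "${2:-public}"
fi
```

Two details worth checking before relying on this: the rich language writes the protocol element as `protocol value="icmp"` (with `value=`), and the rule is IPv4-only, so a host that also answers ICMPv6 needs a matching `family="ipv6"` rule with `protocol value="ipv6-icmp"`. For more than one trusted subnet, a second `source NOT` drop rule would drop everything, so that case is better served by an ipset holding all trusted subnets in a single inverted rule.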