Where does firewalld map its ICMP types located in /usr/lib/firewalld/icmptypes to actual ICMP types like these: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml.
For example, I don't see anything in echo-request.xml indicating it's ICMP type 8, so how does the firewall know when filtering ICMP packets?
Thanks,
Scott
On Fri, Aug 28, 2020 at 10:56:30PM -0000, Scott A. Wozny wrote:
> Where does firewalld map its ICMP types located in /usr/lib/firewalld/icmptypes to actual ICMP types like these: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml.
> For example, I don't see anything in echo-request.xml indicating it's ICMP type 8, so how does the firewall know when filtering ICMP packets?
For the iptables backend the icmptype name is passed verbatim to iptables. firewalld's icmptype names are actually derived from iptables.
For nftables they're translated [1] into nftables's names and/or type/code.
[1]: https://github.com/firewalld/firewalld/blob/956db5ecc15be55d49611e05c23c1e3e...
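An added illustration of the point made in the reply above (this is not firewalld, iptables or nftables code, and not part of the thread): the icmptype definition carries only descriptive text, and the numeric type/code comes from a table keyed by name on the backend side. The XML sample is constructed, `ICMP4_NAMES` is a hypothetical stand-in for the backend's table with values taken from the IANA registry, and the example assumes the icmptype name is the file name without `.xml`.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample in the layout of an icmptype definition: descriptive
# text only, no numeric ICMP type anywhere in the file.
ECHO_REQUEST_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<icmptype>
  <short>Echo Request (ping)</short>
  <description>Tests whether a host is reachable.</description>
</icmptype>"""

# Hypothetical backend-side table: name -> (type, code); code None = any code.
# Numbers follow the IANA ICMP parameters registry.
ICMP4_NAMES = {
    "echo-reply": (0, None),
    "destination-unreachable": (3, None),
    "network-unreachable": (3, 0),
    "host-unreachable": (3, 1),
    "port-unreachable": (3, 3),
    "echo-request": (8, None),
    "time-exceeded": (11, None),
}

def icmptype_name(path):
    """Assumption: the lookup key is the definition's file name minus .xml."""
    return PurePosixPath(path).stem

def numeric_fields_in(xml_bytes):
    """Return every purely numeric element text or attribute value in the file."""
    found = []
    for el in ET.fromstring(xml_bytes).iter():
        values = [el.text or ""] + list(el.attrib.values())
        found += [v for v in values if v.strip().isdigit()]
    return found

def resolve(name):
    """Translate a name to (type, code); unknown names fail loudly."""
    if name not in ICMP4_NAMES:
        raise KeyError(f"no backend translation for icmptype {name!r}")
    return ICMP4_NAMES[name]

def matches(name, icmp_header):
    """Compare the first two ICMP header bytes (type, code) with a name."""
    if len(icmp_header) < 2:
        return False
    want_type, want_code = resolve(name)
    return icmp_header[0] == want_type and want_code in (None, icmp_header[1])
```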
Ah! I was looking for it somewhere in config (like the services) but there it is in code! I KNEW it wasn't magic. 🙂
Also, your comment about the iptables icmptype(s) led me to `iptables -p icmp -h` so I appreciate that. I'm sure the mechanics behind that are located inside iptables' code, but I think I have what I need, at this point.
Thanks very much for taking the time to reply.
Scott
________________________________
From: Eric Garver egarver@redhat.com
Sent: August 29, 2020 8:42 AM
To: Scott A. Wozny sawozny@hotmail.com
Cc: firewalld-users@lists.fedorahosted.org firewalld-users@lists.fedorahosted.org
Subject: Re: Firewalld ICMP types
On Fri, Aug 28, 2020 at 10:56:30PM -0000, Scott A. Wozny wrote:
> Where does firewalld map its ICMP types located in /usr/lib/firewalld/icmptypes to actual ICMP types like these: https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml.
> For example, I don't see anything in echo-request.xml indicating it's ICMP type 8, so how does the firewall know when filtering ICMP packets?
For the iptables backend the icmptype name is passed verbatim to iptables. firewalld's icmptype names are actually derived from iptables.
For nftables they're translated [1] into nftables's names and/or type/code.
[1]: https://github.com/firewalld/firewalld/blob/956db5ecc15be55d49611e05c23c1e3e...