I am new to firewalld having used Shorewall previously. I'm intrigued by the fact that remove-icmp-block-inversion can be used in zones but not policies. What is the reason for this?
Regards
Tony
On Fri, Apr 05, 2024 at 04:23:17PM +0100, Tony Middleton wrote:
> I am new to firewalld having used Shorewall previously. I'm intrigued by the fact that remove-icmp-block-inversion can be used in zones but not policies. What is the reason for this?
I deliberately left it out of policies because I consider it a misfeature. Blocking ICMP is bad [1].
In policies, you can still block specific ICMP types/codes with --add-icmp-block. You can block all ICMP with a rich rule, e.g. --add-rich-rule='rule family=ipv4 protocol value=icmp drop'.
Hope that helps. Eric.
firewalld-users@lists.fedorahosted.org
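Eric's two alternatives for policies, written up as a script; this is an added example, not code from the thread or from the firewalld project. It assumes the stock zones "internal" and "external", a made-up policy name "int-to-ext-icmp", and a FWCMD variable so the script can be pointed at a stand-in binary for a dry run.

```shell
#!/bin/sh
# Added example (not from the thread): block selected ICMP types in a firewalld
# policy, as Eric describes, instead of relying on icmp-block-inversion.
# Assumptions: stock zones "internal" and "external"; policy name
# "int-to-ext-icmp" is made up; FWCMD lets the script point at a stand-in binary.
set -eu
POLICY="${POLICY:-int-to-ext-icmp}"
FWCMD="${FWCMD:-firewall-cmd}"

# Create the policy and block only the ICMP types given as extra arguments.
# Everything is --permanent, so nothing is live until reload_firewalld runs.
create_icmp_policy() {
    ingress="$1"; egress="$2"; shift 2
    "$FWCMD" --permanent --new-policy "$POLICY"
    "$FWCMD" --permanent --policy "$POLICY" --add-ingress-zone "$ingress"
    "$FWCMD" --permanent --policy "$POLICY" --add-egress-zone "$egress"
    # CONTINUE (the default target) lets unmatched traffic fall through to the
    # zone rules, so echo-request and PMTUD-related types keep flowing.
    "$FWCMD" --permanent --policy "$POLICY" --set-target CONTINUE
    for icmp_type in "$@"; do
        "$FWCMD" --permanent --policy "$POLICY" --add-icmp-block="$icmp_type"
    done
}

# The blunt alternative from the reply: a rich rule that drops all ICMP.
block_all_icmp() {
    "$FWCMD" --permanent --policy "$POLICY" \
        --add-rich-rule='rule family=ipv4 protocol value=icmp drop'
    # IPv6 counterpart; assumes firewalld accepts the /etc/protocols name.
    "$FWCMD" --permanent --policy "$POLICY" \
        --add-rich-rule='rule family=ipv6 protocol value=ipv6-icmp drop'
}

reload_firewalld() { "$FWCMD" --reload; }

# Exit status 0 when TYPE is blocked in the runtime policy, 1 otherwise.
icmp_type_blocked() {
    "$FWCMD" --policy "$POLICY" --query-icmp-block="$1" >/dev/null 2>&1
}

# Only act when invoked as "script.sh apply" so sourcing it is side-effect free.
if [ "${1:-}" = "apply" ]; then
    create_icmp_policy internal external redirect timestamp-request
    reload_firewalld
    icmp_type_blocked redirect && echo "redirect is blocked in $POLICY"
fi
```

Run it as root with `apply` on a firewalld host; `firewall-cmd --policy int-to-ext-icmp --list-all` then shows the blocked types alongside the policy's zones and target.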