Hello!
I have: rule family="ipv4" source address="185.122.204.97" reject
This results in
chain filter_IN_public_deny { ip saddr 185.122.204.97 reject with icmp port-unreachable }
Is there a way to use firewalld rich-rules to use administratively prohibited instead?
On Sun, Jun 02, 2024 at 11:21:16AM +0200, Marco Moock wrote:
> Hello!
> I have: rule family="ipv4" source address="185.122.204.97" reject
> This results in
> chain filter_IN_public_deny { ip saddr 185.122.204.97 reject with icmp port-unreachable }
> Is there a way to use firewalld rich-rules to use administratively prohibited instead?
Yes. You need to add the "type" argument to reject. See man page firewalld.richlanguage(5).
Try this:
rule family="ipv4" source address="185.122.204.97" reject type=communication-prohibited
This will use ICMP type 3 code 13.
On 03.06.2024 at 08:48:28 Eric Garver wrote:
> rule family="ipv4" source address="185.122.204.97" reject type=communication-prohibited
> This will use ICMP type 3 code 13.
Thanks!
At least in Debian, it had to be admin-prohib or icmp-admin-prohibited
rule family="ipv4" source address="185.122.204.97" log reject type="admin-prohib"
For IPv6, this uses other terms:
rule family="ipv6" source address="2001:db8::/32" port port="80" protocol="tcp" log reject type="adm-prohibited"
type=icmp6-adm-prohibited also exists and emits the same ICMPv6 packet. Are there any differences?
The firewalld.richlanguage(5) manpage in Debian doesn't list those types, it only lists icmp-admin-prohibited for IPv4.
Is there a place where all of the types are documented? Should that be documented in this manpage or is there a better place?
On Mon, Jun 03, 2024 at 04:16:46PM +0200, Marco Moock wrote:
> On 03.06.2024 at 08:48:28 Eric Garver wrote:
> > rule family="ipv4" source address="185.122.204.97" reject type=communication-prohibited
> > This will use ICMP type 3 code 13.
> Thanks!
> At least in Debian, it had to be admin-prohib or icmp-admin-prohibited
> rule family="ipv4" source address="185.122.204.97" log reject type="admin-prohib"
> For IPv6, this uses other terms:
> rule family="ipv6" source address="2001:db8::/32" port port="80" protocol="tcp" log reject type="adm-prohibited"
> type=icmp6-adm-prohibited also exists and emits the same ICMPv6 packet. Are there any differences?
No. They're synonymous.
For ICMPv4 use icmp-admin-prohibited or admin-prohib.
> The firewalld.richlanguage(5) manpage in Debian doesn't list those types, it only lists icmp-admin-prohibited for IPv4.
These are under-documented. The firewalld man page only refers to the iptables-extensions manpage. That doesn't really make sense. We should list them in the firewalld man pages.
Feel free to file an issue on github.
> Is there a place where all of the types are documented? Should that be documented in this manpage or is there a better place?
I think firewalld.richlanguage is the only place it makes sense.
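Since the accepted reject types are only documented indirectly, the following is an added example (not firewalld's own code and not part of the thread): a small pre-flight check that parses a rich rule, validates its `reject type=` against the family, and reports the nftables reject clause and the ICMP type/code the rule will send. The synonym table is reconstructed from the iptables REJECT target names in iptables-extensions(8), which is where firewalld takes them from, and the ICMP type/code values are the standard ones from RFC 792 and RFC 4443; the table, the "type needs a family" rule and the `reject with icmpv6 ...` output form for IPv6 are assumptions to confirm against your installed firewalld with `firewall-cmd --add-rich-rule`. The sample rules are the ones from this thread.

```python
"""Pre-flight validator for `reject type=...` in firewalld rich rules.

Added example, not firewalld's code.  Assumption: the alias table below is
what firewalld accepts (taken from iptables-extensions(8) REJECT names).
"""
import shlex

# nft reject reason -> (ICMP type, code), per family.  The reason names are
# the ones nftables prints after `reject with icmp` / `reject with icmpv6`.
ICMP_REASON = {
    "ipv4": {
        "net-unreachable": (3, 0), "host-unreachable": (3, 1),
        "prot-unreachable": (3, 2), "port-unreachable": (3, 3),
        "net-prohibited": (3, 9), "host-prohibited": (3, 10),
        "admin-prohibited": (3, 13),
    },
    "ipv6": {
        "no-route": (1, 0), "admin-prohibited": (1, 1),
        "addr-unreachable": (1, 3), "port-unreachable": (1, 4),
    },
}

# Names accepted for `type=` (iptables REJECT --reject-with names and their
# short aliases, assumption) -> nft reason, or "tcp-reset".
REJECT_TYPES = {
    "ipv4": {
        "icmp-net-unreachable": "net-unreachable", "net-unreach": "net-unreachable",
        "icmp-host-unreachable": "host-unreachable", "host-unreach": "host-unreachable",
        "icmp-proto-unreachable": "prot-unreachable", "proto-unreach": "prot-unreachable",
        "icmp-port-unreachable": "port-unreachable", "port-unreach": "port-unreachable",
        "icmp-net-prohibited": "net-prohibited", "net-prohib": "net-prohibited",
        "icmp-host-prohibited": "host-prohibited", "host-prohib": "host-prohibited",
        "icmp-admin-prohibited": "admin-prohibited", "admin-prohib": "admin-prohibited",
        "tcp-reset": "tcp-reset",
    },
    "ipv6": {
        "icmp6-no-route": "no-route", "no-route": "no-route",
        "icmp6-adm-prohibited": "admin-prohibited", "adm-prohibited": "admin-prohibited",
        "icmp6-addr-unreachable": "addr-unreachable", "addr-unreach": "addr-unreachable",
        "icmp6-port-unreachable": "port-unreachable", "port-unreach": "port-unreachable",
        "tcp-reset": "tcp-reset",
    },
}


def parse_rich_rule(rule):
    """Split a rich rule into family, action, reject type and the rest."""
    tokens = shlex.split(rule)          # handles key="quoted value"
    if not tokens or tokens[0] != "rule":
        raise ValueError("rich rule must start with 'rule'")
    parsed = {"family": None, "action": None, "type": None, "log": False,
              "elements": [], "options": []}
    for tok in tokens[1:]:
        if tok in ("accept", "reject", "drop", "mark"):
            parsed["action"] = tok
        elif tok == "log":
            parsed["log"] = True
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key == "family":
                parsed["family"] = value
            elif key == "type" and parsed["action"] == "reject":
                parsed["type"] = value
            else:
                parsed["options"].append((key, value))
        else:
            parsed["elements"].append(tok)   # source, destination, port, ...
    return parsed


def nft_reject(rule):
    """Return (nft reject clause, (icmp type, code) or None) for RULE,
    or raise ValueError with the reason firewalld would refuse it."""
    r = parse_rich_rule(rule)
    if r["action"] != "reject":
        raise ValueError("rule does not use reject")
    fam, typ = r["family"], r["type"]
    proto = {"ipv4": "icmp", "ipv6": "icmpv6"}
    if typ is None:
        # No type: firewalld rejects with port-unreachable (see the thread).
        if fam is None:
            return "reject", None            # applies to both families
        return (f"reject with {proto[fam]} port-unreachable",
                ICMP_REASON[fam]["port-unreachable"])
    if fam is None:
        raise ValueError("a reject type requires an explicit rule family")
    if fam not in REJECT_TYPES:
        raise ValueError(f"invalid family {fam!r}")
    if typ not in REJECT_TYPES[fam]:
        raise ValueError(f"invalid reject type {typ!r} for {fam}; valid: "
                         + ", ".join(sorted(REJECT_TYPES[fam])))
    reason = REJECT_TYPES[fam][typ]
    if reason == "tcp-reset":
        return "reject with tcp reset", None
    return f"reject with {proto[fam]} {reason}", ICMP_REASON[fam][reason]


if __name__ == "__main__":
    # Sample rules from the thread (constructed input for this example).
    for rule in [
        'rule family="ipv4" source address="185.122.204.97" reject',
        'rule family="ipv4" source address="185.122.204.97" log reject type="admin-prohib"',
        'rule family="ipv6" source address="2001:db8::/32" port port="80" protocol="tcp" log reject type="adm-prohibited"',
        'rule family="ipv4" source address="185.122.204.97" reject type=communication-prohibited',
    ]:
        try:
            print(rule, "->", nft_reject(rule))
        except ValueError as e:
            print(rule, "-> REFUSED:", e)
```

Run it before `firewall-cmd --add-rich-rule` to see which ICMP error a rule will send, and to catch names such as `communication-prohibited` that are not in the table; the two IPv6 spellings map to the same `admin-prohibited` reason, which is why they emit the same packet.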
firewalld-users@lists.fedorahosted.org