I am trying to use Firewalld to restrict access to/from a Linux server

Environment

  • the Linux server has a single network interface: ens160

Requirements

  • It shall allow only machines with IP addresses 192.168.3.0/24 to reach this Linux server using SSH and ICMP
  • None of the other IP addresses or services should be able to reach this Linux server

Configurations made

sudo firewall-cmd --set-default-zone=internal
sudo firewall-cmd --permanent --zone=internal --add-interface=ens160
sudo firewall-cmd --permanent --zone=internal --add-icmp-block={echo-request,echo-reply}
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept'
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-request" accept'
sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-reply" accept'

Configurations status

user@server:~$ sudo firewall-cmd --list-all

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks: echo-reply echo-request
  rich rules:
	rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept
	rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-request" accept
	rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-reply" accept

Verification results

It works on SSH:

  • IP addresses other than 192.168.3.0/24 cannot use SSH to connect to the Linux server.

It does not seem to work on ICMP:

  • IP addresses 192.168.3.0/24 cannot ping the Linux server

I know the problem could probably lie with "icmp-blocks: echo-reply echo-request" which blocks all ICMP traffic, and the two icmp rich rules. I googled a lot and just couldn't find the right solution.

Can someone help me out here? Much appreciated.


1 Answer


I realise this is an old post, but I'm going through my own firewalld learning curve and thought this might help others who stumble upon this question.

I found the commands in the OP's original post useful. I think the reason it didn't work might be because the icmp-block-inversion is still set to no; also, it's possible the --reload wasn't done. The following commands should fix this:

$ sudo firewall-cmd --permanent --zone=internal --add-icmp-block-inversion

$ sudo firewall-cmd --reload

I'm curious about the comment that "Rich rules aren't a good way to do this ...", why?

My specific requirement is to prevent all hosts using ping, and yes, I know this doesn't add much security, but you try telling the security PMs, sigh. However, I've found that when an Oracle server tries to initiate a backup, the NetBackup server uses ping for some reason and the backup fails because it's blocked. So I made the following changes to the zone which appear to work (the .0.50 address is the NB server):

$ sudo firewall-cmd --permanent --zone=internal --add-icmp-block-inversion

$ sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.0.50/32" icmp-type name="echo-request" accept'

$ sudo firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" source address="192.168.0.50/32" icmp-type name="echo-reply" accept'

$ sudo firewall-cmd --reload

Am I barking up the wrong tree? The link in the comment about rich rules seems to imply having a unique zone just for the NetBackup server, but the interface that it tries to ping is the production one used for all other access that is permitted.

I hope this makes sense and welcome any comments or suggestions.

Cheers,

Nick
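An added example, not from the question or the answer above: a small POSIX shell audit of a `firewall-cmd --list-all` dump that detects the ICMP trap discussed in this thread (an icmp-block that shadows the accept rich rule) and prints the permanent configuration that meets the question's requirement. It assumes firewalld's zone ordering: with inversion off, listed icmp-blocks are rejected before any accept rich rule is reached; with inversion on, listed types are accepted from any source and all other ICMP is rejected after the rich rules. `ZONE_DUMP` is a constructed sample built from the zone listed in the question.

```shell
#!/bin/sh
# Added example (not from the question or answer): audit a `firewall-cmd
# --list-all` dump for the ICMP trap in this thread. Assumed firewalld order:
# inversion off = icmp-blocks rejected before any accept rich rule is reached;
# inversion on = listed types accepted from ANY source, all other ICMP rejected.
# Constructed sample: the zone as the question lists it (target line omitted).
ZONE_DUMP='internal (active)
  icmp-block-inversion: no
  icmp-blocks: echo-reply echo-request
  rich rules:
        rule family="ipv4" source address="192.168.3.0/24" service name="ssh" accept
        rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-request" accept
        rule family="ipv4" source address="192.168.3.0/24" icmp-type name="echo-reply" accept'

# check_icmp_zone: reads a dump on stdin; returns 0 when the ICMP settings are
# consistent, 1 when a listed icmp-block makes a rich rule dead or meaningless.
check_icmp_zone() {
    dump=$(cat)
    inversion=$(printf '%s\n' "$dump" | sed -n 's/^ *icmp-block-inversion: *//p')
    blocks=$(printf '%s\n' "$dump" | sed -n 's/^ *icmp-blocks: *//p')
    rc=0
    for t in $blocks; do
        if [ "$inversion" = "yes" ]; then
            echo "FINDING: $t is accepted from any source; a rich rule cannot restrict it" >&2
            rc=1
        elif printf '%s\n' "$dump" | grep -q "icmp-type name=\"$t\" accept"; then
            echo "FINDING: accept rule for $t is unreachable (blocked first, inversion off)" >&2
            rc=1
        fi
    done
    return $rc
}

# fix_commands: permanent config for the question's requirement: no icmp-blocks,
# inversion on (rejects all other ICMP), source-restricted rich rules kept.
fix_commands() {
    cat <<'EOF'
firewall-cmd --permanent --zone=internal --remove-icmp-block=echo-request
firewall-cmd --permanent --zone=internal --remove-icmp-block=echo-reply
firewall-cmd --permanent --zone=internal --add-icmp-block-inversion
firewall-cmd --reload
EOF
}

if printf '%s\n' "$ZONE_DUMP" | check_icmp_zone; then
    echo "ICMP settings are consistent"
else
    echo "suggested fix (apply with: fix_commands | sudo sh):"; fix_commands
fi
```

With inversion on and an empty icmp-blocks list, ICMP error messages such as destination-unreachable are rejected too, so add source-restricted rich rules for any of those the host relies on.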