View Issue Details

ID: 0016751
Project: CentOS-8
Category: firewalld
View Status: public
Last Update: 2019-11-19 12:28
Status: new
Resolution: open
Product Version: 8.0.1905
Target Version:
Fixed in Version:
Summary: 0016751: Rich rules do not work as intended when attempting to limit ICMP traffic.
Description: I've got a vanilla server running CentOS8 on the network range with local IP:

I want to grant ICMP and SSH access to a single host ( only, using rich rules on a custom zone whose target is set to DROP traffic.

There seems to be a bug on the processing of the rich rules when attempting to limit ICMP traffic.

With the provided configuration any host in the network range can send ICMP pings to the server, not just the host as intended.

This affects only ICMP, the rule that regulates TCP access to port 22 works as expected.

The expected behaviour is that ICMP traffic should only be accepted from the host with IP; ICMP traffic from any other host should be dropped.

I believe this to be a bug.
Steps To Reproduce: How to reproduce the bug:

= IP that we want to allow both SSH and ICMP access for; change it to the IP you intend to use for testing.

ens3 = Interface name, change it to your interface name

# Create a new zone
firewall-cmd --permanent --new-zone=000-interwebs

# Set the zone target to DROP
firewall-cmd --permanent --zone=000-interwebs --set-target=DROP

# Set the new zone to be the default zone
firewall-cmd --set-default-zone=000-interwebs

# Attach the interface to the new zone
firewall-cmd --permanent --change-zone=ens3 --zone=000-interwebs

# Add two rich rules
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="" port port=22 protocol=tcp accept'
firewall-cmd --permanent --zone=000-interwebs --add-rich-rule='rule family=ipv4 source address="" protocol value=icmp accept'

# Reload the configuration
firewall-cmd --reload

Ping the server IP from any host in the network other than; it should drop the ICMP request, however firewalld allows the ICMP traffic to go through.
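A check I would run before attributing this to rich-rule processing (added here, not part of the bug report): dump the zone's input chain on the CentOS 8 host and look for an ICMP accept rule that carries no source match and sits ahead of the zone target, since such a rule would accept every ICMP packet regardless of the per-host rich rule. The helper below only reads text; it assumes the nftables backend's chain and rule wording (`filter_IN_<zone>`, `meta l4proto { icmp, ipv6-icmp } accept`), and the sample dump embedded in it is constructed, not captured from the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic helper; it does not modify the firewall. It reads the output
# of `nft list chain inet firewalld <chain>` for the zone's input chain from
# stdin and reports the first ICMP accept rule that has no source-address match
# and whether that rule precedes the chain's terminal drop/reject.
# Real use on the host:
#   nft list chain inet firewalld filter_IN_000-interwebs | icmp_accept_check
# Exit status: 0 = source-independent ICMP accept precedes the zone target,
#              1 = no such rule, 2 = such a rule exists but after the target.
icmp_accept_check() {
    awk '
        # an ICMP accept with no "saddr" match applies to every source
        /icmp/ && /accept/ && !/saddr/ && !accept_line {
            accept_line = NR; accept_rule = $0
        }
        # the zone target is a bare drop/reject at the start of the line
        /^[[:space:]]*(drop|reject)/ && !target_line { target_line = NR }
        END {
            if (!accept_line) {
                print "no source-independent ICMP accept found"; exit 1
            }
            sub(/^[[:space:]]+/, "", accept_rule)
            printf "source-independent ICMP accept at line %d: %s\n", accept_line, accept_rule
            if (target_line && target_line < accept_line) {
                print "it sits after the zone target, so it cannot match"; exit 2
            }
            print "it precedes the zone target: all ICMP reaching this chain is accepted"
            exit 0
        }'
}

# Constructed sample (assumed shape of the chain for the zone in the report).
SAMPLE_CHAIN='table inet firewalld {
	chain filter_IN_000-interwebs {
		jump filter_IN_000-interwebs_pre
		jump filter_IN_000-interwebs_log
		jump filter_IN_000-interwebs_deny
		jump filter_IN_000-interwebs_allow
		jump filter_IN_000-interwebs_post
		meta l4proto { icmp, ipv6-icmp } accept
		drop
	}
}'

printf '%s\n' "$SAMPLE_CHAIN" | icmp_accept_check
```

If the real dump shows such a rule, the zone-wide ICMP handling (see `firewall-cmd --zone=000-interwebs --query-icmp-block-inversion`) is what governs ping for the whole zone, and the rich rule for the single host never gets a chance to be the deciding rule.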
Tags: No tags attached.


There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2019-11-19 12:28 cuf-centos New Issue