Hiho "erig0" ... ;)
... me again :/
I can reach hosts on the internet via ICMP from a host that is behind this host, regardless of whether it is via IPv4 or IPv6. Thanks to the excellent support from Eric Garver, everything is running smoothly! :)
Now I would like to create a rich rule for "ICMP v6" for selected hosts, so that I can ping these selected hosts from the outside.
Like for example:
# firewall-cmd --permanent --policy edmz_2_idmz \
    --add-rich-rule='rule family="ipv6" destination address="2003:a:bbb:cc03:10::110" icmp-type name=echo-request accept'
Is that okay or am I taking the cake? :) Or should I better add a limit with the help of e.g. "... accept limit value=10/s"?
ttyl Django
On Mon, Jan 29, 2024 at 09:47:59PM +0100, Django [Bastard Operator from Hell] wrote:
> Hiho "erig0" ... ;)
:D :D
> ... me again :/
> I can reach hosts on the internet via ICMP from a host that is behind this host, regardless of whether it is via IPv4 or IPv6. Thanks to the excellent support from Eric Garver, everything is running smoothly! :)
> Now I would like to create a rich rule for "ICMP v6" for selected hosts, so that I can ping these selected hosts from the outside.
> Like for example:
> # firewall-cmd --permanent --policy edmz_2_idmz \
>     --add-rich-rule='rule family="ipv6" destination address="2003:a:bbb:cc03:10::110" icmp-type name=echo-request accept'
> Is that okay or am I taking the cake? :) Or should I better add a limit with the help of e.g. "... accept limit value=10/s"?
That should work.
A limit is not necessary, but can certainly be used.
The target of the ICMP ping (echo-request) should have its own rate limiting. Linux for example has various sysctls for limiting the sending of ICMP packets.
See the sysctls starting with "icmp_":
https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html
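An added example, not from the thread, that turns the rule and the optional limit discussed above into a small script: one rich rule per selected IPv6 host, with the limit value checked against the rate/duration form firewalld expects before anything is sent to firewall-cmd. The policy name and addresses are the ones from the question; the function names and the DRY_RUN switch are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Builds ICMPv6 echo-request rich rules
# for selected hosts, optionally rate limited, and feeds them to firewall-cmd.

# valid_limit RATE: true if RATE looks like <number>/<s|m|h|d>, the
# "rate/duration" form firewalld's rich language accepts for limit value.
valid_limit() {
    case $1 in
        */[smhd]) n=${1%/*}
                  case $n in ''|*[!0-9]*) return 1 ;; esac
                  return 0 ;;
        *) return 1 ;;
    esac
}

# icmp6_echo_rule ADDRESS [RATE]
# Prints the rich rule text; with RATE a limit clause follows the accept.
# Returns 1 (prints nothing) when RATE is malformed.
icmp6_echo_rule() {
    addr=$1
    rate=$2
    rule="rule family=\"ipv6\" destination address=\"$addr\" icmp-type name=\"echo-request\" accept"
    if [ -n "$rate" ]; then
        valid_limit "$rate" || return 1
        rule="$rule limit value=\"$rate\""
    fi
    printf '%s\n' "$rule"
}

# add_icmp6_echo_rules POLICY RATE ADDRESS...
# One permanent rich rule per address in POLICY. With DRY_RUN=1 the
# firewall-cmd invocations are printed instead of run (firewall-cmd needs
# root and a running firewalld; remember --reload afterwards).
add_icmp6_echo_rules() {
    policy=$1
    rate=$2
    shift 2
    for addr in "$@"; do
        rule=$(icmp6_echo_rule "$addr" "$rate") || return 1
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf "firewall-cmd --permanent --policy %s --add-rich-rule='%s'\n" "$policy" "$rule"
        else
            firewall-cmd --permanent --policy "$policy" --add-rich-rule="$rule" || return 1
        fi
    done
}
```

Run with `DRY_RUN=1 ./script.sh` first to review the generated commands; the limit is optional, as Eric says, since the target host's icmp_* sysctls already bound its ICMP replies.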
firewalld-users@lists.fedorahosted.org