I'm currently converting some iptables rules into a format that will work with firewalld. I'm still learning firewalld and making an effort to avoid using the direct rules option where possible.
I'm trying to rate limit ICMP on an interface, I've added the following rich rule,
Code: Select all
rule family="ipv4" icmp-type name="echo-request" accept limit value="2/d"
I'm able to see the rule created when I use iptable -L -v to see counters
pkts bytes target prot opt in out source destination
1 84 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 2/day burst 5
It appears that the first packet it matched and then connection tracking is taking over and permitting it and ignoring the limit statement
the first line on the actual input chain of the filter table is
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
I know i'm not suppose to use iptables with firewalld, I'm only using it to look under the hood and debug things like this as they are both talk to the same backend and iptables is a little more natural for me.
Is there something I'm missing? Is there a way to exclude ICMP from the conntracking in firewalld or is this a job for direct rules?
Many thanks in advance