Firewalld Rate Limit ICMP

Support for security such as Firewalls and securing linux
Post Reply
markmcn
Posts: 5
Joined: 2016/01/02 23:44:51

Firewalld Rate Limit ICMP

Post by markmcn » 2018/06/15 22:42:51

Hi All,
I'm currently converting some iptables rules into a format that will work with firewalld. I'm still learning firewalld and making an effort to avoid using the direct rules option where possible.
I'm trying to rate limit ICMP on an interface, I've added the following rich rule,

Code: Select all

rule family="ipv4" icmp-type name="echo-request" accept limit value="2/d"
I appreciate 2/d is extreme but it's to allow me test if the rule is working (Which it is not) :(
I'm able to see the rule created when I use iptable -L -v to see counters

pkts bytes target prot opt in out source destination
1 84 ACCEPT icmp -- any any anywhere anywhere icmp echo-request limit: avg 2/day burst 5
It appears that the first packet it matched and then connection tracking is taking over and permitting it and ignoring the limit statement
the first line on the actual input chain of the filter table is

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED

I know i'm not suppose to use iptables with firewalld, I'm only using it to look under the hood and debug things like this as they are both talk to the same backend and iptables is a little more natural for me.
Is there something I'm missing? Is there a way to exclude ICMP from the conntracking in firewalld or is this a job for direct rules?
Many thanks in advance
Mark

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Firewalld Rate Limit ICMP

Post by hunter86_bg » 2018/06/18 04:22:41

You can't get rid of the 'burst 5' , so in your setup maximum 7 packets will be allowed for this day.
I don't thing that conntracking 'kicks in' , but the burst rule.
Also, ICMP is connectionless protocol, so you can't exclude it from conntrack.
Try to ping your firewalld-based machine and you will notice that the count will be less than 10.

markmcn
Posts: 5
Joined: 2016/01/02 23:44:51

Re: Firewalld Rate Limit ICMP

Post by markmcn » 2018/06/18 23:27:32

Thanks hunter86_bg for the suggestion but I've in testing I've been using an interval of 0.1Seconds between the requests and leaving it running for ~10 Minutes to ensure that it should trip it,
I fully understand that ICMP is connectionless, However you will find it is still tracked in the connection table and this makes sense as if you were to deny ICMP inbound but permit it outbound then if nwfilter didn't track it's state you wouldn't see the replies.
You can also confirm this by examining the conntracking table of the host while pinging it.

Code: Select all

conntrack -L -p 1

I'll keep testing on this end and exclude ICMP from the connection tracking as a test.
Open to more input from the community please & thank you

Post Reply