16

On CentOS 7, I have installed and setup firewalld as follows:

  1. Add ssh service to drop zone permanently (sudo firewall-cmd --zone=drop --permanent --add-service=ssh)
  2. Make drop zone the default zone so that all non ssh requests are dropped (sudo firewall-cmd --set-default-zone=drop)

I have taken the above approach as I want to drop all incoming requests apart from those that I have configured (ssh, http, etc). However, I find that I can no longer ping the CentOS server and I believe this is because of the default zone being drop.

My question is quite simple. Can anybody shed some light as to how I can edit the configuration of the drop zone so that it allows me to ping the server from outside?

Many thanks. I am a novice with firewalls, networking, etc, but I am hoping this will be an easy question for someone to answer :)

Eric Renouf
  • 1,894

4 Answers

12

I realize that this has been out there for a while, but I found it and others might as well, so I'm going to add what I think is a little cleaner answer. Red Hat has a good article about this: managing icmp requests

I'll hit the basic commands here to use after you switch the target to DROP:

firewall-cmd --permanent --add-icmp-block-inversion
firewall-cmd --permanent --add-icmp-block=echo-reply
firewall-cmd --permanent --add-icmp-block=echo-request
firewall-cmd --reload

The first command changes the meaning of icmp-block to icmp-allow. After that you just list types of icmp that you want to allow. You can get a list of all types with:

firewall-cmd --get-icmptypes

There are a few other things you probably want to allow (especially for IPv6).

For traceroute:

firewall-cmd --permanent --add-icmp-block=time-exceeded
firewall-cmd --permanent --add-icmp-block=port-unreachable

For MTU discovery:

firewall-cmd --permanent --add-icmp-block=fragmentation-needed
firewall-cmd --permanent --add-icmp-block=packet-too-big

For dynamic IPv6 environments:

firewall-cmd --permanent --add-icmp-block=neighbour-solicitation
firewall-cmd --permanent --add-icmp-block=neighbour-advertisement
firewall-cmd --permanent --add-icmp-block=router-advertisement
firewall-cmd --permanent --add-icmp-block=router-solicitation
Alberto
  • 103
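To see what the commands in this answer actually change, it helps to look at the permanent zone file that `firewall-cmd --permanent` writes under `/etc/firewalld/zones/<zone>.xml` (format per firewalld.zone(5)). The script below is an added example, not code from the answer or from the firewalld project: it parses a constructed sample of such a file, models the icmp-block / icmp-block-inversion semantics the answer describes, reports which of the recommended ICMP types are still not allowed, and prints the `firewall-cmd` invocations that would add them. The treatment of the zone target (a DROP target drops unlisted ICMP, ACCEPT or the default target lets it through) is an assumption based on the behaviour this thread observed; confirm on a real host with `firewall-cmd --query-icmp-block-inversion` and `firewall-cmd --query-icmp-block=<type>`.

```python
"""Audit a firewalld permanent zone file for ICMP handling (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/drop.xml as it might look after
# running the answer's four commands plus the traceroute pair. Not from a real host.
SAMPLE_DROP_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped.</description>
  <service name="ssh"/>
  <icmp-block name="echo-reply"/>
  <icmp-block name="echo-request"/>
  <icmp-block name="time-exceeded"/>
  <icmp-block name="port-unreachable"/>
  <icmp-block-inversion/>
</zone>
"""

# ICMP types the answer recommends, grouped by what stops working without them.
RECOMMENDED = {
    "ping": ["echo-request", "echo-reply"],
    "traceroute": ["time-exceeded", "port-unreachable"],
    "pmtu": ["fragmentation-needed", "packet-too-big"],
    "ipv6-nd": ["neighbour-solicitation", "neighbour-advertisement",
                "router-advertisement", "router-solicitation"],
}


def parse_zone(xml_text):
    """Return the zone target, its icmp-block entries and whether inversion is on."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),
        "inversion": root.find("icmp-block-inversion") is not None,
        "icmp_blocks": [e.get("name") for e in root.findall("icmp-block")],
        "services": [e.get("name") for e in root.findall("service")],
    }


def icmp_type_allowed(zone, icmp_type):
    """Model firewalld's icmp-block semantics for a single ICMP type.

    With inversion on, the listed types are the only ones accepted.
    Without inversion, listed types are blocked; unlisted types pass only if
    the zone target accepts unmatched traffic (ACCEPT or default). A DROP
    target drops unlisted ICMP, which is why ping failed in the question.
    (Assumption: matches the behaviour observed in this thread.)
    """
    listed = icmp_type in zone["icmp_blocks"]
    if zone["inversion"]:
        return listed
    if listed:
        return False
    return zone["target"] in ("ACCEPT", "default")


def missing_recommended(zone, groups=RECOMMENDED):
    """Recommended ICMP types that the zone still does not allow, per group."""
    return {
        group: [t for t in types if not icmp_type_allowed(zone, t)]
        for group, types in groups.items()
    }


def commands_to_allow(zone_name, zone, types):
    """firewall-cmd invocations that would allow the given types in this zone."""
    cmds = []
    if not zone["inversion"]:
        cmds.append(f"firewall-cmd --permanent --zone={zone_name} --add-icmp-block-inversion")
    for t in types:
        if t not in zone["icmp_blocks"]:
            cmds.append(f"firewall-cmd --permanent --zone={zone_name} --add-icmp-block={t}")
    cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_DROP_ZONE)
    print("target:", zone["target"], "| inversion:", zone["inversion"])
    print("ping (echo-request) allowed:", icmp_type_allowed(zone, "echo-request"))
    for group, missing in missing_recommended(zone).items():
        if missing:
            print(f"{group}: still blocked {missing}")
    print("\n".join(commands_to_allow("drop", zone, RECOMMENDED["pmtu"])))
```

Run it against a copy of your own zone file (`parse_zone(open("/etc/firewalld/zones/drop.xml").read())`) to check that inversion is really set before trusting the block list as an allow list; the same `<icmp-block>` entries mean the opposite thing when `<icmp-block-inversion/>` is absent.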
6

Add the following "iptables" rule to firewalld

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
sudo systemctl restart firewalld.service
user
  • 30,336
0

My solution:

firewall-cmd --permanent --new-service=icmp
firewall-cmd --permanent --service=icmp --add-protocol=icmp
firewall-cmd --permanent --zone=public --add-service=icmp
firewall-cmd --reload
iTrooz
  • 11
  • 1
-3

I'm using iptables mostly but install and configure CSF for my clients.

If you have to use the console, then why not use iptables as the standard firewall tool? And if you don't feel comfortable enough, then use CSF. It's good!

iptables -I INPUT 1 -p icmp -j ACCEPT

Easy as it can be! Take a look here for a few examples about iptables too; it may help.