Page MenuHomeVyOS Platform
Create Task
Maniphest T239

Improve documentation for the firewall all-ping setting
Closed, ResolvedPublicBUG
Actions

Description

My understanding of this setting is that it would generate rules for the firewall rule sets that allow or block pings. This doesn't seem to be the case. You still need to open up the firewall manually for the ICMP echo requests. Pinging works then. However, when you put the all-ping to disabled, ping requests stop working. So probably this is a sysctl setting. On IRC, dmbaturin suggested moving the setting perhaps to system options ip.

Details

Difficulty level
Easy (less than an hour)
Version
1.1.7
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Documentation update

Event Timeline

SimonWydooghe created this task.Jan 1 2017, 12:28 PM
syncer added a project: VyOS 1.2 Crux.Jan 1 2017, 3:25 PM
syncer added a subscriber: VyOS 1.2 Crux.
pasik added a subscriber: pasik.Oct 1 2018, 9:54 AM
dmbaturin edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.Oct 13 2018, 10:46 AM
dmbaturin removed a subscriber: VyOS 1.2 Crux.
syncer changed the subtype of this task from "Task" to "Bug".Oct 20 2018, 4:51 AM
Unknown Object (User) claimed this task.Sep 16 2019, 1:40 AM
Unknown Object (User) added a subscriber: Unknown Object (User).

According to my findings, firewall all-pingaffects only to LOCAL. It does not affect to IN or OUT.

When firewall all-ping enable is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping/rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.

When firewall all-ping disable is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where they come from or whether more specific rules are being applied to accept them.

So the command affects only to LOCAL and it always behaves in the most restrictive way.

zsdc added a subscriber: zsdc.Sep 16 2019, 11:29 AM

@s.lorente, could you please add details about this option to the https://github.com/vyos/vyos-documentation?

Unknown Object (User) added a comment.Sep 16 2019, 2:33 PM

Thank you Taras. Pull request sent.
https://github.com/vyos/vyos-documentation/pull/103

Unknown Object (User) added a comment.Sep 17 2019, 4:03 PM

PR merged.

Unknown Object (User) closed this task as Resolved.Sep 17 2019, 4:03 PM
Unknown Object (User) set Why the issue appeared? to Will be filled on close.
Unknown Object (User) set Is it a breaking change? to Unspecified (possibly destroys the router).
c-po moved this task from Need Triage to Finished on the VyOS 1.3 Equuleus board.Nov 12 2019, 9:19 PM
erkin set Issue type to Improvement (missing useful functionality).Sep 1 2021, 10:59 AM
dmbaturin renamed this task from firewall all-ping setting is confusing to Improve documentation for the firewall all-ping setting.Sep 10 2021, 6:00 AM
dmbaturin edited projects, added VyOS 1.3 Equuleus (1.3.0-epa1); removed VyOS 1.3 Equuleus.
dmbaturin changed Is it a breaking change? from Unspecified (possibly destroys the router) to Perfectly compatible.
dmbaturin changed Issue type from Improvement (missing useful functionality) to Infrastructure issue or change.
dmbaturin changed Issue type from Infrastructure issue or change to Documentation update.Sep 10 2021, 6:03 AM