Description
My understanding of this setting is that it would generate rules for the firewall rule sets that allow or block pings. This doesn't seem to be the case. You still need to open up the firewall manually for the ICMP echo requests. Pinging works then. However, when you put the all-ping to disabled, ping requests stop working. So probably this is a sysctl setting. On IRC, dmbaturin suggested moving the setting perhaps to system options ip.
Details
- Difficulty level: Easy (less than an hour)
- Version: 1.1.7
- Why the issue appeared?: Will be filled on close
- Is it a breaking change?: Perfectly compatible
- Issue type: Documentation update
Event Timeline
According to my findings, firewall all-ping affects only LOCAL. It does not affect IN or OUT.
When firewall all-ping enable is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping/rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.
When firewall all-ping disable is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where they come from or whether more specific rules are being applied to accept them.
So the command affects only LOCAL and it always behaves in the most restrictive way.
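The behaviour described in the comment above, written out as VyOS configuration-mode commands. This is an added example, not part of the original thread; the ruleset name WAN_LOCAL, rule number 10 and interface eth0 are assumptions chosen for illustration.

```vyos
# Assumed names: ruleset WAN_LOCAL, rule 10, interface eth0.

# Case 1: the router answers pings addressed to itself.
# Both conditions must hold: all-ping is enabled AND the LOCAL ruleset
# bound to the ingress interface accepts ICMP echo requests.
set firewall all-ping enable
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 protocol icmp
set firewall name WAN_LOCAL rule 10 icmp type-name echo-request
set interfaces ethernet eth0 firewall local name WAN_LOCAL
commit

# Case 2: all-ping enable alone is not enough.
# Without rule 10, the ruleset's default-action drop still discards the
# echo request, so the router stays silent even though all-ping is enabled.
delete firewall name WAN_LOCAL rule 10
commit

# Case 3: all-ping disable overrides an accept rule.
# With rule 10 restored, the LOCAL ruleset accepts the echo request,
# but the router still sends no reply because all-ping is disabled.
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 protocol icmp
set firewall name WAN_LOCAL rule 10 icmp type-name echo-request
set firewall all-ping disable
commit

# In all three cases, pings forwarded THROUGH the router are governed only
# by the IN and OUT rulesets; all-ping has no effect on them.
```

In every case the effective result for traffic addressed to the router is the more restrictive of the two settings, which is what to check first when an audit finds an accept rule for echo requests but the router does not answer.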
@s.lorente, could you please add details about this option to the https://github.com/vyos/vyos-documentation?
Thank you Taras. Pull request sent.
https://github.com/vyos/vyos-documentation/pull/103