I have two VMs, both with firewalld installed. On one machine I see this in the IN_public chain:
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
81 3423 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
79 3335 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
On the other I see:
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
101 4232 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
As might be expected, pinging the first VM fails. That is, the ping is rejected with:
[emmett@ws1 ~]$ ping 96.92.106.4
PING 96.92.106.4 (96.92.106.4) 56(84) bytes of data.
From 96.92.106.4 icmp_seq=1 Destination Host Prohibited
From 96.92.106.4 icmp_seq=2 Destination Host Prohibited
And pinging the second works as expected.
I've searched the firewalld configuration files in /usr/lib/firewalld and /etc/firewalld and can find no reference to any icmp rule. The two machines were cloned originally from the same VM. Why are they different?
How can I remove the reject-with icmp rule using firewalld? I can remove it using "iptables -D [IN_public | FWDO_public | FWDI_public ] 4" and I can then ping that machine. But of course the rule is returned whenever firewalld is restarted.
Emmett
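A small helper for the comparison Emmett is doing by eye above. This is an added example, not code from the post: it parses the text that `iptables -nvL <chain>` prints on each VM, strips the packet and byte counters (which always differ between hosts), and reports which rules exist on only one side. The two dumps embedded below are reconstructed from the listings in the post and are constructed sample input, not captured output; the `Rule` type and the function names are this example's own.

```python
"""Diff the rules of one iptables chain between two hosts.

Added example, not part of the original post. Save `iptables -nvL IN_public`
from each VM to a file, read both files, and call diff_chain() on them.
"""
import re
from dataclasses import dataclass

# Constructed sample input, reconstructed from the two listings in the post.
VM1_DUMP = """\
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
81 3423 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
81 3423 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
79 3335 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
"""

VM2_DUMP = """\
Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
101 4232 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
101 4232 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
1 84 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
"""


@dataclass(frozen=True)
class Rule:
    """One rule with the volatile pkts/bytes counters stripped off."""
    target: str
    proto: str
    source: str
    destination: str
    extra: str  # trailing options, e.g. 'reject-with icmp-host-prohibited'


_HEADER = re.compile(r"^\s*pkts\s+bytes\s+target\b")


def parse_chain(dump: str, chain: str) -> list[Rule]:
    """Return the rules of `chain` from an `iptables -nvL` dump, in order."""
    rules: list[Rule] = []
    in_chain = False
    for line in dump.splitlines():
        if line.startswith("Chain "):
            # 'Chain NAME (N references)' starts a new chain block
            in_chain = line.split()[1] == chain
            continue
        if not in_chain or not line.strip() or _HEADER.match(line):
            continue
        f = line.split()
        # Columns: pkts bytes target prot opt in out source destination [options...]
        if len(f) < 9:
            continue
        rules.append(Rule(f[2], f[3], f[7], f[8], " ".join(f[9:])))
    return rules


def diff_chain(dump_a: str, dump_b: str, chain: str) -> tuple[list[Rule], list[Rule]]:
    """Rules present only in A and rules present only in B, ignoring counters."""
    a, b = parse_chain(dump_a, chain), parse_chain(dump_b, chain)
    return [r for r in a if r not in b], [r for r in b if r not in a]


def describe(rule: Rule) -> str:
    """Human-readable one-line form of a rule."""
    return f"{rule.target} {rule.proto} {rule.source} -> {rule.destination} {rule.extra}".rstrip()


if __name__ == "__main__":
    only_vm1, only_vm2 = diff_chain(VM1_DUMP, VM2_DUMP, "IN_public")
    for r in only_vm1:
        print("only on VM1:", describe(r))
    for r in only_vm2:
        print("only on VM2:", describe(r))
```

The same diff is worth repeating on firewalld's own view of the zone rather than only on the kernel's: `firewall-cmd --zone=public --list-all` shows the running configuration and the same command with `--permanent` shows what will be reloaded on restart, so a rule that appears in one listing but not the other narrows down where the difference between two cloned hosts was introduced.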