ping
ICMP is a layer 3 control and diagnostics protocol of the TCP/IP suite. It underpins the ping and traceroute utilities, and its IPv6 counterpart, ICMPv6, is essential to IPv6 itself (neighbor discovery and path MTU discovery run over it).
ping is a utility that uses two of the many ICMP message types: type 8 (echo-request) and type 0 (echo-reply); on IPv6 the equivalents are ICMPv6 types 128 and 129. Message types are loosely analogous to TCP and UDP ports, but they sit one layer lower and, unlike ports, are not used to carry application data (an echo message does carry a small payload, which the reply simply copies back).
Firewall configuration
INCOMING
Although mostly harmless by itself, ICMP's diagnostic and control nature means it can be used to map a whole network or to force traffic redirection (ICMP redirect messages). To limit ICMP to reachability checks only, restrict the protocol to type 8 (echo-request) on IPv4 and to ICMPv6 type 128 (also echo-request) on IPv6. Accepting echo requests on an Internet-facing system poses no more risk than the exposure of the system itself. Be aware that dropping every other ICMP type has side effects: on IPv4 it breaks path MTU discovery (type 3, code 4), and on IPv6 it breaks Packet Too Big (type 2) and neighbor discovery (types 133 to 137), so an IPv6 host that accepts only type 128 will stop resolving its neighbors.
Depending on the platform, the message type may not be selectable until protocol ICMP has been chosen on the new firewall rule.
VyOS has a handy shortcut, enabled by default, that allows ping on all interfaces:
set firewall global-options all-ping enable
It may be disabled by setting:
set firewall global-options all-ping disable
Or by deleting the key:
delete firewall global-options all-ping
For more granular control, a dedicated high-priority rule can be created. Traffic passing through the firewall (the forward filter) is distinct from traffic addressed to the firewall itself (the input filter): echo requests from the Internet can only reach internal hosts if those hosts have publicly routable addresses, or if the firewall's own public address is NAT-forwarded to one of them, in which case the firewall can no longer be pinged on that address. That is outside the scope of this document.
The traffic addressed to the system itself is handled by the input filter, e.g.:
set firewall ipv4 input filter rule 000005 action accept
set firewall ipv4 input filter rule 000005 protocol icmp
set firewall ipv4 input filter rule 000005 icmp type-name echo-request
set firewall ipv4 input filter rule 000005 inbound-interface group dif_internal
set firewall ipv6 input filter rule 000004 action accept
set firewall ipv6 input filter rule 000004 protocol icmp
set firewall ipv6 input filter rule 000004 icmpv6 type-name echo-request
set firewall ipv6 input filter rule 000004 inbound-interface group dif_internal
The commands above cover both IPv4 and IPv6 using a previously created interface group (dif_internal), which can later be edited to expand or constrain the rule's scope without touching the rule itself.
The ICMP type is set with one of the following (the first form is the one used in the example above):
For IPv4, either the type name:
set firewall ipv4 input filter rule 000016 icmp type-name echo-request
or the numeric type (optionally with its code):
set firewall ipv4 input filter rule 000016 icmp type 8
set firewall ipv4 input filter rule 000016 icmp code 0
For IPv6, either the type name:
set firewall ipv6 input filter rule 000015 icmpv6 type-name echo-request
or the numeric type:
set firewall ipv6 input filter rule 000015 icmpv6 type 128
OUTGOING
Unless the firewall has been configured in a stateless mode or some other advanced configuration, there is no need to allow outbound ICMP echo replies: they belong to the established/related state of the accepted request and are allowed automatically.
On VyOS, echo requests from a non-routable (private) network to the Internet are configured the same way as incoming requests, but on the forward filter (set firewall ipv4 forward filter rule ...). Such a rule would also forward echo requests inbound if any publicly routable addresses exist inside the network. That is where inbound-interface comes in: using an interface group containing only the internal interfaces, the rule can be limited to one direction, if that is desired.
Echo requests from the Internet to a non-routable (i.e. NATed) network can only reach as many internal hosts as the firewall has public IP addresses, and each such address would have to be dedicated to one internal host. In other words, to ping internal hosts from the Internet the traffic must be NAT-forwarded (destination NAT).
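The following is an added, complete configuration that ties the INCOMING and OUTGOING sections together; it is not taken from the original page or from the VyOS documentation. It defines the interface group, repeats the input rules for echo requests to the firewall itself, and adds the forward rules for echo requests crossing the firewall from the internal side only. The interface names (eth0 facing the Internet, eth1 internal), the rule numbers and the use of protocol ipv6-icmp (the protocol name for ICMPv6, protocol number 58) on the IPv6 rules are assumptions made for this example; the state-policy lines are what lets the echo replies back in regardless of the per-chain rules.

```text
# Interface group holding only the internal (LAN) interfaces. eth1 is assumed.
set firewall group interface-group dif_internal interface eth1

# Let replies to accepted requests (and any other established flow) pass,
# so the forward/input rules below only need to match the echo-request.
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

# Traffic addressed to the firewall itself (input filter): echo-request only,
# and only from the internal side. If the default-action of these chains is
# set to drop, the IPv6 chain must also accept neighbor discovery
# (ICMPv6 types 133 to 136) or the firewall stops resolving its neighbors.
set firewall ipv4 input filter rule 5 action accept
set firewall ipv4 input filter rule 5 protocol icmp
set firewall ipv4 input filter rule 5 icmp type-name echo-request
set firewall ipv4 input filter rule 5 inbound-interface group dif_internal

set firewall ipv6 input filter rule 4 action accept
set firewall ipv6 input filter rule 4 protocol ipv6-icmp
set firewall ipv6 input filter rule 4 icmpv6 type-name echo-request
set firewall ipv6 input filter rule 4 inbound-interface group dif_internal

# Traffic crossing the firewall (forward filter): the same match, but the
# inbound-interface group restricts it to LAN -> Internet. Echo requests
# arriving on eth0 for a routable internal address hit the default-action.
set firewall ipv4 forward filter default-action drop
set firewall ipv4 forward filter rule 5 action accept
set firewall ipv4 forward filter rule 5 protocol icmp
set firewall ipv4 forward filter rule 5 icmp type-name echo-request
set firewall ipv4 forward filter rule 5 inbound-interface group dif_internal

set firewall ipv6 forward filter default-action drop
set firewall ipv6 forward filter rule 4 action accept
set firewall ipv6 forward filter rule 4 protocol ipv6-icmp
set firewall ipv6 forward filter rule 4 icmpv6 type-name echo-request
set firewall ipv6 forward filter rule 4 inbound-interface group dif_internal

commit
save
```

The state-policy entries do for the whole firewall what a per-chain "established/related" rule would do; with them in place the echo-reply returning from the Internet is never evaluated against the forward rules, which is why no explicit reply rule appears. Adding a second interface to the group (set firewall group interface-group dif_internal interface eth2) widens every rule that references the group without editing any of them.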
Invoking ping
The ping utility on VyOS is available from both Operational and Configuration modes. However, these are not the same: invoking ping from Configuration mode runs the underlying Linux ping utility directly, whereas invoking ping from Operational mode presents VyOS' own ⇥-completed menus, which make the Linux ping syntax easier to use, akin to that of BSD or macOS.
To invoke "VyOS' ping" (the Operational mode one) without leaving Configuration mode (e.g. when there are uncommitted changes that cannot be committed yet), simply prefix it with the run command, just as with any other Operational mode command invoked from Configuration mode.
Examples of invoking ping
Linux's ping direct invocation
In Configuration mode (notice the # prompt):
vyos@vyos# ping 9.9.9.9
Operational mode ping with VyOS' easy ⇥-completed syntax
In Operational mode (notice the $ prompt):
vyos@vyos:~$ ping 9.9.9.9
Operational mode ping with VyOS' easy ⇥-completed syntax from Configuration mode
From Configuration mode (notice the # prompt):
vyos@vyos# run ping 9.9.9.9⇥
Possible completions:
  <hostname>            Send Internet Control Message Protocol (ICMP) echo request
  <x.x.x.x>
  <h:h:h:h:h:h:h:h>

[edit]
vyos@vyos# run ping 9.9.9.9
Options
Note: the options for ping are only offered after the destination (IPv4 or IPv6 address, or hostname) has been typed.
- allow-broadcast
- audible
- bypass-route
- count
- deadline
- do-not-fragment
- flood
- interface
- interval
- ipv4
- ipv6
- mark
- no-loopback
- numeric
- pattern
- quiet
- record-route
- size
- source-address
- timestamp
- tos
- ttl
- verbose
- vrf