Rich rules of blocking traffic to a specific IP seem not to work
by Snow Summer
Hello,
I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic from/to a specific IP address, and I have used the IP 4.2.2.1 as a test. My firewall-cmd --list-all shows:
root@summersnow # firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" reject
rule family="ipv4" destination address="4.2.2.1" reject
However, I can confirm that I can still receive DNS responses from it by:
root@summersnow # nslookup twitter.com 4.2.2.1
Server: 4.2.2.1
Address: 4.2.2.1#53
Non-authoritative answer:
Name: twitter.com
Address: 104.244.42.65
Name: twitter.com
Address: 104.244.42.129
The rich rules above don't seem to be working properly. Any ideas?
Thanks,
HanatoK
2 years, 2 months
Setting Deny Forward Rules with Firewalld
by Sean Zimmermann
Hi everyone,
I'm trying to set up a firewall so one of my VMs is barred from accessing the LAN (if saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do this in nftables here:
table inet ext_only {
    chain input {
        type filter hook input priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 drop
    }
    chain forward {
        type filter hook forward priority filter - 10; policy accept;
        ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
    }
}
However, I've been having trouble trying to figure out the correct way to do this for firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I couldn't figure out how to write a forward deny rule.
What is the recommended way to handle dropping forwarded packets?
Thank you for any help with this.
Regards,
Sean
2 years, 2 months
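Neither of the two questions above gets an answer in this digest. As an added example (not code from either poster), the script below handles both cases with firewalld policy objects: zones only filter traffic that enters through them, so the host's own DNS query to 4.2.2.1 (first post) and forwarded VM-to-LAN traffic (second post) need a policy rather than a zone rich rule. Assumptions: firewalld >= 0.9, the FW_CMD variable (only there so the commands can be stubbed in a test), and the zone names "vms" and "public".

```bash
#!/bin/bash
# Added example, not from either poster: firewalld zones only filter traffic that
# *enters* through the zone, so a zone rich rule never matches the DNS query this
# host sends to 4.2.2.1, and the reply is then accepted as part of an established
# connection. Host-originated and forwarded traffic is filtered with policy
# objects (firewalld >= 0.9). FW_CMD is an assumption so a test can stub firewall-cmd.
FW_CMD=${FW_CMD:-firewall-cmd}

# new_policy NAME INGRESS EGRESS RICH_RULE: create a permanent policy that applies
# to packets entering via INGRESS and leaving via EGRESS, holding one rich rule.
new_policy() {
    local name="$1" ingress="$2" egress="$3" rule="$4"
    "$FW_CMD" --permanent --new-policy "$name" &&
    "$FW_CMD" --permanent --policy "$name" --add-ingress-zone "$ingress" &&
    "$FW_CMD" --permanent --policy "$name" --add-egress-zone "$egress" &&
    "$FW_CMD" --permanent --policy "$name" --add-rich-rule="$rule"
}

# First post: drop everything the host itself sends to the given address. HOST is
# firewalld's symbolic zone for locally generated traffic; ANY matches every egress zone.
block_host_egress() {
    new_policy blockdns HOST ANY \
        "rule family=ipv4 destination address=$1 drop"
}

# Second post: drop forwarded packets from the VM that arrive through the VM's zone
# and would leave toward the LAN zone. Zone names "vms" and "public" are assumptions.
block_vm_forward() {
    new_policy vm-no-lan vms public \
        "rule family=ipv4 source address=$1 destination address=$2 drop"
}

if [ "${FW_APPLY:-}" = 1 ]; then   # FW_APPLY=1 ./script.sh applies the changes
    block_host_egress 4.2.2.1 &&
    block_vm_forward 192.168.100.100 192.168.0.0/16 &&
    "$FW_CMD" --reload
fi
```

Verify afterwards with firewall-cmd --info-policy blockdns and firewall-cmd --info-policy vm-no-lan.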
firewalld: removing rich-rules based on its own list fails
by patrickl@fedoraproject.org
Hi,
I asked this earlier on the CentOS ML and got the pointer to ask here.
Firewalld-0.9.3-7 on EL8.5
I have some ansible roles which each create some firewalld rich-rules.
For ansible idempotency I tried to remove any dns related rich-rules
before creating new ones in the dns playbook. After some searching I
came up with this:
#!/bin/bash
OLDIFS=$IFS
IFS=''
while read -r line; do
    firewall-cmd --zone=public --permanent --remove-rich-rule=\'$line\'
done <<< $(firewall-cmd --zone=public --list-rich-rules | egrep 'dns|53')
IFS=$OLDIFS
But this fails with for example:
Error: INVALID_RULE: internal error in _lexer(): rule family="ipv4"
source NOT address="46.23.XX.0/24" forward-port port="53" protocol="udp"
to-port="60053" to-addr="46.23.XX.53"
Using the line from the error prepended with firewall-cmd --zone=public
--permanent --remove-rich-rule= works fine. My googling & variations
came up empty. Anyone know why this is failing and could possibly share
how to make this work?
Thanks!
Best,
Patrick
2 years, 3 months
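As an added example (not the poster's script), here is the same loop written so that the rule text reaches firewalld unchanged: the backslash-escaped quotes in --remove-rich-rule=\'$line\' put literal quote characters into the argument, which is what the lexer rejects. The FW_CMD variable is an assumption that only exists so the commands can be stubbed in a test.

```bash
#!/bin/bash
# Added example (not the poster's script): remove every permanent rich rule in a
# zone whose text matches a regex, feeding firewall-cmd's own list output back in.
# The poster's loop wrote --remove-rich-rule=\'$line\': the backslashes put
# literal quote characters INTO the argument, and firewalld's lexer rejects them
# (INVALID_RULE). "$rule" alone already keeps the spaces of the rule together.
# FW_CMD is an assumption so a test can stand in a stub for firewall-cmd.
FW_CMD=${FW_CMD:-firewall-cmd}

# list_matching_rules ZONE REGEX: print matching permanent rich rules, one per line.
# Listing with --permanent matters: --remove-rich-rule --permanent only finds
# rules present in the permanent configuration, not runtime-only ones.
list_matching_rules() {
    "$FW_CMD" --zone="$1" --permanent --list-rich-rules | grep -E -- "$2"
}

# remove_matching_rules ZONE REGEX: remove each matching rule; print how many.
remove_matching_rules() {
    local zone="$1" regex="$2"
    list_matching_rules "$zone" "$regex" | {
        count=0
        # IFS= and -r keep leading blanks and backslashes in the rule text intact.
        while IFS= read -r rule; do
            [ -n "$rule" ] || continue
            "$FW_CMD" --zone="$zone" --permanent --remove-rich-rule="$rule" || {
                echo "failed to remove: $rule" >&2
                continue
            }
            count=$((count + 1))
        done
        echo "$count"
    }
}

# Usage (changes take effect after a reload):
#   remove_matching_rules public 'dns|53' && firewall-cmd --reload
```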
How do I get a specific text in the firewall log for specified tcp ports in zone public?
by Freek de Kruijf
Using firewalld version 1.0.1, using rsyslog to collect firewall log messages with standard definition for /var/log/firewall.
I have eth0 in zone public.
In zone internal I have a number of addresses, mainly local, as sources, a port, and a few services, to allow access to this port and the services from the sources.
In zone public I have a few ports to allow access to, among others with: "firewall-cmd --add-port=8000/tcp --zone=public --permanent".
A number of port forwards of other ports to these ports, among others with: "firewall-cmd --add-forward-port=port=5555:proto=tcp:toport=8000 --permanent".
And for all other ports a number of the following rich rules, among others:
firewall-cmd --add-rich-rule='rule port port=5556-7546 protocol=tcp log prefix="SPECIFICTEXT " reject' --zone=public --permanent
where ports like 5556 and 7546 are port numbers which cover all other ports from 1 to 65535.
When I start tcpdump on eth0 and a specific port among the ones in the rich rules, and connect from an IP address not in the sources in internal, I do see packets coming in. However, I don't see any message arriving in the firewall log.
How do I get these messages in that log?
When I have the same rich rule in zone internal for a specific range of ports and I connect to such a port from a source in zone internal I do get a log entry in /var/log/firewall.
2 years, 3 months
RE: Welcome to the "firewalld-users" mailing list
by Roman Khan Bangash
2 years, 3 months