On Mon, Dec 18, 2017 at 02:20:25PM -0800, Kenneth Porter wrote:
On 8/19/2017 3:42 AM, Kenneth Porter wrote:
Instead of a direct rule, create a zone that drops always and specify that zone's source as the ipset.
I've discovered a problem with this, and I think it's involved with firewalld's definition of "source".
On my gateway I created an ipset of address blocks that should not be allowed to connect to my gateway and added it as a source to a drop zone. (Outbound connections to those addresses should be allowed.) The firewall is now dropping all packets from internal clients to external clients in this range. I.e. packets in which the destination address, not the source address, is in the ipset!
What does firewalld mean by "source"? Doesn't it mean that the address is only checked in the source field?
It is also checking on the FORWARD chain for both input and output. But for the output it checks the destination and does a goto to the FDO_* chain. It seems unlikely that you would have a drop statement in that chain, but it's worth a look.
# firewall-cmd --add-source=10.10.1.1/24
# iptables -v -n -L | grep 10.10.1
 pkts bytes target       prot opt in  out  source        destination
    0     0 FWDI_public  all  --  *   *    10.10.1.0/24  0.0.0.0/0     [goto]
    0     0 FWDO_public  all  --  *   *    0.0.0.0/0     10.10.1.0/24  [goto]
    0     0 IN_public    all  --  *   *    10.10.1.0/24  0.0.0.0/0     [goto]
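As an added illustration of the check suggested above (not code from the thread or from firewalld), the script below parses `iptables -v -n -L` output, lists every rule that matches a given address block in the destination column rather than the source column, and reports whether the chain that rule jumps to ends in an unconditional DROP/REJECT. The listing it runs on is constructed: it copies the rules shown above and adds a hypothetical FWDO_drop chain so there is something to flag.

```python
"""Audit iptables -v -n -L output for firewalld "source" rules that really
match on the destination field (the FWDO_* goto described in the reply)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: the FORWARD rules from the listing above plus a
# hypothetical FWDO_drop chain that drops everything.
SAMPLE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source         destination
    0     0 FWDI_public all  --  *      *       10.10.1.0/24   0.0.0.0/0     [goto]
    0     0 FWDO_public all  --  *      *       0.0.0.0/0      10.10.1.0/24  [goto]
    0     0 FWDO_drop   all  --  *      *       0.0.0.0/0      192.0.2.0/24  [goto]

Chain FWDO_drop (1 references)
 pkts bytes target     prot opt in     out     source         destination
    0     0 DROP       all  --  *      *       0.0.0.0/0      0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")

def parse_rules(listing):
    """Return {chain: [(target, source, destination), ...]} from -v -n -L text."""
    chains, chain = defaultdict(list), None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        cols = line.split()  # pkts bytes target prot opt in out source destination
        if chain is None or len(cols) < 9 or not cols[0].isdigit():
            continue  # header line, blank line, or text before the first chain
        chains[chain].append((cols[2], cols[7], cols[8]))
    return chains

def destination_hits(chains, block):
    """(chain, target, destination, unconditional_drop) for rules whose
    *destination* column covers `block`; source-only matches are ignored."""
    net, hits = ipaddress.ip_network(block, strict=False), []
    for chain, rules in chains.items():
        for target, _src, dst in rules:
            if dst.startswith("!") or dst == "0.0.0.0/0":
                continue  # negated or wildcard destination: not a specific match
            if not ipaddress.ip_network(dst, strict=False).overlaps(net):
                continue
            drops = any(t in ("DROP", "REJECT") and s == d == "0.0.0.0/0"
                        for t, s, d in chains.get(target, []))
            hits.append((chain, target, dst, drops))
    return hits

if __name__ == "__main__":
    for hit in destination_hits(parse_rules(SAMPLE), "10.10.1.1/24"):
        print("%s -> %s matches destination %s; unconditional drop: %s" % hit)
```

Run it against real output with `iptables -v -n -L | python3 audit.py` after replacing SAMPLE with `sys.stdin.read()`; a `True` in the last column is the case the reply above says is worth a look.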