Hi Eric,
Thanks! I tried the following command:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
You need to activate these rules by reloading or restarting firewalld.
but I can still send DNS queries to 4.2.2.1. Running firewall-cmd --list-all shows:
public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
This rule is useless unless your own IP address is 4.2.2.1.
and running firewall-cmd --list-all-policies shows:
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
myOutputPolicy (active)
priority: -1
target: CONTINUE
ingress-zones: HOST
egress-zones: public
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
Did I do something wrong? Do I need to change the target of
myOutputPolicy? I used iptables as the backend of firewalld, and the
output of iptables -L -n is in
https://paste.opensuse.org/80095661
iptables -L -n -v would be more useful as it also shows details and the number of packets for each chain. But the output looks good and it most certainly works for me with the same commands (after activating the new configuration, of course).
Are you performing nslookup on the same system where firewalld is running?
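As an added illustration that is not part of this thread and not firewalld's own code: a small Python audit that parses `firewall-cmd --list-all-policies` output (a constructed sample shaped like the listing above) and reports which active policies actually filter the host's own traffic to a destination, i.e. the ingress-zone HOST condition the reply turns on. The sample indentation (two spaces for attributes, a tab for rich rules) is an assumption about the real output format.

```python
import re

# Constructed sample in the shape of the thread's `firewall-cmd --list-all-policies` output.
SAMPLE_POLICIES = """\
allow-host-ipv6 (active)
  ingress-zones: ANY
  egress-zones: HOST
myOutputPolicy (active)
  ingress-zones: HOST
  egress-zones: public
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

def parse_policies(text):
    """Return {policy name: {attribute: value, "active": bool, "rich rules": [...]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # unindented "name (active)" header line
            current = {"active": "(active)" in line, "rich rules": []}
            policies[line.split()[0]] = current
        elif current is not None:
            body = line.strip()
            if body.startswith("rule "):     # tab-indented entry under "rich rules:"
                current["rich rules"].append(body)
            elif ":" in body:
                key, _, value = body.partition(":")
                if key != "rich rules":      # that line only opens the rule list
                    current[key] = value.strip()
    return policies

def blocks_host_egress(policies, dest_ip, zone):
    """Active policies that reject/drop what this host itself sends to dest_ip via zone.
    Only a policy with ingress-zone HOST sees the host's own outbound traffic."""
    hits = []
    for name, pol in policies.items():
        ingress = pol.get("ingress-zones", "").split()
        egress = pol.get("egress-zones", "").split()
        if not pol["active"] or "HOST" not in ingress:
            continue
        if zone not in egress and "ANY" not in egress:
            continue
        for rule in pol["rich rules"]:
            m = re.search(r'destination address="([^"]+)".*\b(reject|drop)\b', rule)
            if m and m.group(1) == dest_ip:
                hits.append(name)
                break
    return hits
```

The same rich rule added to the public zone (as in the first --add-rich-rule command above) never appears here, because zone rules only match traffic arriving at the host; the audit reflects only the permanent configuration once it has been reloaded.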