Hi Eric,
Thanks! I tried the following command:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
but I can still send DNS queries to 4.2.2.1. Running firewall-cmd
--list-all shows:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" destination address="4.2.2.1" reject
and running firewall-cmd --list-all-policies shows:
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv6" icmp-type name="neighbour-advertisement" accept
    rule family="ipv6" icmp-type name="neighbour-solicitation" accept
    rule family="ipv6" icmp-type name="router-advertisement" accept
    rule family="ipv6" icmp-type name="redirect" accept

myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" destination address="4.2.2.1" reject
Did I do something wrong? Do I need to change the target of
myOutputPolicy? I use iptables as the backend for firewalld; the
output of iptables -L -n is at
https://paste.opensuse.org/80095661
Thanks
On 12/28/21 12:49, Eric Garver wrote:
> On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
>> Hello,
>>
>> I am trying to block all kinds of network traffic (TCP/UDP/ICMP and so on)
>> from/to a specific IP address, and I have used the IP 4.2.2.1 as a
>> test. My firewall-cmd --list-all shows:
>>
>> root@summersnow # firewall-cmd --list-all
>> public (active)
>>   target: default
>>   icmp-block-inversion: no
>>   interfaces: wlp4s0
>>   sources:
>>   services: dhcpv6-client
>>   ports:
>>   protocols:
>>   forward: yes
>>   masquerade: no
>>   forward-ports:
>>   source-ports:
>>   icmp-blocks:
>>   rich rules:
>>     rule family="ipv4" destination address="4.2.2.1" drop
>>     rule family="ipv4" source address="4.2.2.1" drop
>>     rule family="ipv4" source address="4.2.2.1" reject
>>     rule family="ipv4" destination address="4.2.2.1" reject
>>
>> However, I can confirm that I can still receive DNS responses from it by:
>>
>> root@summersnow # nslookup twitter.com 4.2.2.1
>> Server: 4.2.2.1
>> Address: 4.2.2.1#53
>>
>> Non-authoritative answer:
>> Name: twitter.com
>> Address: 104.244.42.65
>> Name: twitter.com
>> Address: 104.244.42.129
>>
>> The rich rules above seem not working properly. Any ideas?
> Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> filter traffic received from the zone and destined to the host
> (inbound/INPUT).
>
> firewalld supports outbound filtering via policies.
>
> You can learn about them here:
> - https://firewalld.org/2020/09/policy-objects-introduction
> - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
>
>
> SOLUTION:
>
> For your use case you probably want something like the following:
>
> # firewall-cmd --permanent --new-policy myOutputPolicy
> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> This will apply your rich rule to traffic originating from the node
> running firewalld and destined to the public zone.
>
>
> Notice I omitted these two rules:
>
>> rule family="ipv4" source address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" reject
> That's because your public zone will filter these out by default. There
> is no need to explicitly reject them.
>
> I also omitted:
>
>> rule family="ipv4" destination address="4.2.2.1" drop
> because it's already covered by the similar "reject" rule. You should
> prefer "reject" over "drop" so an ICMP packet is returned and the
> connection attempt fails gracefully (and quickly).
>
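Added example, not part of the thread and not firewalld's own tooling: a small Python check that parses the listings printed by `firewall-cmd --list-all` and `firewall-cmd --list-all-policies` in the layout shown above and reports whether a reject/drop rule for traffic to a given address sits in a policy whose ingress zone is HOST (which, as Eric explains, is what filters traffic originating on the host) or only in a zone (which filters traffic coming from the zone to the host). The two sample listings embedded in the script are constructed from the output posted in this thread; the function names and the indentation assumed by the parser (fields indented, one rich rule per line after `rich rules:`) are this example's own.

```python
"""Where does a firewalld "block traffic to ADDR" rich rule actually live?

Parses the listings printed by `firewall-cmd --list-all` (zones) and
`firewall-cmd --list-all-policies` (policies) and reports whether a
reject/drop rule for traffic destined to ADDR sits in a policy with
ingress zone HOST (filters host-originated traffic) or only in a zone
(zones filter traffic from the zone to the host, not the reverse).
Sample listings below are constructed from the output posted in the thread.
"""
import re
import sys
from dataclasses import dataclass, field

ADDR_RE = re.compile(r'\b(source|destination) address="([^"]+)"')
ACTION_RE = re.compile(r"\b(accept|reject|drop)\b")


@dataclass
class Section:
    """One zone or policy: its `key: value` fields and its rich rules."""
    name: str
    fields: dict = field(default_factory=dict)
    rich_rules: list = field(default_factory=list)


def parse_list_all(text):
    """Parse list output: an unindented `name (active)` header, indented
    `key: value` lines, and one rich rule per line after `rich rules:`."""
    sections, current, in_rich = [], None, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # header line such as "public (active)"
            current = Section(name=raw.split()[0])
            sections.append(current)
            in_rich = False
            continue
        line = raw.strip()
        if current is None:
            continue
        if in_rich and line.startswith("rule "):
            current.rich_rules.append(line)
            continue
        key, _, value = line.partition(":")
        in_rich = key.strip() == "rich rules"
        if not in_rich:
            current.fields[key.strip()] = value.strip()
    return sections


def blocks_destination(rule, addr):
    """True if RULE is a reject/drop rich rule for traffic destined to ADDR."""
    m, a = ADDR_RE.search(rule), ACTION_RE.search(rule)
    return bool(m and a and m.group(1) == "destination"
                and m.group(2) == addr and a.group(1) in ("reject", "drop"))


def outbound_block_status(zone_text, policy_text, addr):
    """Policies able to block host-originated traffic to ADDR (ingress zone
    HOST plus a matching rule) versus zones that merely carry such a rule."""
    effective = [p.name for p in parse_list_all(policy_text)
                 if "HOST" in p.fields.get("ingress-zones", "").split()
                 and any(blocks_destination(r, addr) for r in p.rich_rules)]
    zone_only = [z.name for z in parse_list_all(zone_text)
                 if any(blocks_destination(r, addr) for r in z.rich_rules)]
    return {"effective_policies": effective, "zone_only_rules": zone_only}


# Constructed from the thread's listings, with the indentation firewall-cmd
# prints (two spaces before fields, a tab before each rich rule); trimmed.
SAMPLE_ZONES = """\
public (active)
  target: default
  interfaces: wlp4s0
  services: dhcpv6-client
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

SAMPLE_POLICIES = """\
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
\trule family="ipv6" icmp-type name="neighbour-advertisement" accept
\trule family="ipv6" icmp-type name="router-advertisement" accept
myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

if __name__ == "__main__":
    addr = sys.argv[1] if len(sys.argv) > 1 else "4.2.2.1"
    status = outbound_block_status(SAMPLE_ZONES, SAMPLE_POLICIES, addr)
    for z in status["zone_only_rules"]:
        print(f"zone {z}: rule only filters traffic from the zone to the host")
    for p in status["effective_policies"]:
        print(f"policy {p}: ingress HOST + destination rule, applies to host-originated traffic")
    if not status["effective_policies"]:
        print(f"no HOST-ingress policy rejects traffic to {addr}")
```

To use it on a live host, replace the two sample strings with the actual output of the two firewall-cmd commands. The check only reasons about where the rule is placed; it does not look at policy priority or at the iptables/nftables backend, so a rule it reports as effective still needs a real connection test such as the nslookup above.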