Hi Eric,
Thank you so much! The commands work after rebooting. However, I still
cannot figure out why simply using:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="4.2.2.1" reject'
would not block all incoming DNS responses from 4.2.2.1. I think that by
either filtering the incoming packets by IP of source, or outgoing packets
by the IP of destination (using the outbound filtering you have mentioned),
my computer cannot query 4.2.2.1 for DNS responses. Is that right?
Thanks again for your help
On Mon, Jan 3, 2022 at 7:56 AM Eric Garver <egarver(a)redhat.com> wrote:
I don't see anything wrong. The generated iptables rules look
correct.
But I couldn't verify the interfaces/counters because -v wasn't used.
Can you use the -v option to iptables to show counters?
# iptables -v -n -L filter
# iptables -v -n -L nat
# iptables -v -n -L mangle
# iptables -v -n -L raw
On Tue, Dec 28, 2021 at 01:44:20PM -0600, summersnow wrote:
> Hi Eric,
>
> Thanks! I tried the following command:
>
> # firewall-cmd --permanent --new-policy myOutputPolicy
> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
> # firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> but I can still send DNS queries to 4.2.2.1. Running firewall-cmd --list-all
> shows:
>
> public (active)
> target: default
> icmp-block-inversion: no
> interfaces: wlp4s0
> sources:
> services: dhcpv6-client
> ports:
> protocols:
> forward: yes
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule family="ipv4" destination address="4.2.2.1" reject
>
> and running firewall-cmd --list-all-policies shows:
>
> allow-host-ipv6 (active)
> priority: -15000
> target: CONTINUE
> ingress-zones: ANY
> egress-zones: HOST
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule family="ipv6" icmp-type name="neighbour-advertisement" accept
> rule family="ipv6" icmp-type name="neighbour-solicitation" accept
> rule family="ipv6" icmp-type name="router-advertisement" accept
> rule family="ipv6" icmp-type name="redirect" accept
>
> myOutputPolicy (active)
> priority: -1
> target: CONTINUE
> ingress-zones: HOST
> egress-zones: public
> services:
> ports:
> protocols:
> masquerade: no
> forward-ports:
> source-ports:
> icmp-blocks:
> rich rules:
> rule family="ipv4" destination address="4.2.2.1" reject
>
> Did I do something wrong? Do I need to change the target of myOutputPolicy?
> I used iptables as the backend of firewalld, and the output of iptables -L -n is in
> https://paste.opensuse.org/80095661
>
> Thanks
>
>
> On 12/28/21 12:49, Eric Garver wrote:
> > On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
> > > Hello,
> > >
> > > I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
> > > from/to a specific IP address, and I have used the IP 4.2.2.1 as a
> > > test. My firewall-cmd --list-all shows:
> > >
> > > root@summersnow # firewall-cmd --list-all
> > > public (active)
> > > target: default
> > > icmp-block-inversion: no
> > > interfaces: wlp4s0
> > > sources:
> > > services: dhcpv6-client
> > > ports:
> > > protocols:
> > > forward: yes
> > > masquerade: no
> > > forward-ports:
> > > source-ports:
> > > icmp-blocks:
> > > rich rules:
> > > rule family="ipv4" destination address="4.2.2.1" drop
> > > rule family="ipv4" source address="4.2.2.1" drop
> > > rule family="ipv4" source address="4.2.2.1" reject
> > > rule family="ipv4" destination address="4.2.2.1" reject
> > >
> > > However, I can confirm that I can still receive DNS responses from it by:
> > >
> > > root@summersnow # nslookup twitter.com 4.2.2.1
> > > Server: 4.2.2.1
> > > Address: 4.2.2.1#53
> > >
> > > Non-authoritative answer:
> > > Name: twitter.com
> > > Address: 104.244.42.65
> > > Name: twitter.com
> > > Address: 104.244.42.129
> > >
> > > The rich rules above do not seem to be working properly. Any ideas?
> > Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> > filter traffic received from the zone and destined to the host
> > (inbound/INPUT).
> >
> > firewalld supports outbound filtering via policies.
> >
> > You can learn about them here:
> > - https://firewalld.org/2020/09/policy-objects-introduction
> > - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
> >
> >
> > SOLUTION:
> >
> > For your use case you probably want something like the following:
> >
> > # firewall-cmd --permanent --new-policy myOutputPolicy
> > # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> > # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> > # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
> >
> > This will apply your rich rule to traffic originating from the node
> > running firewalld and destined to the public zone.
> >
> >
> > Notice I omitted these two rules:
> >
> > > rule family="ipv4" source address="4.2.2.1" drop
> > > rule family="ipv4" source address="4.2.2.1" reject
> > That's because your public zone will filter these out by default. There
> > is no need to explicitly reject them.
> >
> > I also omitted:
> >
> > > rule family="ipv4" destination address="4.2.2.1" drop
> > because it's already covered by the similar "reject" rule. You should
> > prefer "reject" over "drop" so an ICMP packet is returned and the
> > connection attempt fails gracefully (and quickly).
> >
>
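The thread turns on one distinction: a rich rule in a zone only sees traffic received from that zone (inbound), while a rule meant for traffic the host itself sends has to live in a policy whose ingress zone is HOST. The following Python is an added example, not code from the thread or from the firewalld project. It parses the text that `firewall-cmd --list-all` and `firewall-cmd --list-all-policies` print and reports, for a given address, which destination rules are actually in a position to filter host-originated traffic and which ones are sitting uselessly in a zone. The sample listings are constructed to mirror the ones in the mails (with the two-space/tab indentation firewalld normally prints; the parser strips indentation, so the flattened listings from the mail parse too). The check treats only an explicit `HOST` in `ingress-zones` as covering host-originated traffic; treating `ANY` as not including HOST is an assumption of this example.

```python
"""Added example: audit where firewalld rich rules for an address take effect.

Zones filter inbound traffic; host-originated traffic is only seen by a
policy with ingress zone HOST.  Sample listings below are constructed.
"""
import re

# "public (active)", "allow-host-ipv6 (active)", or a bare "myOutputPolicy"
HEADER_RE = re.compile(r'^(?P<name>[\w-]+)(?: \((?P<state>\w+)\))?$')
FIELD_RE = re.compile(r'^(?P<key>[\w-]+(?: [\w-]+)*):\s*(?P<value>.*)$')
ADDR_RE = re.compile(r'\b(?P<dir>source|destination) address="(?P<addr>[^"]+)"')


def parse_listing(text):
    """Parse --list-all / --list-all-policies output.

    Returns {name: {'active': bool, 'fields': {key: value}, 'rich_rules': [str]}}.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()            # tolerate tab/space indentation or none
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = {'active': header.group('state') == 'active',
                       'fields': {}, 'rich_rules': []}
            blocks[header.group('name')] = current
        elif current is None:
            continue                  # text before the first zone/policy header
        elif line.startswith('rule '):
            current['rich_rules'].append(line)
        else:
            field = FIELD_RE.match(line)
            if field:
                current['fields'][field.group('key')] = field.group('value')
    return blocks


def rule_direction(rule, address):
    """'source' or 'destination' if the rich rule names address, else None."""
    m = ADDR_RE.search(rule)
    return m.group('dir') if m and m.group('addr') == address else None


def audit_outbound_block(address, zone_text, policy_text):
    """Classify every rich rule naming address.

    effective: destination rules in a policy with ingress zone HOST; these
               filter what this host sends to address.
    misplaced: destination rules in a zone (or a policy without HOST ingress);
               zones only see inbound traffic, so they never match.
    inbound:   source-address rules; they act on packets arriving from address.
    """
    report = {'effective': [], 'misplaced': [], 'inbound': []}
    for zone, info in parse_listing(zone_text).items():
        for rule in info['rich_rules']:
            d = rule_direction(rule, address)
            if d == 'destination':
                report['misplaced'].append((zone, rule))
            elif d == 'source':
                report['inbound'].append((zone, rule))
    for pol, info in parse_listing(policy_text).items():
        ingress = info['fields'].get('ingress-zones', '').split()  # assumption: ANY != HOST
        for rule in info['rich_rules']:
            d = rule_direction(rule, address)
            if d == 'destination' and 'HOST' in ingress:
                report['effective'].append((pol, rule))
            elif d == 'destination':
                report['misplaced'].append((pol, rule))
            elif d == 'source':
                report['inbound'].append((pol, rule))
    return report


# Constructed: the zone from the first mail (four rich rules, no custom policy).
ZONE_FIRST_TRY = """\
public (active)
  target: default
  interfaces: wlp4s0
  services: dhcpv6-client
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" drop
\trule family="ipv4" source address="4.2.2.1" drop
\trule family="ipv4" source address="4.2.2.1" reject
\trule family="ipv4" destination address="4.2.2.1" reject
"""

# Constructed: the policies after following the recipe in the thread.
POLICIES_AFTER = """\
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
\trule family="ipv6" icmp-type name="neighbour-advertisement" accept
\trule family="ipv6" icmp-type name="redirect" accept

myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

if __name__ == "__main__":
    for kind, hits in audit_outbound_block('4.2.2.1', ZONE_FIRST_TRY, POLICIES_AFTER).items():
        print(kind, hits)
```

Run against the first mail's zone with no custom policy, the report has an empty `effective` list, which is exactly the situation in which nslookup still reaches 4.2.2.1; with myOutputPolicy present the reject rule shows up as effective while the two destination rules in the zone are reported as misplaced. The parser reads the live listings just as well: feed it the output of `firewall-cmd --list-all` and `firewall-cmd --list-all-policies` instead of the constructed strings.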