Hi Eric,

Thank you so much! The commands work after rebooting. However, I still cannot figure out why simply using:

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="4.2.2.1" reject'

would not block all incoming DNS responses from 4.2.2.1. I think that by either filtering the incoming packets by source IP, or the outgoing packets by destination IP (using the outbound filtering you have mentioned), my computer cannot query 4.2.2.1 for DNS responses. Is that right?

Thanks again for your help


On Mon, Jan 3, 2022 at 7:56 AM Eric Garver <egarver@redhat.com> wrote:
I don't see anything wrong. The generated iptables rules look correct.
But I couldn't verify the interfaces/counters because -v wasn't used.

Can you use the -v option to iptables to show counters?

  # iptables -t filter -v -n -L
  # iptables -t nat -v -n -L
  # iptables -t mangle -v -n -L
  # iptables -t raw -v -n -L

On Tue, Dec 28, 2021 at 01:44:20PM -0600, summersnow wrote:
> Hi Eric,
>
> Thanks! I tried the following command:
>
> # firewall-cmd --permanent --new-policy myOutputPolicy
> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
> # firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> but I can still send a DNS query to 4.2.2.1. Running firewall-cmd --list-all
> shows:
>
> public (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: wlp4s0
>   sources:
>   services: dhcpv6-client
>   ports:
>   protocols:
>   forward: yes
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>     rule family="ipv4" destination address="4.2.2.1" reject
>
> and running firewall-cmd --list-all-policies shows:
>
> allow-host-ipv6 (active)
>   priority: -15000
>   target: CONTINUE
>   ingress-zones: ANY
>   egress-zones: HOST
>   services:
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>     rule family="ipv6" icmp-type name="neighbour-advertisement" accept
>     rule family="ipv6" icmp-type name="neighbour-solicitation" accept
>     rule family="ipv6" icmp-type name="router-advertisement" accept
>     rule family="ipv6" icmp-type name="redirect" accept
>
> myOutputPolicy (active)
>   priority: -1
>   target: CONTINUE
>   ingress-zones: HOST
>   egress-zones: public
>   services:
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>     rule family="ipv4" destination address="4.2.2.1" reject
>
> Did I do something wrong? Do I need to change the target of myOutputPolicy?
> I used iptables as the backend of firewalld, and the output of iptables -L
> -n is in https://paste.opensuse.org/80095661
>
> Thanks
>
>
> On 12/28/21 12:49, Eric Garver wrote:
> > On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
> > > Hello,
> > >
> > > I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
> > > from/to a specific IP address, and I have used the IP 4.2.2.1 as a test.
> > > My firewall-cmd --list-all shows:
> > >
> > > root@summersnow # firewall-cmd --list-all
> > > public (active)
> > >    target: default
> > >    icmp-block-inversion: no
> > >    interfaces: wlp4s0
> > >    sources:
> > >    services: dhcpv6-client
> > >    ports:
> > >    protocols:
> > >    forward: yes
> > >    masquerade: no
> > >    forward-ports:
> > >    source-ports:
> > >    icmp-blocks:
> > >    rich rules:
> > >      rule family="ipv4" destination address="4.2.2.1" drop
> > >      rule family="ipv4" source address="4.2.2.1" drop
> > >      rule family="ipv4" source address="4.2.2.1" reject
> > >      rule family="ipv4" destination address="4.2.2.1" reject
> > >
> > > However, I can confirm that I can still receive DNS responses from it by:
> > >
> > > root@summersnow # nslookup twitter.com 4.2.2.1
> > > Server:           4.2.2.1
> > > Address:  4.2.2.1#53
> > >
> > > Non-authoritative answer:
> > > Name:     twitter.com
> > > Address: 104.244.42.65
> > > Name:     twitter.com
> > > Address: 104.244.42.129
> > >
> > > The rich rules above do not seem to be working properly. Any ideas?
> > Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> > filter traffic received from the zone and destined to the host
> > (inbound/INPUT).
> >
> > firewalld supports outbound filtering via policies.
> >
> > You can learn about them here:
> >    - https://firewalld.org/2020/09/policy-objects-introduction
> >    - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic
> >
> >
> > SOLUTION:
> >
> > For your use case you probably want something like the following:
> >
> >    # firewall-cmd --permanent --new-policy myOutputPolicy
> >    # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> >    # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> >    # firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
> >
> > This will apply your rich rule to traffic originating from the node
> > running firewalld and destined to the public zone.
> >
> >
> > Notice I omitted these two rules:
> >
> > > rule family="ipv4" source address="4.2.2.1" drop
> > > rule family="ipv4" source address="4.2.2.1" reject
> > That's because your public zone will filter these out by default. There
> > is no need to explicitly reject them.
> >
> > I also omitted:
> >
> > > rule family="ipv4" destination address="4.2.2.1" drop
> > because it's already covered by the similar "reject" rule. You should
> > prefer "reject" over "drop" so an ICMP packet is returned and the
> > connection attempt fails gracefully (and quickly).
> >
>
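Added example, not part of this thread or of firewalld: a small parser for the `firewall-cmd --list-all` / `--list-all-policies` layout shown above that reports whether a rich rule naming an address sits in a zone (which, as Eric says, filters traffic arriving at the host) or in a policy with ingress zone HOST (which filters traffic the host sends). The two sample listings are constructed to mirror the zone-only state of the first post and the state after the outbound policy was added.

```python
"""Classify firewalld rich rules by the direction they filter. Added example for this
thread (not firewalld code); the sample `firewall-cmd` listings are constructed."""
import re

# Mirrors the original post: every rule lives in the public zone.
ZONE_ONLY = """\
public (active)
  rich rules:
    rule family="ipv4" destination address="4.2.2.1" reject
    rule family="ipv4" source address="4.2.2.1" reject
"""
# Mirrors the later listing: an outbound policy HOST -> public was added.
WITH_POLICY = ZONE_ONLY + """
myOutputPolicy (active)
  ingress-zones: HOST
  egress-zones: public
  rich rules:
    rule family="ipv4" destination address="4.2.2.1" reject
"""
RULE_RE = re.compile(r'rule .*?(source|destination) address="([^"]+)"')

def parse_objects(text):
    """Map each listed zone/policy name to its ingress/egress zones and rich rules."""
    objs, cur = {}, None
    for line in filter(str.strip, text.splitlines()):
        if not line.startswith(" "):                  # "name (active)" header line
            cur = objs.setdefault(line.split()[0], {"ingress": [], "egress": [], "rules": []})
        elif line.strip().startswith("rule "):
            cur["rules"].append(line.strip())
        else:
            key, _, val = line.strip().partition(":")
            if key in ("ingress-zones", "egress-zones"):
                cur[key.split("-")[0]] = val.split()
    return objs

def classify(text, addr):
    """Return (object, direction, match_key) for every rich rule that names addr."""
    hits = []
    for name, obj in parse_objects(text).items():
        ingress, egress = obj["ingress"], obj["egress"]
        # Zones (no ingress/egress) and egress-HOST policies see traffic *to* the
        # host; only an ingress-HOST policy sees traffic the host itself sends.
        direction = ("outbound" if "HOST" in ingress
                     else "inbound" if "HOST" in egress or not ingress else "forward")
        for m in filter(None, map(RULE_RE.match, obj["rules"])):
            if m.group(2) == addr:
                hits.append((name, direction, m.group(1)))
    return hits

def blocks_outbound(text, addr):
    """True only when an ingress-HOST policy matches addr as the destination."""
    return any(d == "outbound" and k == "destination" for _, d, k in classify(text, addr))
```

Run against the zone-only listing it reports no outbound filtering at all, which is why the queries to 4.2.2.1 still left the host; only the listing with myOutputPolicy yields an outbound destination match.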