Hi all,
After restarting my computer the rich rule works! I may have missed something
but I remember I did run firewall-cmd --reload to reload the firewall.
Perhaps I need to restart the firewalld service instead.
Thanks
On 1/3/22 08:21, Andrei Borzenkov wrote:
>> Hi Eric,
>>
>> Thanks! I tried the following command:
>>
>> # firewall-cmd --permanent --new-policy myOutputPolicy
>> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
>> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
>> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4"
>> destination address="4.2.2.1" reject'
>> # firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule
>> family="ipv4" destination address="4.2.2.1" reject'
>>
> You need to activate these rules by reloading or restarting firewalld.
>
>> but I can still send DNS query to 4.2.2.1 . Running firewall-cmd
>> --list-all shows:
>>
>> public (active)
>> target: default
>> icmp-block-inversion: no
>> interfaces: wlp4s0
>> sources:
>> services: dhcpv6-client
>> ports:
>> protocols:
>> forward: yes
>> masquerade: no
>> forward-ports:
>> source-ports:
>> icmp-blocks:
>> rich rules:
>> rule family="ipv4" destination address="4.2.2.1" reject
>>
> This rule is useless unless your own IP address is 4.2.2.1.
>
>> and running firewall-cmd --list-all-policies shows:
>>
>> allow-host-ipv6 (active)
>> priority: -15000
>> target: CONTINUE
>> ingress-zones: ANY
>> egress-zones: HOST
>> services:
>> ports:
>> protocols:
>> masquerade: no
>> forward-ports:
>> source-ports:
>> icmp-blocks:
>> rich rules:
>> rule family="ipv6" icmp-type name="neighbour-advertisement" accept
>> rule family="ipv6" icmp-type name="neighbour-solicitation" accept
>> rule family="ipv6" icmp-type name="router-advertisement" accept
>> rule family="ipv6" icmp-type name="redirect" accept
>>
>> myOutputPolicy (active)
>> priority: -1
>> target: CONTINUE
>> ingress-zones: HOST
>> egress-zones: public
>> services:
>> ports:
>> protocols:
>> masquerade: no
>> forward-ports:
>> source-ports:
>> icmp-blocks:
>> rich rules:
>> rule family="ipv4" destination address="4.2.2.1" reject
>>
>> Did I do something wrong? Do I need to change the target of
>> myOutputPolicy? I used iptables as the backend of firewalld, and the
>> output of iptables -L -n is in https://paste.opensuse.org/80095661
>>
> iptables -L -n -v would be more useful as it also shows details and number of packets
> for each chain. But output looks good and it most certainly works for me with the same
> commands (after activating new configuration of course).
>
> Are you performing nslookup on the same system where firewalld is running?
> _______________________________________________
> firewalld-users mailing list -- firewalld-users(a)lists.fedorahosted.org
> To unsubscribe send an email to firewalld-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedora...
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
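The thread turns on two points: a `destination address` rich rule placed in a zone only ever sees inbound traffic (so it cannot block the host's own DNS queries), and a policy with `ingress-zones: HOST` only takes effect once it is active. The following is an added example, not code from the thread or from the firewalld project: it parses the block-per-object text that `firewall-cmd --list-all` and `firewall-cmd --list-all-policies` print (the layout quoted above, reproduced here as constructed sample strings) and reports where a reject/drop rule for a given destination actually lives. Treating only active policies that name `HOST` as an ingress zone as effective for host-originated traffic is the assumption the audit rests on, following Andrei's explanation above.

```python
"""Audit where a firewalld rule blocking traffic to a destination lives.

Added example (not from the mailing-list thread or the firewalld project).
Assumption: only an active policy whose ingress zone is HOST filters the
host's own outbound packets; the same rich rule in a zone is matched against
inbound traffic, where the destination address is the host itself.
"""
import re

# Constructed sample, modelled on the `firewall-cmd --list-all` output in the thread.
ZONES_OUTPUT = """\
public (active)
  target: default
  interfaces: wlp4s0
  services: dhcpv6-client
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

# Constructed sample, modelled on the `firewall-cmd --list-all-policies` output.
POLICIES_OUTPUT = """\
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
\trule family="ipv6" icmp-type name="neighbour-advertisement" accept
\trule family="ipv6" icmp-type name="neighbour-solicitation" accept

myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  rich rules:
\trule family="ipv4" destination address="4.2.2.1" reject
"""

DEST_RE = re.compile(r'\bdestination address="([^"]+)"')
ACTION_RE = re.compile(r'\s(accept|reject|drop)(?:\s|$)')


def parse_list_all(text):
    """Parse firewall-cmd's one-object-per-block listing.

    Header lines are unindented ("public (active)"); fields are indented
    "key: value" lines; rich rules follow the "rich rules:" field one per line.
    Returns {name: {"active": bool, "rich rules": [...], <field>: <value>}}.
    """
    objects, current, in_rich = {}, None, False
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # object header
            name = raw.split()[0]
            current = objects[name] = {"active": "(active)" in raw, "rich rules": []}
            in_rich = False
            continue
        line = raw.strip()
        if current is None:
            raise ValueError(f"field before any object header: {line!r}")
        if in_rich and line.startswith("rule "):      # IPv6 rules contain ':' too
            current["rich rules"].append(line)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"unrecognised line: {line!r}")
        key = key.strip()
        in_rich = key == "rich rules"
        if not in_rich:
            current[key] = value.strip()
    return objects


def blocks_destination(rule, addr):
    """True if a rich rule matches traffic to `addr` and rejects or drops it."""
    dest, action = DEST_RE.search(rule), ACTION_RE.search(rule)
    return bool(dest and dest.group(1) == addr and action and action.group(1) != "accept")


def audit_egress_block(zones_text, policies_text, addr):
    """Classify every object holding a reject/drop rule for destination `addr`."""
    zones, policies = parse_list_all(zones_text), parse_list_all(policies_text)
    report = {"effective": [], "inactive": [], "not_host_egress": [], "zone_only": []}
    for name, pol in policies.items():
        if not any(blocks_destination(r, addr) for r in pol["rich rules"]):
            continue
        if "HOST" not in pol.get("ingress-zones", "").split():
            report["not_host_egress"].append(name)   # does not take host-originated traffic
        elif not pol["active"]:
            report["inactive"].append(name)          # permanent config not yet loaded
        else:
            report["effective"].append(name)
    for name, zone in zones.items():
        if any(blocks_destination(r, addr) for r in zone["rich rules"]):
            report["zone_only"].append(name)         # inbound-only match, never fires outbound
    return report


if __name__ == "__main__":
    print(audit_egress_block(ZONES_OUTPUT, POLICIES_OUTPUT, "4.2.2.1"))
```

Run against the thread's listing it reports `myOutputPolicy` as the one effective place for the 4.2.2.1 block and flags the copy in the `public` zone as an inbound-only rule that adds nothing. On a real host, feed it the output of `firewall-cmd --list-all` and `firewall-cmd --list-all-policies` after `firewall-cmd --reload`, since `--permanent` changes are not visible in the runtime listing until then.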