On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
Hello,
I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
from/to a specific IP address, and I have used the IP 4.2.2.1 as a
test. My firewall-cmd --list-all shows:
root@summersnow # firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" reject
rule family="ipv4" destination address="4.2.2.1" reject
However, I can confirm that I can still receive DNS responses from it by:
root@summersnow # nslookup twitter.com 4.2.2.1
Server:         4.2.2.1
Address:        4.2.2.1#53

Non-authoritative answer:
Name:   twitter.com
Address: 104.244.42.65
Name:   twitter.com
Address: 104.244.42.129
The rich rules above do not seem to be working properly. Any ideas?
Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
filter traffic received from the zone and destined to the host
(inbound/INPUT).
firewalld supports outbound filtering via policies.
You can learn about them here:
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
SOLUTION:
For your use case you probably want something like the following:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --reload
This will apply your rich rule to traffic originating from the node
running firewalld and destined to the public zone.
Notice I omitted these two rules:
rule family="ipv4" source address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" reject
That's because your public zone will filter these out by default. There
is no need to explicitly reject them.
I also omitted:
rule family="ipv4" destination address="4.2.2.1" drop
because it's already covered by the similar "reject" rule. You should
prefer "reject" over "drop" so an ICMP packet is returned and the
connection attempt fails gracefully (and quickly).
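The policy-based outbound block from the reply, wrapped into a small reusable script. This is an added example, not code from the thread or from the firewalld project. It goes a step beyond the reply by deriving the rich-rule family from the address, so an IPv6 target gets an ipv6 rule, and by taking the binary from FIREWALL_CMD so the script can be dry-run with FIREWALL_CMD=echo on a machine without firewalld. The policy name egress-blocklist and the POLICY/EGRESS_ZONE variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumed names: the policy
# "egress-blocklist", and FIREWALL_CMD, which defaults to firewall-cmd and
# can be set to "echo" for a dry run that only prints the commands.
set -eu

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}
POLICY=${POLICY:-egress-blocklist}
EGRESS_ZONE=${EGRESS_ZONE:-public}

# Create the policy once. Ingress zone HOST is traffic generated by this
# machine; the egress zone is the zone the packets leave through.
ensure_policy() {
    if ! "$FIREWALL_CMD" --permanent --get-policies | tr ' ' '\n' | grep -qx "$POLICY"; then
        "$FIREWALL_CMD" --permanent --new-policy "$POLICY"
        "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-ingress-zone HOST
        "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-egress-zone "$EGRESS_ZONE"
    fi
}

# Build the rich rule for one address. A ':' in the address means IPv6;
# the rule must name the matching family or firewalld ignores it.
rich_rule() {
    case $1 in
        *:*) family=ipv6 ;;
        *)   family=ipv4 ;;
    esac
    printf 'rule family="%s" destination address="%s" reject\n' "$family" "$1"
}

# Add one address to the policy. Re-adding an existing rule is harmless:
# firewall-cmd reports ALREADY_ENABLED and exits 0, so this is idempotent.
block_outbound() {
    rule=$(rich_rule "$1")
    "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-rich-rule "$rule"
}

# Usage: sh egress-block.sh apply 4.2.2.1 [more addresses ...]
#        FIREWALL_CMD=echo sh egress-block.sh apply 4.2.2.1    # dry run
if [ "${1:-}" = apply ]; then
    shift
    ensure_policy
    for addr in "$@"; do
        block_outbound "$addr"
    done
    # --permanent changes only take effect after a reload.
    "$FIREWALL_CMD" --reload
    # Show what is now active in the policy.
    "$FIREWALL_CMD" --policy "$POLICY" --list-rich-rules
fi
```

After `apply`, repeat the nslookup from the question: with the reject rule in place the query should fail promptly instead of returning an answer, because the host's own outbound UDP to 4.2.2.1 is now matched by the HOST-to-public policy rather than by the public zone's inbound rules.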