On Tue, Jan 4, 2022 at 1:32 AM Sean Zimmermann <sz2243(a)gmail.com> wrote:
> Hi Eric and Andrei,
> Thank you for the info and the examples. Just one quick follow-up question - can I define
> a zone based on outbound IP addresses?

No. A zone is for filtering incoming traffic.
> In my case, the computer hosting the VMs is connected to the LAN but
> doesn't have a direct connection to the wider internet (it's behind a router). I
> was enforcing the 'no LAN traffic' rule in nftables by blocking any forwarded traffic from
> the VM to 192.168.0.0/16.
> So, if I wanted to define an egress zone using policies, I assume I'd need to make a
> zone out of the LAN IP range, correct? I know I can make inbound zones based on IP range
> sources, but can I make one for outbound traffic too (saying that traffic bound for
> 192.168.0.0/16 is the 'lan' zone and traffic bound for elsewhere is not)?
Policies support rich rules, so you can define a policy with the most
common default target (e.g. ACCEPT or REJECT) and use rich rules to
restrict/allow traffic to specific destination(s).
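As an added illustration that is not part of the original thread: a firewalld policy file, in the format documented by firewalld.policy(5), that does what the reply describes for the case in the question. The zone name `vms` for the VM bridge interface and the policy name `vm-egress` are assumptions; the 192.168.0.0/16 range is the one from the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread. Install as /etc/firewalld/policies/vm-egress.xml
     and run `firewall-cmd --reload`. Assumes the VM bridge interface is in a zone named "vms". -->
<policy target="ACCEPT">
  <short>vm-egress</short>
  <description>Forward VM traffic anywhere except the LAN range</description>
  <!-- Forwarded traffic entering from the VM zone ... -->
  <ingress-zone name="vms"/>
  <!-- ... and leaving towards any other zone (traffic to the host itself would be HOST, not ANY) -->
  <egress-zone name="ANY"/>
  <!-- Rich rules are evaluated before the policy's default target: anything bound for the LAN
       range is rejected, everything else falls through to ACCEPT -->
  <rule family="ipv4">
    <destination address="192.168.0.0/16"/>
    <reject/>
  </rule>
</policy>
```

Check the result with `firewall-cmd --info-policy vm-egress` and watch for the reject in `firewall-cmd --set-log-denied=all` output if the VM can still reach a LAN host.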