8:49 p.m.
Hi everyone,
I'm trying to setup a firewall so one of my VMs is barred from accessing the LAN (if
saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do
this in nftables here:
table inet ext_only {
chain input {
type filter hook input priority filter - 10; policy accept;
ct state new ip saddr 192.168.100.100 drop
}
chain forward {
type filter hook forward priority filter - 10; policy accept;
ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
}
}
However, I've been having trouble trying to figure out the correct way to do this for
firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I
couldn't figure out how to write a forward deny rule.
What is the recommended way to handle dropping forwarded packets?
Thank you for any help with this.
Regards,
Sean
7:41 a.m.
What is the recommended way to handle dropping forwarded packets?
Firewalld is using policies to control forwarding between zones. See man firewalld.policy
as well as https://firewalld.org/2020/09/policy-objects-introduction for introduction and
https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t... for
applying policies to filter VM traffic (it is just one example, not exhaustive
description).
9:49 a.m.
On Fri, Dec 31, 2021 at 02:49:09AM -0000, Sean Zimmermann wrote:
Hi everyone,
I'm trying to setup a firewall so one of my VMs is barred from accessing the LAN (if
saddr = VM Address and daddr = 192.168.0.0/16, deny input and forward). I was able to do
this in nftables here:
table inet ext_only {
chain input {
type filter hook input priority filter - 10; policy accept;
ct state new ip saddr 192.168.100.100 drop
}
chain forward {
type filter hook forward priority filter - 10; policy accept;
ct state new ip saddr 192.168.100.100 ip daddr 192.168.0.0/16 drop
}
}
However, I've been having trouble trying to figure out the correct way to do this for
firewalld. I know I can move the VM IP to its own zone, and I can then block input, but I
couldn't figure out how to write a forward deny rule.
What is the recommended way to handle dropping forwarded packets?
Policy objects are available in v0.9.0 and later. They allow forward and
output filtering.
- https://firewalld.org/2020/09/policy-objects-introduction
- https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-t...
You probably want something like this (untested):
# firewalld-cmd --permanent --add-policy noForwardToLan
# firewalld-cmd --permanent --policy noForwardToLan --add-ingress-zone
<zone_of_vm>
# firewalld-cmd --permanent --policy noForwardToLan --add-egress-zone
<zone_of_lan>
# firewalld-cmd --permanent --policy noForwardToLan --set-target REJECT
This will reject all traffic originating from <zone_of_vm> and destined
to <zone_of_lan>. It would allow the VM to connect to the internet if
your uplink is in yet another zone, e.g. public or external.
Hope that helps.
Eric.
4:32 p.m.
Hi Eric and Andrei,
Thank you for the info and the examples. Just one quick follow up question - can I define
a zone based on outbound IP addresses?
In my case, the computer hosting the VMs is connected to the LAN but doesn't have a
direct connection to the wider internet (it's behind a router). I was enforcing the
'no LAN traffic' in nftables blocking any forwarded traffic from the VM to
192.168.0.0/16.
So, if I wanted to define an egress zone using policies, I assume I'd need to make a
zone out of the LAN IP range, correct? I know I can make inbound zones based on IP range
sources, but can I make one for outbound traffic too (saying that traffic bound for
192.168.0.0/16 is the 'lan' zone and traffic bound for elsewhere is not?)
12:22 a.m.
On Tue, Jan 4, 2022 at 1:32 AM Sean Zimmermann <sz2243(a)gmail.com> wrote:
Hi Eric and Andrei,
Thank you for the info and the examples. Just one quick follow up question - can I define
a zone based on outbound IP addresses?
No. Zone is for filtering incoming traffic.
In my case, the computer hosting the VMs is connected to the LAN but
doesn't have a direct connection to the wider internet (it's behind a router). I
was enforcing the 'no LAN traffic' in nftables blocking any forwarded traffic from
the VM to 192.168.0.0/16.
So, if I wanted to define an egress zone using policies, I assume I'd need to make a
zone out of the LAN IP range, correct? I know I can make inbound zones based on IP range
sources, but can I make one for outbound traffic too (saying that traffic bound for
192.168.0.0/16 is the 'lan' zone and traffic bound for elsewhere is not?)
Policies support rich rules, so you can define policy with the most
common default target (e.g. ACCEPT or REJECT) and use rich rules to
restrict/allow traffic to specific destination(s).
837
days inactive
841
days old
firewalld-users@lists.fedorahosted.org
4 comments
3 participants
participants (3)
-
Andrei Borzenkov -
Eric Garver -
Sean Zimmermann