I didn't know that /etc/firewalld/direct.xml file exists. And I didn't know that
rules added through the direct interface can be made permanent.
The thing is that I'm preparing for the RHCE (RHEL 7) exam. And there aren't any
study guides out there for this version yet. So the first place I go for information is
the official Red Hat documentation for RHEL 7
[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/].
Here [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...],
in the second paragraph of the 'Understanding the Direct Interface' section of the
'Security Guide', it says that 'The direct interface mode is intended for
services or applications to add specific firewall rules during run time. The rules are not
permanent and need to be applied every time after receiving the start, restart or reload
message from firewalld using D-BUS.'
Then later in the same document
[https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/...],
the note under 'Configuring the Firewall Using the Command Line Tool,
firewall-cmd' says that 'In order to make a command permanent or persistent, add
the --permanent option to all commands apart from the --direct commands (which are by
their nature temporary).'
Now I see that those statements are either outdated or simply incorrect. I'll take a
closer look at the direct interface. Thanks for pointing it out to me. I think that is
what I need for limiting outgoing traffic.
Rufe
On 10/13/2014 7:25:50 AM, Jiri Popelka <jpopelka(a)redhat.com> wrote:
On 10/06/2014 07:41 PM, Rufe Glick wrote:
While skimming through this mailing list's archives I saw that this
question was raised a couple of times. And last time in August of this
year Jiri reiterated that "So far we don't handle outbound traffic in
firewalld".
So if I still need to limit outgoing traffic what is the best way to
proceed? I could probably use the direct interface. But then I'll have
to write a daemon that'll handle reload\reboot events of firewalld to
re-add the rules. That sounds a bit complicated.
Did you know that 'direct' configuration can be stored in
/etc/firewalld/direct.xml? See the firewalld.direct man page.
Or you can use firewall-cmd like for example:
$ firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --sport 1234 -j DROP
Or perhaps I don't understand your use case.
The only solution I see is to disable the firewalld service altogether
and fall back to the iptables service.
Any other ideas?
Also in my opinion a full value firewall solution has to have an
ability to limit outgoing traffic. Are there plans to incorporate this
functionality any time soon?
None that I know of.
--
Jiri
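As an added illustration of the two persistent forms discussed in this thread (not code from the thread or from the firewalld project): the script below renders a small constructed set of outbound direct rules, including Jiri's example rule, both as the /etc/firewalld/direct.xml document that firewalld.direct(5) describes and as the equivalent firewall-cmd --permanent --direct commands. The rule list, the allow-list policy it expresses, and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Constructed sample: one line per rule, "ipv table chain priority iptables-args".
# Lower priority numbers are evaluated first in the direct OUTPUT chain, so the
# final catch-all DROP only sees traffic that no earlier rule accepted.
OUTBOUND_RULES='ipv4 filter OUTPUT 0 -p tcp -m tcp --sport 1234 -j DROP
ipv4 filter OUTPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
ipv4 filter OUTPUT 2 -p tcp -m tcp --dport 443 -j ACCEPT
ipv4 filter OUTPUT 3 -j DROP'

# Render the rules as the persistent direct.xml document.
render_direct_xml() {
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<direct>'
    printf '%s\n' "$1" | while read -r ipv table chain prio args; do
        [ -n "$ipv" ] || continue
        printf '  <rule ipv="%s" table="%s" chain="%s" priority="%s">%s</rule>\n' \
            "$ipv" "$table" "$chain" "$prio" "$args"
    done
    printf '%s\n' '</direct>'
}

# Render the same rules as firewall-cmd calls; --permanent writes them to
# direct.xml, and --reload applies the stored rules to the running firewall.
render_firewall_cmd() {
    printf '%s\n' "$1" | while read -r ipv table chain prio args; do
        [ -n "$ipv" ] || continue
        printf 'firewall-cmd --permanent --direct --add-rule %s %s %s %s %s\n' \
            "$ipv" "$table" "$chain" "$prio" "$args"
    done
    echo 'firewall-cmd --reload'
}

render_direct_xml "$OUTBOUND_RULES"
render_firewall_cmd "$OUTBOUND_RULES"
```

Running the printed firewall-cmd lines needs root and firewalld; the rendered XML is what ends up in /etc/firewalld/direct.xml after them.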