
List:       firewalld-users
Subject:    Re: Rich rules of blocking traffic to a specific IP seem not to work
From:       summersnow <summersnow9403 () gmail ! com>
Date:       2021-12-28 19:44:20
Message-ID: 856b3ad2-b76f-5a85-cd53-57f69440f0ef () gmail ! com

Hi Eric,

Thanks! I tried the following command:

# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'

but I can still send a DNS query to 4.2.2.1. Running firewall-cmd 
--list-all shows:

public (active)
   target: default
   icmp-block-inversion: no
   interfaces: wlp4s0
   sources:
   services: dhcpv6-client
   ports:
   protocols:
   forward: yes
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
     rule family="ipv4" destination address="4.2.2.1" reject

and running firewall-cmd --list-all-policies shows:

allow-host-ipv6 (active)
   priority: -15000
   target: CONTINUE
   ingress-zones: ANY
   egress-zones: HOST
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
     rule family="ipv6" icmp-type name="neighbour-advertisement" accept
     rule family="ipv6" icmp-type name="neighbour-solicitation" accept
     rule family="ipv6" icmp-type name="router-advertisement" accept
     rule family="ipv6" icmp-type name="redirect" accept

myOutputPolicy (active)
   priority: -1
   target: CONTINUE
   ingress-zones: HOST
   egress-zones: public
   services:
   ports:
   protocols:
   masquerade: no
   forward-ports:
   source-ports:
   icmp-blocks:
   rich rules:
     rule family="ipv4" destination address="4.2.2.1" reject

Did I do something wrong? Do I need to change the target of 
myOutputPolicy? I used iptables as the backend of firewalld, and the 
output of iptables -L -n is in https://paste.opensuse.org/80095661

Thanks


On 12/28/21 12:49, Eric Garver wrote:
> On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
>> Hello,
>>
>> I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
>> from/to a specific IP address, and I have used the IP 4.2.2.1 as a
>> test. My firewall-cmd
>> --list-all shows:
>>
>> root@summersnow # firewall-cmd --list-all
>> public (active)
>>    target: default
>>    icmp-block-inversion: no
>>    interfaces: wlp4s0
>>    sources:
>>    services: dhcpv6-client
>>    ports:
>>    protocols:
>>    forward: yes
>>    masquerade: no
>>    forward-ports:
>>    source-ports:
>>    icmp-blocks:
>>    rich rules:
>> rule family="ipv4" destination address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" reject
>> rule family="ipv4" destination address="4.2.2.1" reject
>>
>> However, I can confirm that I can still receive DNS responses from it by:
>>
>> root@summersnow # nslookup twitter.com 4.2.2.1
>> Server:		4.2.2.1
>> Address:	4.2.2.1#53
>>
>> Non-authoritative answer:
>> Name:	twitter.com
>> Address: 104.244.42.65
>> Name:	twitter.com
>> Address: 104.244.42.129
>>
>> The rich rules above do not seem to be working properly. Any ideas?
> Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> filter traffic received from the zone and destined to the host
> (inbound/INPUT).
>
> firewalld supports outbound filtering via policies.
>
> You can learn about them here:
>    - https://firewalld.org/2020/09/policy-objects-introduction
>    - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic
>
>
> SOLUTION:
>
> For your use case you probably want something like the following:
>
>    # firewall-cmd --permanent --new-policy myOutputPolicy
>    # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
>    # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
>    # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> This will apply your rich rule to traffic originating from the node
> running firewalld and destined to the public zone.
>
>
> Notice I omitted these two rules:
>
>> rule family="ipv4" source address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" reject
> That's because your public zone will filter these out by default. There
> is no need to explicitly reject them.
>
> I also omitted:
>
>> rule family="ipv4" destination address="4.2.2.1" drop
> because it's already covered by the similar "reject" rule. You should
> prefer "reject" over "drop" so an ICMP packet is returned and the
> connection attempt fails gracefully (and quickly).
>
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
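The thread turns on the direction a rule applies to: a zone rich rule only filters traffic arriving from the zone and destined to the host, while outbound filtering needs a policy whose ingress zone is HOST and whose egress zone is the zone of the outgoing interface. The following script is an added example, not code from the thread or from the firewalld project. It parses the text format of `firewall-cmd --list-all-policies` as shown in the message above and checks that a named policy is wired for outbound filtering of a given IP: ingress-zones contains HOST, egress-zones contains the expected zone, and a rich rule rejects or drops traffic to that destination. The embedded sample output is constructed from the message's listing plus an extra, deliberately mis-wired policy (`inboundPolicy`, with the zones the other way round) to show what the check flags.

```shell
#!/bin/sh
# check_policy FILE POLICY EGRESS_ZONE IP
# FILE holds the output of `firewall-cmd --list-all-policies` ("-" reads stdin).
# Exit 0 when POLICY has ingress-zones HOST, egress-zones EGRESS_ZONE and a
# rich rule that rejects/drops traffic to IP; exit 1 and print what is missing.
check_policy() {
    awk -v pol="$2" -v egress="$3" -v ip="$4" '
        # An unindented line such as "myOutputPolicy (active)" opens a new block;
        # its first field is the policy name.
        /^[^ ]/ { cur = $1; if (cur == pol) found = 1; next }
        cur != pol { next }
        /^ *target:/ { target = $2 }
        # Zone lists may hold several names, so scan every field.
        /^ *ingress-zones:/ { for (i = 2; i <= NF; i++) if ($i == "HOST") ingress_host = 1 }
        /^ *egress-zones:/  { for (i = 2; i <= NF; i++) if ($i == egress) egress_ok = 1 }
        # Rich rule lines carry the destination verbatim; index() avoids regex
        # escaping of the dots in the address.
        index($0, "destination address=\"" ip "\"") > 0 && /(reject|drop)$/ { rule = 1 }
        END {
            if (!found) { print "FAIL: policy " pol " not found"; exit 1 }
            rc = 0
            if (!ingress_host) { print "FAIL: ingress-zones lacks HOST; without it the policy does not see traffic originating on this host"; rc = 1 }
            if (!egress_ok)    { print "FAIL: egress-zones lacks " egress "; the rule never meets traffic leaving through that zone"; rc = 1 }
            if (!rule)         { print "FAIL: no reject/drop rich rule for destination " ip " in " pol; rc = 1 }
            if (rc == 0) print "OK: " pol " (target " target ") filters host traffic to " ip " leaving via zone " egress
            exit rc
        }' "$1"
}

# write_sample FILE: constructed --list-all-policies output for offline use.
# The first two blocks mirror the listing in the message; inboundPolicy is a
# made-up policy with ingress/egress swapped, i.e. the INPUT direction.
write_sample() {
    cat > "$1" <<'EOF'
allow-host-ipv6 (active)
   priority: -15000
   target: CONTINUE
   ingress-zones: ANY
   egress-zones: HOST
   rich rules:
     rule family="ipv6" icmp-type name="neighbour-advertisement" accept

myOutputPolicy (active)
   priority: -1
   target: CONTINUE
   ingress-zones: HOST
   egress-zones: public
   services:
   ports:
   rich rules:
     rule family="ipv4" destination address="4.2.2.1" reject

inboundPolicy (active)
   priority: -1
   target: CONTINUE
   ingress-zones: public
   egress-zones: HOST
   rich rules:
     rule family="ipv4" destination address="4.2.2.1" reject
EOF
}

# Live use:  firewall-cmd --list-all-policies | sh check_policy.sh - myOutputPolicy public 4.2.2.1
if [ $# -eq 4 ]; then
    check_policy "$@"
fi
```

The check is deliberately limited to what the listing shows: it confirms the rule is attached to a policy in the HOST-to-zone direction rather than to the zone itself, which is the mistake the first message in the thread made. It cannot tell whether the backend actually installed the rule; for that, compare against `iptables -L -n` or `nft list ruleset` and probe with a DNS query to the blocked address, expecting an immediate rejection rather than a reply.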
