List: firewalld-users
Subject: Re: Rich rules of blocking traffic to a specific IP seem not to work
From: summersnow <summersnow9403 () gmail ! com>
Date: 2021-12-28 19:44:20
Message-ID: 856b3ad2-b76f-5a85-cd53-57f69440f0ef () gmail ! com
Hi Eric,
Thanks! I tried the following commands:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
but I can still send DNS queries to 4.2.2.1. Running firewall-cmd --list-all shows:
public (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
and running firewall-cmd --list-all-policies shows:
allow-host-ipv6 (active)
priority: -15000
target: CONTINUE
ingress-zones: ANY
egress-zones: HOST
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv6" icmp-type name="neighbour-advertisement" accept
rule family="ipv6" icmp-type name="neighbour-solicitation" accept
rule family="ipv6" icmp-type name="router-advertisement" accept
rule family="ipv6" icmp-type name="redirect" accept
myOutputPolicy (active)
priority: -1
target: CONTINUE
ingress-zones: HOST
egress-zones: public
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="4.2.2.1" reject
Did I do something wrong? Do I need to change the target of
myOutputPolicy? I used iptables as the backend of firewalld, and the
output of iptables -L -n is in https://paste.opensuse.org/80095661
Thanks
On 12/28/21 12:49, Eric Garver wrote:
> On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
>> Hello,
>>
>> I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic
>> from/to a specific IP address, and I have used the IP 4.2.2.1 as a
>> test. My firewall-cmd --list-all shows:
>>
>> root@summersnow # firewall-cmd --list-all
>> public (active)
>> target: default
>> icmp-block-inversion: no
>> interfaces: wlp4s0
>> sources:
>> services: dhcpv6-client
>> ports:
>> protocols:
>> forward: yes
>> masquerade: no
>> forward-ports:
>> source-ports:
>> icmp-blocks:
>> rich rules:
>> rule family="ipv4" destination address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" reject
>> rule family="ipv4" destination address="4.2.2.1" reject
>>
>> However, I can confirm that I can still receive DNS responses from it by:
>>
>> root@summersnow # nslookup twitter.com 4.2.2.1
>> Server: 4.2.2.1
>> Address: 4.2.2.1#53
>>
>> Non-authoritative answer:
>> Name: twitter.com
>> Address: 104.244.42.65
>> Name: twitter.com
>> Address: 104.244.42.129
>>
>> The rich rules above seem not to be working properly. Any ideas?
> Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones
> filter traffic received from the zone and destined to the host
> (inbound/INPUT).
>
> firewalld supports outbound filtering via policies.
>
> You can learn about them here:
> - https://firewalld.org/2020/09/policy-objects-introduction
> - https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traffic
>
>
> SOLUTION:
>
> For your use case you probably want something like the following:
>
> # firewall-cmd --permanent --new-policy myOutputPolicy
> # firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
> # firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
> # firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
>
> This will apply your rich rule to traffic originating from the node
> running firewalld and destined to the public zone.
>
>
> Notice I omitted these two rules:
>
>> rule family="ipv4" source address="4.2.2.1" drop
>> rule family="ipv4" source address="4.2.2.1" reject
> That's because your public zone will filter these out by default. There
> is no need to explicitly reject them.
>
> I also omitted:
>
>> rule family="ipv4" destination address="4.2.2.1" drop
> because it's already covered by the similar "reject" rule. You should
> prefer "reject" over "drop" so an ICMP packet is returned and the
> connection attempt fails gracefully (and quickly).
>
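To confirm that a rich rule actually landed in an outbound policy (ingress zone HOST) rather than in the public zone, here is an added shell check that is not code from this thread or from firewalld; `policy_block`, `policy_field`, `policy_has_rule` and `check_outbound_reject` are hypothetical helper names, and the embedded listing is a constructed sample in the `firewall-cmd --list-all-policies` format shown above.

```shell
#!/bin/sh
# Added example, not code from the thread: check that an outbound reject rule sits
# in a firewalld policy whose ingress zone is HOST, by parsing the output format of
# `firewall-cmd --list-all-policies`. POLICY_DUMP defaults to a constructed sample.
SAMPLE_POLICIES='allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  rich rules:
    rule family="ipv6" icmp-type name="redirect" accept
myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  rich rules:
    rule family="ipv4" destination address="4.2.2.1" reject'
POLICY_DUMP="${POLICY_DUMP:-$SAMPLE_POLICIES}"

# policy_block POLICY: print POLICY's block with leading whitespace stripped.
# A header is one colon-free token optionally followed by " (active)", so both
# real indented output and the flattened copy in the thread are handled.
policy_block() {
    printf '%s\n' "$POLICY_DUMP" | awk -v pol="$1" '
        /^[^ \t:]+( \(active\))?$/ { inpol = ($1 == pol); next }
        inpol { sub(/^[ \t]+/, ""); print }'
}

# policy_field POLICY FIELD: print FIELD's value from POLICY ("" if unset).
policy_field() {
    policy_block "$1" | sed -n "s/^$2:[ ]*//p" | head -n 1
}

# policy_has_rule POLICY RULE: succeed if RULE appears verbatim in POLICY.
policy_has_rule() {
    policy_block "$1" | grep -qxF -- "$2"
}

# check_outbound_reject POLICY IP: succeed only if POLICY takes traffic from
# HOST and carries the reject rule for IP; a rule added to a zone instead
# (a command without --policy) is not found here.
check_outbound_reject() {
    [ "$(policy_field "$1" ingress-zones)" = HOST ] || return 1
    policy_has_rule "$1" "rule family=\"ipv4\" destination address=\"$2\" reject"
}
if check_outbound_reject myOutputPolicy 4.2.2.1; then
    echo "myOutputPolicy rejects host-originated traffic to 4.2.2.1"
else
    echo "no HOST-ingress policy rejects 4.2.2.1; check for a zone-level rule" >&2
fi
```

Permanent changes only reach the running firewall after `firewall-cmd --reload`, so run it against runtime output (`POLICY_DUMP="$(firewall-cmd --list-all-policies)" sh check.sh`) after reloading to see what is actually enforced.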
_______________________________________________
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org