Hi Eric,
Thank you so much! The commands work after rebooting. However, I still cannot figure out why simply using:
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="4.2.2.1" reject'
would not block all incoming DNS responses from 4.2.2.1. I think that by either filtering the incoming packets by source IP, or the outgoing packets by destination IP (using the outbound filtering you mentioned), my computer cannot query 4.2.2.1 for DNS responses. Is that right?
Thanks again for your help.
On Mon, Jan 3, 2022 at 7:56 AM Eric Garver egarver@redhat.com wrote:
I don't see anything wrong. The generated iptables rules look correct. But I couldn't verify the interfaces/counters because -v wasn't used.
Can you use the -v option to iptables to show counters?
# iptables -v -n -L filter
# iptables -v -n -L nat
# iptables -v -n -L mangle
# iptables -v -n -L raw
On Tue, Dec 28, 2021 at 01:44:20PM -0600, summersnow wrote:
Hi Eric,
Thanks! I tried the following command:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
# firewall-cmd --permanent --policy myOutputPolicy --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
but I can still send a DNS query to 4.2.2.1. Running firewall-cmd --list-all shows:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="4.2.2.1" reject
and running firewall-cmd --list-all-policies shows:
allow-host-ipv6 (active)
  priority: -15000
  target: CONTINUE
  ingress-zones: ANY
  egress-zones: HOST
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv6" icmp-type name="neighbour-advertisement" accept
        rule family="ipv6" icmp-type name="neighbour-solicitation" accept
        rule family="ipv6" icmp-type name="router-advertisement" accept
        rule family="ipv6" icmp-type name="redirect" accept

myOutputPolicy (active)
  priority: -1
  target: CONTINUE
  ingress-zones: HOST
  egress-zones: public
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="4.2.2.1" reject
Did I do something wrong? Do I need to change the target of myOutputPolicy?
I used iptables as the backend of firewalld, and the output of iptables -L -n is in https://paste.opensuse.org/80095661
Thanks
On 12/28/21 12:49, Eric Garver wrote:
On Fri, Dec 24, 2021 at 04:28:23AM -0600, Snow Summer wrote:
Hello,
I am trying to block all kinds (TCP/UDP/ICMP and so on) of network traffic from/to a specific IP address, and I have used the IP 4.2.2.1 as a test. My firewall-cmd --list-all shows:
root@summersnow # firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: wlp4s0
  sources:
  services: dhcpv6-client
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="4.2.2.1" drop
        rule family="ipv4" source address="4.2.2.1" drop
        rule family="ipv4" source address="4.2.2.1" reject
        rule family="ipv4" destination address="4.2.2.1" reject
However, I can confirm that I can still receive DNS responses from it by:
root@summersnow # nslookup twitter.com 4.2.2.1
Server:         4.2.2.1
Address:        4.2.2.1#53

Non-authoritative answer:
Name:   twitter.com
Address: 104.244.42.65
Name:   twitter.com
Address: 104.244.42.129
The rich rules above seem not to be working properly. Any ideas?
Hi! It looks like you're trying to do outbound/OUTPUT filtering. Zones filter traffic received from the zone and destined to the host (inbound/INPUT).
firewalld supports outbound filtering via policies.
You can learn about them here:
https://firewalld.org/2020/09/policy-objects-filtering-container-and-vm-traf...
SOLUTION:
For your use case you probably want something like the following:
# firewall-cmd --permanent --new-policy myOutputPolicy
# firewall-cmd --permanent --policy myOutputPolicy --add-ingress-zone HOST
# firewall-cmd --permanent --policy myOutputPolicy --add-egress-zone public
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" destination address="4.2.2.1" reject'
This will apply your rich rule to traffic originating from the node running firewalld and destined to the public zone.
Notice I omitted these two rules:
rule family="ipv4" source address="4.2.2.1" drop
rule family="ipv4" source address="4.2.2.1" reject
That's because your public zone will filter these out by default. There is no need to explicitly reject them.
I also omitted:
rule family="ipv4" destination address="4.2.2.1" drop
because it's already covered by the similar "reject" rule. You should prefer "reject" over "drop" so an ICMP packet is returned and the connection attempt fails gracefully (and quickly).
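Eric's suggestion to rerun iptables with -v is the practical way to settle the question: the counters tell you whether the policy's reject rule is actually being hit, or whether outbound queries are leaving through some other path. The script below is an added example, not code from the thread or from the firewalld project. It parses `iptables -v -n -L` output read from standard input and reports, per chain, the packet counter of every rule whose source or destination matches a given host. The sample output embedded in it is constructed for the example; the chain names in it (IN_public_deny, OUT_myOutputPolicy_deny) are assumed, not copied from the pastebin link in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): read `iptables -v -n -L`
# output on stdin and show the packet counters of rules that match a host.
# A REJECT/DROP rule for the host with a counter stuck at 0 while queries
# still succeed means the traffic never reaches that rule; a rising counter
# means the rule is placed correctly and is doing its job.

# Constructed sample of `iptables -v -n -L` output. Chain names are assumed
# for illustration; they are not taken from the thread's paste.
SAMPLE_IPTABLES='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1532  210K INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       4.2.2.1              0.0.0.0/0

Chain OUT_myOutputPolicy_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   511 REJECT     all  --  *      *       0.0.0.0/0            4.2.2.1              reject-with icmp-port-unreachable
'

# rule_counters IP   (iptables -v -n -L output on stdin)
# Prints one line per matching rule: "<chain> <target> <pkts> <src|dst>".
# Column layout of -v -n -L: pkts bytes target prot opt in out source destination [...]
rule_counters() {
    awk -v ip="$1" '
        /^Chain /            { chain = $2; next }   # remember the current chain
        $1 == "pkts"         { next }               # skip the column header
        NF >= 9 && $8 == ip  { printf "%s %s %s src\n", chain, $3, $1; next }
        NF >= 9 && $9 == ip  { printf "%s %s %s dst\n", chain, $3, $1 }
    '
}

# total_hits IP   (iptables -v -n -L output on stdin)
# Sum of packet counters over every rule that matches IP.
total_hits() {
    rule_counters "$1" | awk '{ n += $3 } END { print n + 0 }'
}

# Usage on a live system (needs root):  iptables -v -n -L | rule_counters 4.2.2.1
# Stand-alone demonstration on the constructed sample:
printf '%s' "$SAMPLE_IPTABLES" | rule_counters 4.2.2.1
```

Run it as `iptables -v -n -L | sh counters.sh`-style against a live box after a test query such as the nslookup in the thread; the counter on the policy's REJECT rule should increase by the number of query packets sent. Zero the counters first with `iptables -Z` if you want a clean before/after reading.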