Thorsten Schubert writes:
> On Thu, May 7, 2020 at 12:12 AM Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx> wrote:
> > Is there a way with firewall-cmd to /really/ block an IP address, new or
> > established connections, or is manually adding an iptables rule my only
> > option?
>
> You can bypass connection tracking for dropping existing connections by
> adding a rule in the *raw* or *mangle* table when using the iptables
> backend. The fastest way I know of is to add a direct rule:
>
> A more efficient way would be to use ipsets:
>
> firewall-cmd --permanent --zone=drop --add-source=ipset:blacklist
> firewall-cmd --permanent --ipset=blacklist --add-entry=1.2.3.4
> firewall-cmd --permanent --ipset=blacklist --add-entry=4.3.2.1
>
> This should terminate any existing connection and prevent new ones.
I haven't done much testing, but this does not seem to be quite right. After creating and adding the ipset, iptables -n -L still shows me:
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT

and

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED,DNAT
So, if the packet is already for an established connection, looks like it will be accepted or forwarded right off the bat.
Now, after those existing rules, rules follow that pull in other chains, such as INPUT_ZONES and FORWARD_IN_ZONES, where I see a rule referencing the blacklist ipset. So this will reject new connections, for sure, but it looks like packets for existing, established connections will still be forwarded. Or maybe I am misinterpreting what an ACCEPT for "RELATED,ESTABLISHED,DNAT" does.
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
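The rule-ordering question Sam raises above, as an added example that is not part of the thread and not firewalld's own code: a small simulator that parses `iptables -S`-style dumps and walks them for a hypothetical packet, so you can see which rule a NEW versus an ESTABLISHED packet from a blacklisted address actually hits. The two rule dumps are constructed and simplified (the filter table mirrors the chain order Sam lists, with `INPUT_direct`, `INPUT_ZONES_SOURCE` and the `IN_drop` zone chain; the raw table models Thorsten's suggested direct rule, and the `PREROUTING_direct` chain name and the ipset name being visible to the kernel under the same name are assumptions). Only the `conntrack` and `set` matches are modelled; the addresses 192.0.2.10 and 198.51.100.7 are constructed test values.

```python
"""Added example, not code from the thread or from firewalld: parse iptables -S
style dumps and walk them for a hypothetical packet, to show why a DROP reached
through firewalld's zone chains never sees ESTABLISHED traffic while a rule in
the raw table does.  The rule dumps below are constructed and simplified."""
import shlex
from ipaddress import ip_address, ip_network

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(tokens, text):
    """Options after '-A CHAIN' -> rule dict; unmodelled options raise."""
    rule = {"text": text, "target": None, "goto": False, "ctstate": set(), "set": None}
    it = iter(tokens)
    for opt in it:
        if opt == "-m":
            next(it)                      # module name; its options follow
        elif opt == "--ctstate":
            rule["ctstate"] = set(next(it).split(","))
        elif opt == "--match-set":        # (ipset name, "src" | "dst")
            rule["set"] = (next(it), next(it))
        elif opt in ("-j", "-g"):
            rule["target"], rule["goto"] = next(it), opt == "-g"
        else:
            raise ValueError(f"unsupported option {opt!r} in: {text}")
    return rule


def parse_table(dump):
    """iptables -S output -> (policies, {chain: [rule, ...]})."""
    policies, chains = {}, {}
    for line in dump.strip().splitlines():
        tokens = shlex.split(line)
        if tokens[0] == "-P":
            policies[tokens[1]] = tokens[2]
        elif tokens[0] == "-A":
            chains.setdefault(tokens[1], []).append(parse_rule(tokens[2:], line))
    return policies, chains


def matches(rule, pkt, ipsets):
    if rule["ctstate"] and pkt["ctstate"] not in rule["ctstate"]:
        return False
    if rule["set"] is not None:
        name, direction = rule["set"]
        return any(pkt[direction] in net for net in ipsets.get(name, ()))
    return True


def walk(chain, chains, pkt, ipsets):
    """Return (verdict, rule text), or (None, None) when the chain falls off its
    end.  A -j caller resumes after the target chain ends; a -g caller does not,
    so None from a goto target is handed straight back to the -j caller above."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt, ipsets):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], rule["text"]
        if rule["target"] in chains:
            verdict, why = walk(rule["target"], chains, pkt, ipsets)
            if rule["goto"] or verdict is not None:
                return verdict, why
        # empty user chains (absent from `chains`) and LOG do not terminate
    return None, None


def trace_packet(tables, pkt, ipsets):
    """Run pkt through (dump, hook chain) pairs in traversal order, e.g. raw
    PREROUTING then filter INPUT.  ACCEPT ends only the current table; DROP
    and REJECT end the whole traversal."""
    verdict, why = "ACCEPT", "no tables"
    for dump, hook in tables:
        policies, chains = parse_table(dump)
        verdict, why = walk(hook, chains, pkt, ipsets)
        if verdict is None:
            verdict, why = policies.get(hook, "ACCEPT"), f"{hook} policy"
        if verdict in ("DROP", "REJECT"):
            return verdict, why
    return verdict, why


# Constructed, simplified filter table as firewalld (iptables backend) lays it
# out with a "blacklist" ipset bound to the drop zone; the order is the point.
FILTER_RULES = """
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT
-A INPUT_ZONES_SOURCE -m set --match-set blacklist src -g IN_drop
-A INPUT_ZONES -g IN_public
-A IN_drop -j IN_drop_log
-A IN_drop -j DROP
-A IN_public -j REJECT
"""
# Assumed rendering of a raw-table direct rule (PREROUTING_direct name assumed):
#   firewall-cmd --permanent --direct --add-rule ipv4 raw PREROUTING 0 \
#       -m set --match-set blacklist src -j DROP
RAW_RULES = """
-P PREROUTING ACCEPT
-A PREROUTING -j PREROUTING_direct
-A PREROUTING_direct -m set --match-set blacklist src -j DROP
"""
IPSETS = {"blacklist": [ip_network("1.2.3.4/32"), ip_network("4.3.2.1/32")]}
FILTER_ONLY = [(FILTER_RULES, "INPUT")]
RAW_THEN_FILTER = [(RAW_RULES, "PREROUTING"), (FILTER_RULES, "INPUT")]


def make_packet(src, ctstate):
    # hypothetical inbound packet; the destination address is constructed
    return {"src": ip_address(src), "dst": ip_address("192.0.2.10"), "ctstate": ctstate}
```

Running `trace_packet(FILTER_ONLY, make_packet("1.2.3.4", "ESTABLISHED"), IPSETS)` returns ACCEPT from the conntrack rule at the top of INPUT, while the same packet with state NEW is dropped in `IN_drop`; with `RAW_THEN_FILTER` both states are dropped in `PREROUTING_direct` before conntrack ever sees them. Note that a direct rule placed in the filter table (`INPUT_direct`) would sit after the conntrack ACCEPT and suffer the same problem as the zone rule, which is why the raw or mangle table is the place for it.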