Say I want to drop/reject outgoing connections to a particular destination address (for parental control). How would I do this with firewalld?

I tried

    firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol value="tcp" destination address='aa.bb.0.0/16' reject"
    firewall-cmd --reload

Then,

    firewall-cmd --zone=FedoraWorkstation --list-all
    FedoraWorkstation (active)
      target: default
      icmp-block-inversion: no
      interfaces: enp8s0
      sources:
      services: dhcpv6-client ftp mdns mountd nfs rpc-bind samba-client ssh
      ports: 1025-65535/udp 1025-65535/tcp
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" destination address="aa.bb.0.0/16" protocol value="tcp" reject

does show that the rule was added. However, I was still able to connect to the destination with no issues.

In the past I did that with iptables and I can probably still do that now, but I think nowadays we're supposed to use firewalld, via firewall-cmd or firewall-config.

The problem with firewalld is that it has zones, which are defined based either on network interfaces or on IP sources (or ranges), but not on the destination IP. See e.g. https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations . What I need is to filter based on the destination address.

I found this post saying that it's actually not easy to filter based on destination address with firewalld, and that we'd have to use firewall-cmd --direct to inject the filter rule directly into iptables:

https://serverfault.com/questions/918754/firewalld-stop-outgoing-traffic-to-a-particular-ip-address

But then, the documentation for firewalld.direct says this is deprecated.

What I think needs to happen is this:

1. duplicate the default zone (Fedora Workstation) to, say, Parental Control
2. In the Parental Control zone add the drop rule to the specific destinations
3. switch between Fedora Workstation and Parental Control as needed.

How can this be done?