So after digging a bit more into this,

  firewall-cmd --get-active-zone
  FedoraWorkstation
    interfaces: enp8s0
  docker
    interfaces: docker0

  firewall-cmd --get-default-zone
  FedoraWorkstation

  firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol value="tcp" destination address='aa.bb.0.0/16' reject"

This shows in firewall-cmd --list-all # FedoraWorkstation (active) as well as in nft:

  nft list ruleset
    chain filter_IN_FedoraWorkstation_deny {
      ip daddr a.b.0.0/16 meta l4proto tcp reject with icmp port-unreachable
    }

but it doesn't show in iptables at all. So I suppose the rule got inserted properly, but why does it not do anything?

On Sun, 18 Jun 2023 18:15:13 -0000 (UTC), Amadeus WM via users wrote:
> Say I want to drop/reject outgoing connections to a particular
> destination address (for parental control). How would I do this with
> firewalld?
>
> I tried
>
>   firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol value="tcp" destination address='aa.bb.0.0/16' reject"
>
>   firewall-cmd --reload
>
> Then,
>
>   firewall-cmd --zone=FedoraWorkstation --list-all
>   FedoraWorkstation (active)
>     target: default
>     icmp-block-inversion: no
>     interfaces: enp8s0
>     sources:
>     services: dhcpv6-client ftp mdns mountd nfs rpc-bind samba-client ssh
>     ports: 1025-65535/udp 1025-65535/tcp
>     protocols:
>     forward: no
>     masquerade: no
>     forward-ports:
>     source-ports:
>     icmp-blocks:
>     rich rules:
>       rule family="ipv4" destination address="aa.bb.0.0/16" protocol value="tcp" reject
>
> does show that the rule was added. However, I was still able to connect
> to the destination with no issues.
>
> In the past I did that with iptables and I can probably still do that
> now, but I think nowadays we're supposed to use firewalld, via
> firewall-cmd or firewall-config.
>
> The problem with firewalld is that it has zones, which are defined based
> either on network interfaces or on IP sources (or ranges), but not on
> the destination IP. See e.g.
> https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations .
> What I need is to filter based on the destination address.
>
> I found this post saying that it's actually not easy to filter based on
> destination address with firewalld, and that we'd have to use
> firewall-cmd --direct to inject the filter rule directly into iptables:
>
> https://serverfault.com/questions/918754/firewalld-stop-outgoing-traffic-to-a-particular-ip-address
>
> But then, the documentation for firewalld.direct says this is
> deprecated.
>
> What I think needs to happen is this:
> 1. duplicate the default zone (Fedora Workstation) to, say, Parental
>    Control
> 2. In the Parental Control zone add the drop rule to the specific
>    destinations
> 3. switch between Fedora Workstation and Parental Control as needed.
>
> How can this be done?

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
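The nft output in the message above places the rich rule in a filter_IN_ chain, i.e. firewalld attached it to the zone's input path, which connections the host itself opens never traverse. As an added example (not code from the thread or from the firewalld project), the following script reads saved `nft list ruleset` text and reports which direction a destination-address rule landed in, and shows the policy-based configuration that filters traffic the host originates; it assumes firewalld 1.0 or newer (where policies exist), an arbitrarily chosen policy name "parental", and a constructed ruleset sample with the placeholder prefix 10.20.0.0/16.

```shell
#!/bin/sh
# Added example, not from the thread or the firewalld project.
# rule_direction: for every rule matching a destination prefix in nft output,
#   print the firewalld chain holding it and the direction that chain filters
#   (filter_IN_/filter_FWD_/filter_OUT_ are firewalld's own chain prefixes).
# block_outgoing_to: policy-based configuration for filtering connections the
#   host itself opens (assumes firewalld >= 1.0; "parental" is an arbitrary name).

# Constructed sample modelled on the nft output quoted in the thread; the
# second chain is invented to show what an egress hit looks like.
SAMPLE_RULESET='table inet firewalld {
    chain filter_IN_FedoraWorkstation_deny {
        ip daddr 10.20.0.0/16 meta l4proto tcp reject with icmp port-unreachable
    }
    chain filter_OUT_policy_parental_deny {
        ip daddr 10.20.0.0/16 meta l4proto tcp reject with icmp port-unreachable
    }
}'

# Usage: rule_direction <dst-prefix> <ruleset-text>
# Prints "<chain> <ingress|forward|egress|unknown>" once per matching rule.
rule_direction() {
    printf '%s\n' "$2" | awk -v p="$1" '
        /^[[:space:]]*chain / { chain = $2 }
        index($0, "daddr " p) {
            dir = "unknown"
            if (chain ~ /^filter_IN_/)  dir = "ingress"
            if (chain ~ /^filter_FWD_/) dir = "forward"
            if (chain ~ /^filter_OUT_/) dir = "egress"
            print chain, dir
        }'
}

# Usage (as root): block_outgoing_to 10.20.0.0/16
# Ingress zone HOST plus egress zone ANY makes the policy apply to traffic
# this machine originates, which a zone rich rule on the input path never sees.
block_outgoing_to() {
    firewall-cmd --permanent --new-policy=parental 2>/dev/null || true  # may already exist
    firewall-cmd --permanent --policy=parental --add-ingress-zone=HOST
    firewall-cmd --permanent --policy=parental --add-egress-zone=ANY
    firewall-cmd --permanent --policy=parental \
        --add-rich-rule="rule family='ipv4' destination address='$1' protocol value='tcp' reject"
    firewall-cmd --reload
}

# Run the check on the sample: the first line shows the thread's rule sits in
# an ingress chain, which is why outgoing connections were unaffected.
rule_direction 10.20.0.0/16 "$SAMPLE_RULESET"
```

Feed the real output of `nft list ruleset` to rule_direction on the affected machine to confirm where your own rule ended up before changing the configuration.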