I am trying to get my firewalld to block an ip address with the rules:

  • sudo firewall-cmd --zone=block --add-source=<ip_address/submask> --permanent, and also adding this rich rule to the default zone (public):
  • sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address=<ip_address> reject', then finally I reload the rules with sudo firewall-cmd --reload

But still I can navigate to the sites in my browser. Obviously I am doing something wrong. How can I block access to any webpage using firewalld?

These are my zone rules set:

block (active)
  interfaces: enp0s3
  sources: 172.217.5.110/32 216.49.176.33/32
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 


public (default, active)
  interfaces: docker0
  sources: 
  services: dhcpv6-client ssh
  ports: 993/tcp 995/udp 995/tcp 22161/udp 4243/tcp 22/tcp 22/udp 465/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

1 Answer

OK, after a lot of digging I finally got it to work. It requires that I add what is called a direct rule, so to block an IP like 216.49.176.33 the rules to add would be:

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 216.49.176.33/32 -p tcp -m tcp --dport=80 -j DROP

sudo firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d 216.49.176.33/32 -p tcp -m tcp --dport=443 -j DROP

Then reload with:

sudo firewall-cmd --reload

To see the added rules:

sudo firewall-cmd --direct --get-all-rules

Now remove the interface from the default zone, which in my case was public, as the rule says:

If my interface is associated with a zone, in this case public, then any requests from that interface will go through, since the zone has no restrictions placed on the interface.

The rule used by firewalld is: when a packet is received or generated, which zone matches that packet? Then the rules in that zone will be applied to that packet to determine what happens to it.

To remove it I used:

sudo firewall-cmd --permanent --remove-interface=enp0s3
sudo firewall-cmd --reload

NOTE:

After this you will have to clear browsing data from the browser(s) involved, and after that you will be unable to access that IP address. Note that I also used the mask /32 to make sure those IPs that have multiple IPs pointing to their domain will be blocked.

Of course, the CHAIN option can also be INPUT to prevent inbound traffic as well. The option --dport=<80|443> is used to catch both HTTP and HTTPS traffic.

Usage:

usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
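As an added example (not part of the answer above), the same direct-rule procedure wrapped into shell functions: one builds the rule arguments in the exact form the answer uses, one adds the port 80 and 443 OUTPUT rules for an address and reloads, and one checks the text printed by firewall-cmd --direct --get-all-rules for a given rule. The function names, the DRY_RUN switch, and the choice of -s (source) for the INPUT chain versus -d (destination) for OUTPUT are this example's own assumptions.

```bash
#!/bin/sh
# Added example, not the original answer's code. With DRY_RUN=1 (the
# default) the commands are printed instead of run, so nothing changes
# on the host until you set DRY_RUN=0. Assumes firewall-cmd is on PATH.

DRY_RUN="${DRY_RUN:-1}"

# Print the command when dry-running, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4_cidr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# Build the <args> part of one direct rule, in the shape the answer uses:
#   ipv4 filter OUTPUT 0 -d <ip/cidr> -p tcp -m tcp --dport=<port> -j DROP
# For INPUT the address is the packet's source, so -s is used instead of -d.
direct_rule_args() {
    chain="$1"; ip="$2"; port="$3"
    case "$chain" in INPUT) flag="-s" ;; *) flag="-d" ;; esac
    printf 'ipv4 filter %s 0 %s %s -p tcp -m tcp --dport=%s -j DROP' "$chain" "$flag" "$ip" "$port"
}

# Add permanent OUTPUT DROP rules for HTTP and HTTPS to one host or CIDR block, then reload.
block_outbound_ip() {
    ip="$1"
    case "$ip" in */*) ;; *) ip="$ip/32" ;; esac      # bare address -> single host
    valid_ipv4_cidr "$ip" || { echo "invalid address: $1" >&2; return 1; }
    for port in 80 443; do
        run sudo firewall-cmd --permanent --direct --add-rule $(direct_rule_args OUTPUT "$ip" "$port")
    done
    run sudo firewall-cmd --reload
}

# Check whether a rule is present in the output of "firewall-cmd --direct --get-all-rules".
# $1 = that output (captured text), $2 = chain, $3 = ip/cidr, $4 = port.
direct_rule_present() {
    printf '%s\n' "$1" | grep -Fqx "$(direct_rule_args "$2" "$3" "$4")"
}
```

To apply for real: DRY_RUN=0 block_outbound_ip 216.49.176.33, then pass "$(sudo firewall-cmd --direct --get-all-rules)" to direct_rule_present to confirm both rules landed.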