I need to be able to temporarily cut off the source of network slowdowns. What I used to do: Router with 2 x NICs running Slackware 14. Execute iptraf-ng, choose IP Network Monitor and sort by Byte Count. The sorted screen always seemed a bit confusing, but I could usually pluck a couple of IP addresses with racing byte counts and cut all traffic to them using an iptables rule. Then if I wanted to identify the computer or device, I’d go into the dhcpd.leases file and look for the IP address and the corresponding device hostname. It was a bit of a pain, but it worked.
Now: Router with 2 x NICs running CentOS 7. Using systemd and firewalld with 2 zones: external (internet-facing) and internal (LAN-facing). Now when I try the same thing using firewall-cmd rich rules, it won’t work. Example:

    [root@hello ~]# firewall-cmd --zone=external --list-rich-rules
    rule family="ipv4" source address="10.10.1.73/24" drop
    rule family="ipv4" source address="40.97.126.210" drop
    rule family="ipv4" source address="10.10.1.73/32" drop
    rule family="ipv4" source address="40.97.126.210/32" drop

and

    [root@hello ~]# firewall-cmd --zone=internal --list-rich-rules
    rule family="ipv4" source address="10.10.1.73/24" drop
    rule family="ipv4" source address="40.97.126.210" drop
    rule family="ipv4" source address="10.10.1.73/32" drop

It didn’t work. The traffic continued to burst away for another hour before stopping. The address (40.97.126.210) belongs to Microsoft, so I’m not concerned about publishing it.

What am I doing wrong with firewalld rich rules, and how do I properly drop/terminate traffic to/from a specific source on the LAN?

Current command - ADD rich rule to drop any traffic in zone "internal" from source IP address 10.10.1.125:

    firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address=10.10.1.125/24 drop'
    firewall-cmd --reload

REMOVE the same rich rule above:

    firewall-cmd --permanent --zone=internal --remove-rich-rule='rule family=ipv4 source address=10.10.1.125/24 drop'
    firewall-cmd --reload

Thank you for reading.

_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
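Added example, not part of the mailing-list post above: a small Python helper that covers the two manual steps the poster describes, looking an address up in dhcpd.leases to identify the device (hostname and MAC), and building the firewalld rich rule text for that one host. The leases content is constructed for the example and the hostnames and MAC addresses are made up; the real file on the router is /var/lib/dhcpd/dhcpd.leases. It also uses Python's ipaddress module to show how many hosts a source written with a /24 suffix matches compared with /32, because iptables normalizes a source such as 10.10.1.125/24 to the whole 10.10.1.0/24 network, so that rule drops every LAN host rather than one.

```python
"""Identify a noisy LAN host from dhcpd.leases and build a firewalld rich
rule that drops exactly that host.

Added example, not from the CentOS mailing-list post.  SAMPLE_LEASES is
constructed in ISC dhcpd.leases format; names and MACs are invented.
"""
import ipaddress
import re

# Constructed sample.  dhcpd appends to the file, so the last block for an
# address is the current lease (10.10.1.125 below was re-leased).
SAMPLE_LEASES = """\
lease 10.10.1.125 {
  starts 3 2017/05/10 08:00:00;
  ends 3 2017/05/10 20:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "old-laptop";
}
lease 10.10.1.73 {
  starts 3 2017/05/10 09:00:00;
  ends 3 2017/05/10 21:00:00;
  binding state active;
  hardware ethernet AA:BB:CC:DD:EE:FF;
  client-hostname "media-box";
}
lease 10.10.1.125 {
  starts 3 2017/05/10 21:00:00;
  ends 4 2017/05/11 09:00:00;
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "new-phone";
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9a-fA-F:]+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def parse_leases(text):
    """Return {ip: {"mac": ..., "hostname": ...}}.  Later blocks override
    earlier ones, matching the append-only semantics of dhcpd.leases."""
    leases = {}
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        leases[ip] = {
            "mac": mac.group(1).lower() if mac else None,
            "hostname": host.group(1) if host else None,
        }
    return leases


def identify(ip, leases):
    """Lease record for ip, or None if the address has no lease (static host?)."""
    return leases.get(ip)


def hosts_covered(cidr):
    """Number of addresses a rich-rule source with this suffix matches.
    strict=False mirrors iptables, which keeps only the network bits."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def rich_rule(ip):
    """Rich rule that drops one host: always a host mask (/32 or /128),
    never the /24 the post used, which would cover the whole subnet."""
    host = ipaddress.ip_address(ip)
    return (f'rule family="ipv{host.version}" '
            f'source address="{host}/{host.max_prefixlen}" drop')


def block_commands(ip, zone="internal"):
    """Commands to apply the rule now (runtime) and across reloads (permanent).
    The zone must be the one holding the LAN-facing interface, since a zone's
    rules only see packets that enter through an interface bound to it."""
    rule = rich_rule(ip)
    return [
        f"firewall-cmd --zone={zone} --add-rich-rule='{rule}'",
        f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'",
    ]


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    noisy = "10.10.1.125"
    print("device:", identify(noisy, leases))
    print("/24 matches", hosts_covered(noisy + "/24"), "addresses;",
          "/32 matches", hosts_covered(noisy + "/32"))
    for cmd in block_commands(noisy):
        print(cmd)
```

Running it prints the current lease for 10.10.1.125 (the later "new-phone" entry, not the expired "old-laptop" one), shows that the /24 form covers 256 addresses while /32 covers 1, and emits the two firewall-cmd lines. The runtime command takes effect immediately; the permanent one survives a reload, which is why the post's add-then-reload sequence is needed when only --permanent is used.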