Say I want to drop/reject outgoing connections to a particular destination 
address (for parental control). How would I do this with firewalld? 

I tried 

firewall-cmd --permanent --add-rich-rule="rule family='ipv4' protocol value='tcp' destination address='aa.bb.0.0/16' reject"

firewall-cmd --reload

Then, 

firewall-cmd --zone=FedoraWorkstation --list-all
FedoraWorkstation (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp8s0
  sources: 
  services: dhcpv6-client ftp mdns mountd nfs rpc-bind samba-client ssh
  ports: 1025-65535/udp 1025-65535/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
        rule family="ipv4" destination address="aa.bb.0.0/16" protocol value="tcp" reject

does show that the rule was added. However, I was still able to connect to 
the destination with no issues.


In the past I did that with iptables and I can probably still do that now, 
but I think nowadays we're supposed to use firewalld, via firewall-cmd or 
firewall-config. 

The problem with firewalld is that it has zones, which are defined based 
either on network interfaces or on IP sources (or ranges), but not on the 
destination IP. See e.g. https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations . 
What I need is to filter based on the destination address. 


I found this post saying that it's actually not easy to filter based on 
destination address with firewalld, and that we'd have to use firewall-cmd 
--direct to inject the filter rule directly into iptables:

https://serverfault.com/questions/918754/firewalld-stop-outgoing-traffic-to-a-particular-ip-address

But then, the documentation for firewalld.direct says this is deprecated.

What I think needs to happen is this:
1. Duplicate the default zone (Fedora Workstation) to, say, Parental 
Control.
2. In the Parental Control zone, add the drop rule for the specific 
destinations.
3. Switch between Fedora Workstation and Parental Control as needed.

How can this be done?
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
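An added example, not from the poster or from the Fedora list: a zone's rich rules are matched against traffic arriving at the host in that zone, so a reject rule in FedoraWorkstation never sees connections the host itself opens. firewalld policy objects (firewalld 0.9.0 and later) do cover that path: a policy with ingress zone HOST (locally generated traffic) and egress zone ANY is evaluated for every outgoing connection, and a destination-address rich rule placed in it rejects the traffic the question is about. The policy name "parental-control", the FIREWALL_CMD override and the 203.0.113.0/24 test range are assumptions of this example; the rich rule text itself follows what the question's `--list-all` output shows.

```sh
#!/bin/sh
# Added example (not from the original post): reject outgoing TCP connections to
# the given destination networks with a firewalld policy object. Assumes
# firewalld 0.9.0 or later (policy support) and root privileges for a real run.
# FIREWALL_CMD can be overridden (e.g. FIREWALL_CMD=echo) for a dry run.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
POLICY="${POLICY:-parental-control}"   # policy name chosen for this example

# Build the rich rule text for one destination network. The format string is in
# single quotes, so the double quotes reach firewall-cmd untouched.
rich_rule_for() {
    printf 'rule family="ipv4" destination address="%s" protocol value="tcp" reject' "$1"
}

# Create the policy if it does not exist yet. Ingress zone HOST means traffic
# generated on this machine; egress zone ANY means towards every zone. Other
# traffic is unaffected because a policy's default target is CONTINUE.
ensure_policy() {
    if ! "$FIREWALL_CMD" --permanent --get-policies | grep -qw -- "$POLICY"; then
        "$FIREWALL_CMD" --permanent --new-policy "$POLICY" &&
        "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-ingress-zone HOST &&
        "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-egress-zone ANY
    fi
}

# Add the reject rule for one destination to the permanent policy configuration
# and return the rule text that was installed.
block_destination() {
    rule=$(rich_rule_for "$1")
    "$FIREWALL_CMD" --permanent --policy "$POLICY" --add-rich-rule="$rule" >/dev/null &&
    printf '%s\n' "$rule"
}

# After --reload, confirm the runtime policy actually carries the rule.
rule_is_active() {
    "$FIREWALL_CMD" --policy "$POLICY" --list-rich-rules | grep -qF -- "$(rich_rule_for "$1")"
}

# Usage: sh block-dest.sh aa.bb.0.0/16 [more CIDRs...]
if [ "$#" -gt 0 ]; then
    ensure_policy || exit 1
    for dest in "$@"; do
        block_destination "$dest" || exit 1
    done
    "$FIREWALL_CMD" --reload
    for dest in "$@"; do
        if rule_is_active "$dest"; then echo "active: $dest"; else echo "NOT active: $dest"; fi
    done
fi
```

Running `FIREWALL_CMD=echo sh block-dest.sh aa.bb.0.0/16` prints the exact firewall-cmd invocations without touching the firewall, which is a cheap way to review the commands before running them as root. Switching the control on and off then amounts to removing or re-adding the policy's egress zone, or removing the rich rule with `--remove-rich-rule`, rather than swapping the interface between zones.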