CentOS - Jul 2016 - How to block routing/forwarding with firewalld

On CentOS 7 with firewalld I have a box with numerous interfaces acting 
as a NAT gateway.  This works but I noticed that it routes/forwards 
traffic not just from my internal zone to external zone but also between 
interfaces within the internal zone.  How can I prevent that traffic?

I've tried adding direct and rich rules to deny the traffic but it 
doesn't work.  Direct:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 
10.110.0.0/22 -j REJECT

That command works, and I see it in `iptables -L` but traffic is still 
allowed.  Rich:

# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source 
address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action

I can't find any explanation of what that error means.  So, how do you 
tell firewalld to stop forwarding traffic between interfaces?



# firewall-cmd --get-active-zones
public
   interfaces: ens161 ens193
trusted
   interfaces: ens192 ens224 ens256 lo

# firewall-cmd --list-all
public (default, active)
   interfaces: ens161 ens193
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: yes
   forward-ports:
   icmp-blocks:
   rich rules:

-- 
Jeff White
HPC Systems Engineer
Information Technology Services - WSU

--On Tuesday, July 12, 2016 11:20 AM -0700 Jeff White <jeff.white at
wsu.edu>
wrote:
> how do you tell firewalld to stop forwarding traffic between interfaces?
(Caveat: I'm a firewalld virgin so know only what I've read.)

I believe firewalld works in terms of "zones", not interfaces. An
interface
belongs to a zone. So you need to create new zones that contain each 
interface you want to isolate, based on the default zone properties. You 
can then issue rules based on those zones.

On 12/07/16 18:20, Jeff White wrote:
> On CentOS 7 with firewalld I have a box with numerous 
> interfaces acting as a NAT gateway.  This works but I 
> noticed that it routes/forwards traffic not just from my 
> internal zone to external zone but also between interfaces 
> within the internal zone.  How can I prevent that traffic?
>
> I've tried adding direct and rich rules to deny the 
> traffic but it doesn't work.  Direct:
>
> firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 
> 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT
>
> That command works, and I see it in `iptables -L` but 
> traffic is still allowed.  Rich:
>
> # firewall-cmd --zone=trusted --add-rich-rule='rule 
> family=ipv4 source address=10.110.4.0/22 destination 
> address=10.110.0.0/22 reject'
> Error: INVALID_RULE: destination action
>
> I can't find any explanation of what that error means.  
> So, how do you tell firewalld to stop forwarding traffic 
> between interfaces?
>
>
>
> # firewall-cmd --get-active-zones
> public
>   interfaces: ens161 ens193
> trusted
>   interfaces: ens192 ens224 ens256 lo
>
> # firewall-cmd --list-all
> public (default, active)
>   interfaces: ens161 ens193
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
yes, to me too it sort of defines basic logic - one would 
expect to be able with a "rich rule" to block/ban a host 
(actually there are quite few articles on the net stating it 
should be doing that)

public (active)
   interfaces: em3
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: yes
   forward-ports:
   icmp-blocks:
   rich rules:
         rule family="ipv4" source address="192.168.2.0/24" 
reject

yet host from 192.168.2.0/24 (which is firewalld's zone 
work) are able to masquerade and access all (in this case 
whole Internet) behind em3 interface.
It smells like a bug to me.