On CentOS 7 with firewalld I have a box with numerous interfaces acting as a NAT gateway. This works but I noticed that it routes/forwards traffic not just from my internal zone to external zone but also between interfaces within the internal zone. How can I prevent that traffic?

I've tried adding direct and rich rules to deny the traffic but it doesn't work. Direct:

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT

That command works, and I see it in `iptables -L` but traffic is still allowed. Rich:

# firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
Error: INVALID_RULE: destination action

I can't find any explanation of what that error means. So, how do you tell firewalld to stop forwarding traffic between interfaces?

# firewall-cmd --get-active-zones
public
  interfaces: ens161 ens193
trusted
  interfaces: ens192 ens224 ens256 lo

# firewall-cmd --list-all
public (default, active)
  interfaces: ens161 ens193
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

-- 
Jeff White
HPC Systems Engineer
Information Technology Services - WSU
Kenneth Porter
2016-Jul-12 19:02 UTC
[CentOS] How to block routing/forwarding with firewalld
--On Tuesday, July 12, 2016 11:20 AM -0700 Jeff White <jeff.white at wsu.edu> wrote:

> how do you tell firewalld to stop forwarding traffic between interfaces?

(Caveat: I'm a firewalld virgin so know only what I've read.) I believe firewalld works in terms of "zones", not interfaces. An interface belongs to a zone. So you need to create new zones that contain each interface you want to isolate, based on the default zone properties. You can then issue rules based on those zones.
On 12/07/16 18:20, Jeff White wrote:
> I've tried adding direct and rich rules to deny the traffic but it doesn't work.
> [...]
> # firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
> Error: INVALID_RULE: destination action
>
> I can't find any explanation of what that error means. So, how do you tell firewalld to stop forwarding traffic between interfaces?

Yes, to me too it sort of defies basic logic - one would expect to be able, with a "rich rule", to block/ban a host (actually there are quite a few articles on the net stating it should be doing that):

public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.2.0/24" reject

Yet hosts from 192.168.2.0/24 (which is firewalld's zone "work") are able to masquerade and access everything (in this case the whole Internet) behind the em3 interface. It smells like a bug to me.
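Both rules in this thread were installed on the wrong packet path, and `iptables -L` does not make that obvious. Traffic a NAT gateway routes between two of its interfaces traverses the FORWARD chain; it never enters INPUT, which only sees packets addressed to the box itself. Jeff's direct rule was placed in `filter INPUT`, so however correct its source/destination match is, forwarded packets never reach it. (The rich-rule error is a validator message: firewalld of that vintage refused a rule that carried a `destination address` together with only an action and no service or port element, which is what the string "destination action" refers to.) The script below is an added example, not code from the thread or from the firewalld project. Given `iptables-save` output, it reports which chain a REJECT/DROP rule for a given source/destination pair actually landed in and whether that chain is reachable from FORWARD. The two rule sets are constructed samples modelled on the helper chains firewalld uses for direct rules (`INPUT_direct`, `FORWARD_direct`); `forward_rule_cmd` only prints the FORWARD-chain equivalent of Jeff's command and does not execute it.

```shell
#!/bin/sh
# Added example: locate a deny rule in iptables-save output and tell whether it
# sits on the path that routed (forwarded) traffic actually takes.

# Constructed sample of `iptables-save` output, modelled on what the direct rule
# from the thread (added to INPUT) produces. Real output is much longer.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_direct - [0:0]
:FORWARD_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A INPUT_direct -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Same sample after the rule is instead added to the FORWARD chain (constructed).
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/^-A INPUT_direct /-A FORWARD_direct /')

# chains_blocking SRC DST [RULES]: print, one per line, every chain holding a
# REJECT or DROP rule whose -s and -d match exactly this source/destination pair.
chains_blocking() {
  src=$1; dst=$2; rules=${3:-$SAMPLE_RULES}
  printf '%s\n' "$rules" | awk -v s="$src" -v d="$dst" '
    $1 == "-A" {
      chain = $2; hit_s = 0; hit_d = 0; deny = 0
      for (i = 3; i <= NF; i++) {
        if ($i == "-s" && $(i+1) == s) hit_s = 1
        if ($i == "-d" && $(i+1) == d) hit_d = 1
        if ($i == "-j" && ($(i+1) == "REJECT" || $(i+1) == "DROP")) deny = 1
      }
      if (hit_s && hit_d && deny) print chain
    }'
}

# forward_is_filtered SRC DST [RULES]: succeed only if the deny rule is reachable
# from FORWARD, either directly or via firewalld's FORWARD_direct helper chain.
forward_is_filtered() {
  chains_blocking "$1" "$2" "${3:-$SAMPLE_RULES}" | grep -Eq '^FORWARD(_direct)?$'
}

# forward_rule_cmd SRC DST: print (do not run) the direct rule that targets the
# FORWARD chain, which is where a rule must live to affect routed traffic.
forward_rule_cmd() {
  printf 'firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -s %s -d %s -j REJECT\n' "$1" "$2"
}

# Stand-alone demonstration on the two constructed samples.
for rules in "$SAMPLE_RULES" "$FIXED_RULES"; do
  echo "deny rule found in: $(chains_blocking 10.110.4.0/22 10.110.0.0/22 "$rules" | tr '\n' ' ')"
  if forward_is_filtered 10.110.4.0/22 10.110.0.0/22 "$rules"; then
    echo "  forwarded traffic IS filtered"
  else
    echo "  forwarded traffic is NOT filtered; consider: $(forward_rule_cmd 10.110.4.0/22 10.110.0.0/22)"
  fi
done
```

On a live gateway, feed the real ruleset with `chains_blocking 10.110.4.0/22 10.110.0.0/22 "$(iptables-save)"`; the check only recognises chains named FORWARD or FORWARD_direct, so a deny rule that firewalld placed in some other zone chain will show up by name and has to be judged against `iptables -S FORWARD` by hand.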