Mike
2018-Nov-11 15:48 UTC
[CentOS] Drop/Terminate data to/from source using firewalld rich rules
I need to be able to temporarily cut off the source of network slowdowns.

What I used to do:
Router with 2 x NICs running Slackware 14. Execute iptraf-ng, choose IP Network Monitor and sort by Byte Count. The sorted screen always seemed a bit confusing but I could usually pluck a couple of IP addresses with racing byte counts and cut all traffic to them using an iptables rule. Then if I wanted to identify the computer or device, I'd go into the dhcpd.leases file and look for the IP address and the corresponding device hostname. It was a bit of a pain, but it worked.

Now:
Router with 2 x NICs running CentOS 7. Using systemd and firewalld with 2 zones: external (internet-facing) and internal (LAN-facing). Now when I try the same thing using firewall-cmd rich rules, it won't work.

Example:

[root@hello ~]# firewall-cmd --zone=external --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
rule family="ipv4" source address="40.97.126.210/32" drop

and

[root@hello ~]# firewall-cmd --zone=internal --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop

It didn't work. The traffic continued to burst away for another hour before stopping. The address (40.97.126.210) belongs to Microsoft so I'm not concerned about publishing it.

What am I doing wrong with firewalld rich rules and how do I properly drop/terminate traffic to/from a specific source on the LAN?
Current command - ADD rich rule to drop any traffic in zone "internal" from source ip address 10.10.1.125:

firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address=10.10.1.125/24 drop'
firewall-cmd --reload

REMOVE the same rich rule above:

firewall-cmd --permanent --zone=internal --remove-rich-rule='rule family=ipv4 source address=10.10.1.125/24 drop'
firewall-cmd --reload

Thank you for reading.
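A small helper for the add/remove procedure above, added here as an example and not part of the original post. It assumes CentOS 7 with firewall-cmd and the conntrack-tools package installed; the function names are made up for this example. Note that "10.10.1.125/24" names the whole 10.10.1.0/24 network, so the helper always emits a /32 host rule, and it clears the host's existing conntrack entries because firewalld accepts ESTABLISHED flows before the zone rules are consulted.

```shell
#!/bin/sh
# Hypothetical helper (example code, not from the original post).

# Print the rich rule that drops all traffic from ONE IPv4 host.
# A bare dotted quad is required; the /32 is appended here so a
# mistyped /24 cannot silently cover the whole LAN.
host_drop_rule() {
    ip="$1"
    case "$ip" in
        */*) echo "refusing '$ip': pass a bare host address, /32 is added here" >&2; return 1 ;;
    esac
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        || { echo "bad address: $ip" >&2; return 1; }
    printf 'rule family=ipv4 source address=%s/32 drop\n' "$ip"
}

# Add the rule to a zone, confirm it is active, then delete the host's
# existing conntrack entries so an in-flight transfer stops now instead
# of running until the connection ends on its own.
block_host() {
    zone="$1"; ip="$2"
    rule=$(host_drop_rule "$ip") || return 1
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    firewall-cmd --reload
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"   # prints "yes" when active
    conntrack -D -s "$ip" || true   # flows the host opened
    conntrack -D -d "$ip" || true   # flows opened towards the host
}

# Remove the same rule again and reload.
unblock_host() {
    zone="$1"; ip="$2"
    rule=$(host_drop_rule "$ip") || return 1
    firewall-cmd --permanent --zone="$zone" --remove-rich-rule="$rule"
    firewall-cmd --reload
}

# Only touch the firewall when invoked explicitly, e.g.:
#   ./block.sh block internal 10.10.1.125
#   ./block.sh unblock internal 10.10.1.125
case "${1:-}" in
    block)   block_host "$2" "$3" ;;
    unblock) unblock_host "$2" "$3" ;;
esac
```

Run `firewall-cmd --zone=internal --list-rich-rules` afterwards to confirm only /32 entries remain for the hosts you meant to cut off.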