
I have CentOS 7. I'm trying to stop all outbound traffic from a server to a specific IP address, but firewalld is not blocking the traffic. Here's what I did:

[root@server network-scripts]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" destination address="134.223.116.100" drop

[root@server network-scripts]# firewall-cmd --get-active-zones
public
  interfaces: ens192

[root@server network-scripts]# firewall-cmd --state
running

But I can still curl to the IP address, so what is wrong?

[root@server network-scripts]# curl 134.223.116.100
<HTML><HEAD>
<TITLE>Access Denied</TITLE>
leontp587

1 Answer


I don't like debugging firewall issues from a front-end and prefer to look at the actual rule sets with [sudo] iptables -L -v -n or [sudo] iptables-save.
I think that will show that your rich rule is still only applied to incoming connections, rather than outgoing.

To use firewalld for anything but incoming traffic is AFAIK rather difficult to achieve, and you may have to resort to direct rules:

 sudo firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 134.223.116.100/32  -j REJECT
HBruijn
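The answer's advice is to read the real rule set rather than the firewalld front-end. The script below is an added example, not code from the original answer: it walks the `-j`/`-g` jump graph in `iptables-save` output to tell whether a DROP/REJECT for a destination is actually reachable from INPUT or from OUTPUT. The two rule-set excerpts are constructed and assume the usual firewalld chain layout on CentOS 7 (INPUT -> INPUT_ZONES -> IN_public -> IN_public_deny for the rich rule, OUTPUT -> OUTPUT_direct for the direct rule).

```shell
#!/bin/sh
# Constructed iptables-save excerpt (not from the original post); it assumes the
# usual firewalld chain layout on CentOS 7, where the rich rule from the question
# lands in IN_public_deny, a chain reached only by jumps from INPUT.
BEFORE='*filter
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i ens192 -g IN_public
-A IN_public -j IN_public_deny
-A IN_public_deny -d 134.223.116.100/32 -j DROP
-A OUTPUT -j OUTPUT_direct'
# Same ruleset after the direct rule from the answer: REJECT now sits in
# OUTPUT_direct, which OUTPUT jumps to, so outbound packets reach it.
AFTER="$BEFORE
-A OUTPUT_direct -d 134.223.116.100/32 -j REJECT --reject-with icmp-port-unreachable"

# dst_blocked ROOT DST: read iptables-save text on stdin, exit 0 if a DROP or
# REJECT rule for DST is reachable by following -j/-g jumps from the built-in
# chain ROOT (INPUT or OUTPUT), else exit 1.  Live check on the server:
#   iptables-save | dst_blocked OUTPUT 134.223.116.100
dst_blocked() {
  awk -v root="$1" -v dst="$2" '
    $1 == "-A" {
      target = ""
      for (i = 3; i <= NF; i++) if ($i == "-j" || $i == "-g") target = $(i + 1)
      if (target == "DROP" || target == "REJECT") {
        # terminal rule: remember its chain if it matches our destination
        if (index($0, " -d " dst "/32 ")) blocks[$2] = 1
      } else if (target != "" && target != "ACCEPT" && target != "RETURN" && target != "LOG") {
        # jump into a user chain: record the edge chain -> target
        edges[$2, ++n[$2]] = target
      }
    }
    END {
      # breadth-first walk over the jump graph, starting at the built-in chain
      queue[1] = root; head = 1; tail = 1; seen[root] = 1; found = 0
      while (head <= tail) {
        c = queue[head++]
        if (c in blocks) { found = 1; break }
        for (i = 1; i <= n[c]; i++) {
          t = edges[c, i]
          if (!(t in seen)) { seen[t] = 1; queue[++tail] = t }
        }
      }
      exit (found ? 0 : 1)
    }'
}
```

Fed the BEFORE text with ROOT=OUTPUT the function exits 1, which is the situation in the question: the rich rule is only reachable from INPUT. With the AFTER text it exits 0, because the direct rule hangs off OUTPUT_direct.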