Does firewalld even work? I can't tell

slapshotct
5th December 2017, 05:43 PM
I was trying to do some testing to see what would happen if a piece of JavaScript couldn't connect to an external source. So, I blocked the IP address of the remote host using firewalld in my runtime environment using Rich Rules. I could still get there. I tried blocking port 80 to and from that IP. Still worked. systemctl status firewalld -l shows firewalld is active and firewall-cmd --state shows it is running. What the heck is going on? First of all, I want to simply block all traffic between my laptop and this one IP. Second, how can I make sure my laptop isn't wide open at this point? If I can't block an IP, I am pretty concerned that firewalld might not be doing anything. In iptables, this was simple.

gjaltemba
5th December 2017, 06:49 PM
If firewalld could not block by IP then there would be many more complaints. Maybe if you post more details then you will get help.

firewall-cmd --get-default-zone
firewall-cmd --list-all
firewall-cmd --list-rich-rules

slapshotct
5th December 2017, 06:58 PM
I am not in the default zone so I don't imagine the first applies unless the default zone is where the rule should go, even when I am not using it. Here is the info for the other two:

[root@t460s ~]# firewall-cmd --list-all --zone="home"
home (active)
target: default
icmp-block-inversion: no
interfaces: wlp4s0
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" destination address="50.97.40.233" reject
rule family="ipv4" source address="50.97.40.233" reject
[root@t460s ~]# firewall-cmd --list-rich-rules --zone="home"
rule family="ipv4" destination address="50.97.40.233" reject
rule family="ipv4" source address="50.97.40.233" reject

slapshotct
5th December 2017, 07:00 PM
As you can see, the port 80 rule is no longer there. I restarted the service and it was removed since I was just working in the runtime. I just wanted to point that out since I mentioned it in the first post and it isn't there now.

gjaltemba
5th December 2017, 08:17 PM
Have you tried specifying the protocol in the Rich rule? Remember to reload or restart firewalld.

protocol=tcp

slapshotct
5th December 2017, 09:25 PM
Well, I was adding them to the runtime instead of the permanent so when I restart they are lost. I was just doing it to test a scenario where something was preventing access to that IP address. Do Rich Rules only work after restarting the firewall? If that is the case, I suppose I could make them permanent and then remove them after the test. That would be a little odd if that is the case though. I tried specifying the protocol when I did the rule blocking port 80 but I was actually trying to block everything (simulating the remote IP being offline).

gjaltemba
6th December 2017, 07:21 PM
I tested blocking a LAN IP with a rich rule on the running firewalld config and it works as expected. At this point I would suggest making sure the home zone is activated, and running a packet trace to see that the source IP matches. You can also look at the iptables rules.

iptables -S | tee ~/firewalld_iptables_rules
ip6tables -S | tee ~/firewalld_ip6tables_rules
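An added example (not from the thread) of what to look for in that saved `iptables -S` output: firewalld zones, and the rich rules inside them, are attached to the path for traffic arriving on the zone's interfaces, so it matters which built-in chain (INPUT, OUTPUT or FORWARD) a REJECT is actually reachable from. The script below walks the -j/-g jump graph backwards for every rule mentioning the IP. The sample rule set is constructed in the shape of firewalld's iptables backend for an active "home" zone on wlp4s0 (chain names are assumptions modelled on that backend, not a capture from the poster's laptop), plus one hand-added OUTPUT rule for contrast.

```python
"""Map each iptables rule mentioning an IP to the built-in chains that can reach it."""
import re
from collections import defaultdict
# Constructed sample in the shape of firewalld's iptables backend for an
# active "home" zone, plus one hand-added OUTPUT rule for contrast.
SAMPLE_RULES = """\
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i wlp4s0 -g IN_home
-A IN_home -j IN_home_deny
-A IN_home -j IN_home_allow
-A IN_home_deny -s 50.97.40.233/32 -j REJECT --reject-with icmp-port-unreachable
-A IN_home_deny -d 50.97.40.233/32 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -d 50.97.40.233/32 -j REJECT --reject-with icmp-port-unreachable
"""
BUILTIN = {"INPUT", "OUTPUT", "FORWARD"}

def parse(text):
    """Return (rules, parents): (chain, body) pairs and, per chain, the set of
    chains that jump into it with -j or -g."""
    rules, parents = [], defaultdict(set)
    for m in re.finditer(r"^-A (\S+) (.*)$", text, re.M):  # -P/-N lines carry no rule
        chain, body = m.groups()
        rules.append((chain, body))
        t = re.search(r"(?:-j|-g) (\S+)", body)
        if t:
            parents[t.group(1)].add(chain)
    return rules, parents

def entry_points(chain, parents):
    """Built-in chains from which `chain` is reachable (walk jumps backwards)."""
    seen, stack, roots = set(), [chain], set()
    while stack:
        c = stack.pop()
        if c in seen:
            continue
        seen.add(c)
        roots |= {c} & BUILTIN
        stack.extend(parents[c])
    return roots

def rules_for_ip(text, ip):
    """Rules matching `ip` (-s or -d), each with the built-in chains that can
    reach it; one reachable only from INPUT leaves outbound traffic untouched."""
    rules, parents = parse(text)
    pat = re.compile(rf"(?:-s|-d) {re.escape(ip)}(?:/32)?\b")
    return [{"chain": c, "rule": b, "from": sorted(entry_points(c, parents))}
            for c, b in rules if pat.search(b)]

if __name__ == "__main__":
    for r in rules_for_ip(SAMPLE_RULES, "50.97.40.233"):
        print(f"{r['chain']:<14} reachable from {r['from']}: {r['rule']}")
```

Feed it the real dump with `rules_for_ip(open("firewalld_iptables_rules").read(), "50.97.40.233")`; a zone rich rule that only shows up under INPUT explains why a connection the laptop opens itself still gets through.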