FedoraForum.org - Fedora Support Forums and Community
  1. #1
    Join Date
    May 2010
    Posts
    24

    Does firewalld even work? I can't tell

    I was trying to do some testing to see what would happen if a piece of javascript couldn't connect to an external source. So, I blocked the IP address of the remote host using firewalld in my runtime environment using Rich Rules. I could still get there. I tried blocking port 80 to and from that ip. Still worked. systemctl status firewalld -l shows firewalld is active and firewall-cmd --state shows it is running. What the heck is going on? First of all, I want to simply block all traffic between my laptop and this one IP. Second, how can I make sure my laptop isn't wide open at this point? If I can't block an IP, I am pretty concerned that firewalld might not be doing anything. In iptables, this was simple.

  2. #2
    Join Date
    Mar 2014
    Location
    Canada
    Posts
    48

    Re: Does firewalld even work? I can't tell

    If firewalld could not block by IP then there would be many more complaints. Maybe if you post more details then you will get help.

    firewall-cmd --get-default-zone
    firewall-cmd --list-all
    firewall-cmd --list-rich-rules

  3. #3
    Join Date
    May 2010
    Posts
    24

    Re: Does firewalld even work? I can't tell

    I am not in the default zone so I don't imagine the first applies unless the default zone is where the rule should go, even when I am not using it. Here is the info for the other two:

    [root@t460s ~]# firewall-cmd --list-all --zone="home"
    home (active)
    target: default
    icmp-block-inversion: no
    interfaces: wlp4s0
    sources:
    services: ssh mdns samba-client dhcpv6-client
    ports:
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:
    rule family="ipv4" destination address="50.97.40.233" reject
    rule family="ipv4" source address="50.97.40.233" reject
    [root@t460s ~]# firewall-cmd --list-rich-rules --zone="home"
    rule family="ipv4" destination address="50.97.40.233" reject
    rule family="ipv4" source address="50.97.40.233" reject

  4. #4
    Join Date
    May 2010
    Posts
    24

    Re: Does firewalld even work? I can't tell

    As you can see, the port 80 rule is no longer there. I restarted the service and it was removed since I was just working in the runtime. I just wanted to point that out since I mentioned it in the first post and it isn't there now.
    Last edited by slapshotct; 5th December 2017 at 07:10 PM.

  5. #5
    Join Date
    Mar 2014
    Location
    Canada
    Posts
    48

    Re: Does firewalld even work? I can't tell

    Have you tried specifying the protocol in the Rich rule? Remember to reload or restart firewalld.

    protocol=tcp

  6. #6
    Join Date
    May 2010
    Posts
    24

    Re: Does firewalld even work? I can't tell

    Well, I was adding them to the runtime instead of the permanent so when I restart they are lost. I was just doing it to test a scenario where something was preventing access to that ip address. Do Rich Rules only work after restarting the firewall? If that is the case, I suppose I could make them permanent and then remove them after the test. That would be a little odd if that is the case though. I tried specifying the protocol when I did the rule blocking port 80 but I was actually trying to block everything (simulating the remote IP being offline).

  7. #7
    Join Date
    Mar 2014
    Location
    Canada
    Posts
    48

    Re: Does firewalld even work? I can't tell

    I tested blocking a LAN IP with a rich rule on the running firewalld config and it works as expected. At this point I would suggest making sure the home zone is activated, and running a packet trace to see that the source IP matches. You can also look at the iptables rules.

    iptables -S | tee ~/firewalld_iptables_rules
    ip6tables -S | tee ~/firewalld_ip6tables_rules
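A way to follow up on the last suggestion, as an added example that is not from any poster in this thread: dump the kernel ruleset that firewalld generated and check which chains actually carry a REJECT/DROP for the address in question. The `iptables -S` output below is constructed to resemble what firewalld's iptables backend produces for a zone named "home" with the rich rule from post #3; it is not captured from the poster's laptop. The helper names (`block_rules_for_ip`, `chains_blocking_ip`) are my own. The point to verify is the chain name: a zone rich rule is attached to the zone's incoming chain (`IN_home_*`), so a test that expects the laptop's own outbound connections to fail needs a rule on the OUTPUT path as well, and this check makes that visible.

```shell
#!/bin/sh
# Added example: confirm that a firewalld rich rule for an IP reached the
# kernel ruleset, and see which direction it covers.
#
# On a real host you would feed live output into the helpers, e.g.:
#   firewall-cmd --get-active-zones
#   firewall-cmd --list-rich-rules --zone=home
#   iptables -S | block_rules_for_ip 50.97.40.233
#   iptables -S | chains_blocking_ip 50.97.40.233

# Print every rule line on stdin that matches the address as source or
# destination and jumps to REJECT or DROP. Returns 1 if nothing matched.
block_rules_for_ip() {
    ip="$1"
    # Escape the dots so they match literally; firewalld prints /32 suffixes.
    esc=$(printf '%s' "$ip" | sed 's/\./\\./g')
    grep -E -- "(-s|-d) ${esc}(/32)? " | grep -E -- '-j (REJECT|DROP)' || return 1
}

# Print the unique chain names holding a blocking rule for the address.
# Chain names starting with IN_ belong to the zone's incoming path;
# no OUTPUT entry means the laptop's own outbound traffic is not affected.
chains_blocking_ip() {
    block_rules_for_ip "$1" | awk '$1 == "-A" { print $2 }' | sort -u
}

# CONSTRUCTED sample, shaped like `iptables -S` from firewalld's iptables
# backend with zone "home" on wlp4s0 and the rich rules from post #3.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N INPUT_ZONES
-N IN_home
-N IN_home_deny
-N IN_home_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i wlp4s0 -j IN_home
-A IN_home -j IN_home_deny
-A IN_home_deny -s 50.97.40.233/32 -j REJECT --reject-with icmp-port-unreachable
-A IN_home -j IN_home_allow
-A IN_home_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | block_rules_for_ip 50.97.40.233
printf '%s\n' "$SAMPLE_RULES" | chains_blocking_ip 50.97.40.233
```

If `chains_blocking_ip` prints nothing for the address, the rich rule never made it into the kernel (wrong zone, interface not in that zone, or the runtime change was lost on restart). If it prints only `IN_home_deny`, the rule is present but filters inbound packets from that host, which is not the same as blocking the laptop from reaching it.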
