Not able to block a website using firewall-cmd rich-rules


$ firewall-cmd --zone=public --list-all
public (default, active)
interfaces: eth0 tun0
sources:
services: dhcpv6-client openvpn ssh
ports: 1194/tcp 1194/udp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="63.236.0.247" drop
rule family="ipv4" source address="63.236.0.239" drop
rule family="ipv4" source address="63.236.0.233" drop
rule family="ipv4" source address="63.236.2.233" drop
rule family="ipv4" source address="63.236.0.249" drop
rule family="ipv4" source address="63.236.0.248" drop

$ wget 89.com
--2015-07-23 10:33:21-- http://89.com/
Resolving 89.com (89.com)... 63.236.2.233
Connecting to 89.com (89.com)|63.236.2.233|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.89.com/ [following]
--2015-07-23 10:33:23-- http://www.89.com/
Resolving www.89.com (www.89.com)... 63.236.0.239, 63.236.0.247, 63.236.0.248, ...
Connecting to www.89.com (www.89.com)|63.236.0.239|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html'

[ <=> ] 56,282 77.5KB/s in 0.7s

2015-07-23 10:33:25 (77.5 KB/s) - 'index.html' saved [56282]

I hope to be able to block this website but wget succeeds.

Responses

By default, 'firewall-cmd' allows all outbound traffic (which is apparently what you are trying to block?) - there is an implicit "ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED" rule in the underlying 'iptables' rule set.

Your initial command to remove one of the "rich rules" is probably failing (despite the 'success' message) because there doesn't appear to be a rule that matches 'rule family="ipv4" source address="63.236.2.233" reject' (the existing rule is "drop", not "reject").

Hi James,

I cleaned up the unrelated portion from the question.

I am using RHEL 7 and thought of accepting the new firewalld way of filtering.

With default accept in iptables, is it possible to create a rich-rule to block a few sites?
Or is it a known limitation of firewall-cmd? Is firewall-cmd direct the only way?
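Added example, not posted by anyone in this thread: a small POSIX shell helper that turns the zone's rich "drop" rules (which firewalld on RHEL 7 applies to inbound packets from those sources) into equivalent egress blocks using firewall-cmd --direct on the OUTPUT chain, and that queries a rich rule before removing it so the silent-success case James describes becomes visible. It assumes the firewall-cmd --direct and --query-rich-rule options as documented in firewall-cmd(1); the SAMPLE_LIST_ALL text and the DRY_RUN wrapper are constructed for this example so it can be exercised without root.

```shell
#!/bin/sh
# Added example for the thread above (not from the original post or from
# firewalld itself). Assumes RHEL 7-era firewalld, where rich rules with a
# source address filter INBOUND traffic and outbound blocking needs --direct.

# Constructed sample of `firewall-cmd --zone=public --list-all` output
# (addresses taken from the question; the text is not real command output).
SAMPLE_LIST_ALL='public (default, active)
  interfaces: eth0 tun0
  rich rules:
	rule family="ipv4" source address="63.236.0.247" drop
	rule family="ipv4" source address="63.236.2.233" drop'

# fw: wrapper around firewall-cmd. With DRY_RUN=1 it prints the command
# instead of running it, so the logic can be checked without root.
fw() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# is_ipv4: crude syntax check so a typo or stray argument cannot become a
# malformed direct rule (four dotted decimal fields, nothing else).
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|*.*.*.*.*) return 1 ;;
        *.*.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# extract_drop_sources: print the source address of every ipv4 rich rule
# whose action is "drop", one per line, from --list-all text.
extract_drop_sources() {
    printf '%s\n' "$1" |
        sed -n 's/.*rule family="ipv4" source address="\([^"]*\)" drop.*/\1/p'
}

# block_egress_to: drop outbound packets to one address. The runtime rule is
# added first, then the --permanent copy so the block survives a reload.
block_egress_to() {
    addr=$1
    is_ipv4 "$addr" || { echo "not an IPv4 address: $addr" >&2; return 1; }
    fw --direct --add-rule ipv4 filter OUTPUT 0 -d "$addr" -j DROP
    fw --permanent --direct --add-rule ipv4 filter OUTPUT 0 -d "$addr" -j DROP
}

# verify_egress_block: exit 0 only if the runtime direct rule is present.
verify_egress_block() {
    fw --direct --query-rule ipv4 filter OUTPUT 0 -d "$1" -j DROP
}

# block_egress_from_rich_rules: mirror every inbound "drop" source in the
# given --list-all text as an outbound block.
block_egress_from_rich_rules() {
    for a in $(extract_drop_sources "$1"); do
        block_egress_to "$a" || return 1
    done
}

# remove_rich_rule_checked: --remove-rich-rule reports "success" even when
# the rule text does not match an existing rule (e.g. "reject" vs "drop").
# Query first so a mismatch fails loudly instead of silently doing nothing.
remove_rich_rule_checked() {
    zone=$1
    rule=$2
    if ! fw --zone="$zone" --query-rich-rule "$rule" >/dev/null; then
        echo "no such rich rule in zone $zone: $rule" >&2
        return 1
    fi
    fw --zone="$zone" --remove-rich-rule "$rule"
}
```

Run as root after sourcing the file, for example `block_egress_from_rich_rules "$(firewall-cmd --zone=public --list-all)"` and then `verify_egress_block 63.236.2.233`; set `DRY_RUN=1` to see the firewall-cmd invocations without applying them. The wget output in the question shows the site answering from several addresses, so an address list like this only holds until the site's DNS changes and has to be re-derived; a direct OUTPUT rule also only affects traffic originating on this host, not traffic forwarded through it.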
