Firewalld OutBound rules


Hi,

Can anyone help? I'm trying to limit the communication a host has with its local subnet as it sits in the DMZ. Rich rules and services inbound work. I'm aware direct rules have to be used for outbound rules, but they generally seem to be service based or drop all. Can I specify "drop all to local subnet" with the exception of the default gateway?

Responses

With direct rules, you can do everything you could do with the old iptables.

Something like this should do what you want (assuming that outgoing interface is eth0, network is 10.0.2.0/24 and gateway is at 10.0.2.2):

# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o eth0 -d 10.0.2.2 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o eth0 -d 10.0.2.0/24 -j DROP

The first rule will allow packets explicitly addressed to the gateway (e.g. pinging the gateway for diagnostics); the second one will drop everything addressed to anything else on the local segment. Outgoing packets with a destination outside the local network segment will have a destination address saying so, and thus they will pass both these rules without matching.

Test first to make sure the rules do what you want, then add --permanent to the commands to store the rules persistently. If something goes wrong, firewall-cmd --direct --remove-rules ipv4 filter OUTPUT will remove the direct rules without rebooting and without touching any other firewall settings.

On IPv4, ARP is not restricted by iptables, so you get that "for free". On IPv6, you may have to explicitly allow multicast addresses that are required for protocol functionality: the equivalent of ARP in IPv6 is ICMPv6 Neighbor Solicitation, which is handled as IPv6 multicast.

That's great, thanks. I will test your solution.

That seems to work. One other question is how do I log just for these rules? Is it similar to rich rules, where I can add something like log level=notice prefix="FIREWALL DROP " limit value="50/m" reject?

The --direct rules are essentially straight iptables rules, so you'll need two rules with the same matching criteria, first with target LOG and then the second with DROP or REJECT. Here's the previous example with a logging rule added:

# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o eth0 -d 10.0.2.2 -j ACCEPT
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o eth0 -d 10.0.2.0/24 -m limit --limit 50/m -j LOG --log-level notice --log-prefix="FIREWALL DROP: "
# firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -o eth0 -d 10.0.2.0/24 -j DROP
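As an added illustration of the two answers above (it is not code from the thread or from the firewalld project), the script below reproduces the three direct rules with the answer's assumed values (interface eth0, subnet 10.0.2.0/24, gateway 10.0.2.2) and emulates the first-match walk iptables performs over them, so you can see what each destination gets before applying anything. It assumes bash and that firewalld's OUTPUT chain ends in its default ACCEPT policy; it only prints the firewall-cmd lines rather than running them.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Values below are the answer's assumed
# interface, subnet and gateway; change them to match the real host.

IFACE="eth0"
SUBNET="10.0.2.0/24"
GATEWAY="10.0.2.2"

# Dotted-quad IPv4 address -> 32-bit integer.
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds (exit 0) when address $1 lies inside CIDR prefix $2.
in_subnet() {
  local ip=$1 cidr=$2 net plen mask
  net=${cidr%/*}
  plen=${cidr#*/}
  mask=$(( plen == 0 ? 0 : (4294967295 << (32 - plen)) & 4294967295 ))
  [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Walk the OUTPUT direct rules in priority order for one destination.
# Priority 0: -d GATEWAY -j ACCEPT      (terminates)
# Priority 1: -d SUBNET  -j LOG         (non-terminating: logs, then continues)
# Priority 2: -d SUBNET  -j DROP        (terminates)
# Anything else matches no direct rule and falls through to the rest of
# firewalld's OUTPUT chain, which is ACCEPT by default (assumption).
classify_dest() {
  local dst=$1
  if [ "$dst" = "$GATEWAY" ]; then
    echo "ACCEPT"
  elif in_subnet "$dst" "$SUBNET"; then
    echo "LOG+DROP"          # LOG fires first, DROP ends evaluation
  else
    echo "POLICY-ACCEPT"
  fi
}

# Print the firewall-cmd invocations. Pass "--permanent" as $1 once tested.
emit_rules() {
  local perm=${1:+$1 }
  printf 'firewall-cmd %s--direct --add-rule ipv4 filter OUTPUT 0 -o %s -d %s -j ACCEPT\n' "$perm" "$IFACE" "$GATEWAY"
  printf 'firewall-cmd %s--direct --add-rule ipv4 filter OUTPUT 1 -o %s -d %s -m limit --limit 50/m -j LOG --log-level notice --log-prefix "FIREWALL DROP: "\n' "$perm" "$IFACE" "$SUBNET"
  printf 'firewall-cmd %s--direct --add-rule ipv4 filter OUTPUT 2 -o %s -d %s -j DROP\n' "$perm" "$IFACE" "$SUBNET"
}

# Dry run: show the verdict for a few constructed destinations, then the commands.
for d in 10.0.2.2 10.0.2.57 10.0.3.9 192.168.1.1; do
  printf '%-12s -> %s\n' "$d" "$(classify_dest "$d")"
done
emit_rules
```

The LOG rule must carry exactly the same match criteria as the DROP rule and sit at a lower priority number, because LOG does not stop rule evaluation; putting DROP first would mean nothing ever reaches the logger. Pipe the output of emit_rules into a shell only after the verdicts look right, and keep the --remove-rules command from the earlier answer at hand while testing.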

Just checked again, and it actually doesn't work. I can still get to hosts in the same subnet.

Perhaps you haven't disabled IPv6, and have avahi-daemon or equivalent running on the hosts? Then the systems might be using IPv6 with autoconfigured link-local addresses and Avahi/Bonjour/Zeroconf/MDNS-based same-subnet name service.

If IPv6 has not been disabled, a RHEL 7 default installation is perfectly capable of using it and in fact prefers it over IPv4.
