Block all traffic in firewalld

Issues related to configuring your network
Post Reply
CNoob
Posts: 28
Joined: 2018/03/17 15:43:08

Block all traffic in firewalld

Post by CNoob » 2018/03/30 06:47:54

i use firewall-cmd, my default zone is block. But all Applications (like Firefox) have access to the internet. Firewalld is active. Why?
There i no rule in firewalld-cmd to allow this.

i want to block all traffic (in and out) for a specific interface like enp0s3 and allow outgoing only for tun0. how can i do this?

aks
Posts: 2529
Joined: 2014/09/20 11:22:14

Re: Block all traffic in firewalld

Post by aks » 2018/03/30 11:31:34

firewall-cmd --panic-on

CNoob
Posts: 28
Joined: 2018/03/17 15:43:08

Re: Block all traffic in firewalld

Post by CNoob » 2018/03/30 11:55:06

that blocks all traffic. i want to block all traffic only for a specific device like enp0s3

i can not find a method to show or add block rules for outgoing traffic in firewall-cmd

aks
Posts: 2529
Joined: 2014/09/20 11:22:14

Re: Block all traffic in firewalld

Post by aks » 2018/04/01 11:16:30

I guess you could setup a rich rule to drop traffic at the layer 3 (i.e.: ip level), NOT layer 2 (i.e.: interface). Store that in a new zone and then switch zones when needed.

CNoob
Posts: 28
Joined: 2018/03/17 15:43:08

Re: Block all traffic in firewalld

Post by CNoob » 2018/04/02 07:02:50

thank you.

User avatar
jlehtone
Posts: 1959
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Block all traffic in firewalld

Post by jlehtone » 2018/04/03 10:03:43

If you don't want any traffic on an interface, then the trivial solution is to take that interface down. No interface => no traffic.

However, you do mention an another interface named "tun0". Those are usually created on software, like VPN, and their functionality does require a physical interface too. In other words, blocking the underlying physical interface is likely to affect the logical interfaces too.

hunter86_bg
Posts: 1222
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Block all traffic in firewalld

Post by hunter86_bg » 2018/04/10 04:17:57

Another option I have read about is to use SELinux to tag the traffic from specific SELinux domains and filter that with IPTABLES.

Post Reply