Firewalld drop/block large ip address range
CentOS 7
When I execute this drop rule with firewalld:

Code:
firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.0.0.0/8" drop'

it isn't reported in iptables -nvL. But if I block a smaller address range:

Code:
firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.31.0.0/16" drop'

this will be listed in iptables -nvL:

Code:
Chain IN_external_deny (1 references)
Snagged again by my own lack of RTFM.

The behavior is explained in the man page:

Code:
Permanent Options

and now iptables -nvL reports all xxx.0.0.0/8 drops and blocks.
You can just do a --reload if you don't want to lose connections. --complete-reload will dump the states.
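The thread's lesson is that a rule added with --permanent lives only in the saved configuration until a --reload (or --complete-reload) copies it into the running firewall, which is why it was missing from iptables -nvL. The following script is an added example, not from the thread or from the firewalld project: it compares the permanent and runtime rich-rule lists of a zone and prints the rules that are still waiting for a reload. The two rule lists are constructed sample data standing in for the output of `firewall-cmd --zone=external --permanent --list-rich-rules` and `firewall-cmd --zone=external --list-rich-rules`; the zone name "external" is taken from the thread, and the function names are my own.

```shell
#!/bin/sh
# Added example: find firewalld rich rules that exist in the permanent
# configuration but are not active at runtime (i.e. added with --permanent
# and not yet applied with `firewall-cmd --reload`).

# Constructed sample data (not real command output): the permanent config
# holds both drop rules from the thread, but only the /16 is live.
PERMANENT_RULES='rule family="ipv4" source address="116.0.0.0/8" drop
rule family="ipv4" source address="116.31.0.0/16" drop'

RUNTIME_RULES='rule family="ipv4" source address="116.31.0.0/16" drop'

# pending_rules PERMANENT RUNTIME
# Prints every line of PERMANENT that does not appear verbatim in RUNTIME.
pending_rules() {
    permanent="$1"
    runtime="$2"
    printf '%s\n' "$permanent" | while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        # -F: fixed string, -x: whole line must match, -q: no output
        if ! printf '%s\n' "$runtime" | grep -Fxq -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done
}

# count_pending PERMANENT RUNTIME
# Number of rules still waiting for a reload (0 when runtime is in sync).
count_pending() {
    pending_rules "$1" "$2" | grep -c . || true
}

# Report on the sample data.
echo "Rules present in the permanent config but not active:"
pending_rules "$PERMANENT_RULES" "$RUNTIME_RULES"
echo "Pending count: $(count_pending "$PERMANENT_RULES" "$RUNTIME_RULES")"

# On a real CentOS 7 host, feed the live lists instead (zone as in the thread):
#   ZONE=external
#   pending_rules "$(firewall-cmd --zone=$ZONE --permanent --list-rich-rules)" \
#                 "$(firewall-cmd --zone=$ZONE --list-rich-rules)"
# A non-empty result means `firewall-cmd --reload` has not been run yet.
```

Running the check after every --permanent change (or from a config-audit job) catches the situation in the thread before it matters: a block that looks committed in the saved configuration but is not actually enforced on the wire.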