LinuxQuestions.org
CentOS forum: Firewalld drop/block large ip address range (https://www.linuxquestions.org/questions/centos-111/firewalld-drop-block-large-ip-address-range-4175598392/)

Sum1 01-27-2017 02:24 PM

Firewalld drop/block large ip address range
 
CentOS 7

When I execute this drop rule with firewalld:

Code:

firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.0.0.0/8" drop'

It isn't reported in iptables -nvL.

But if I block a smaller address range:

Code:

firewall-cmd --zone=external --permanent --add-rich-rule='rule family="ipv4" source address="116.31.0.0/16" drop'

This will be listed in iptables -nvL:

Code:

Chain IN_external_deny (1 references)
 pkts bytes target    prot opt in    out    source              destination       
 2605  156K DROP      all  --  *      *      116.31.0.0/16        0.0.0.0/0

Is there a firewalld/iptables range limit to public internet address blocking?

Sum1 01-27-2017 02:35 PM

Snagged again by my own lack of RTFM ----

The behavior is explained in the man page:

Code:

Permanent Options
      --permanent
      . . . These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent
          option, a change will only be part of the runtime configuration.

Code:

firewall-cmd --complete-reload

Now iptables -nvL reports all xxx.0.0.0/8 drops and blocks.

szboardstretcher 01-27-2017 02:38 PM

You can just do a --reload if you don't want to lose connections. --complete-reload will dump the states.
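The pattern the two replies above arrive at (a --permanent rule is only written to /etc/firewalld/zones/<zone>.xml and does nothing in the running ruleset until a reload) is easy to get wrong in a script. The following is an added example, not code from the thread or from the firewalld project: it adds the same rich rule to the runtime configuration (effective immediately, what iptables -nvL shows) and to the permanent configuration (what survives --reload and reboot), and then queries both views so the discrepancy from the original post is visible. The zone name external, the 116.0.0.0/8 range and the --apply flag are assumptions carried over from the thread; the drop_rule helper is a local sanity check on the CIDR, not a firewalld feature.

```shell
#!/usr/bin/env bash
# Added example: make a firewalld drop rule take effect now AND persist,
# instead of relying on --permanent alone (which needs a reload first).
set -euo pipefail

ZONE="${ZONE:-external}"   # assumption: the zone used in the thread

# Build the rich-rule string for dropping an IPv4 CIDR. Pure shell, so it can
# be exercised (and tested) on a box without firewalld installed.
drop_rule() {
    local cidr="$1"
    local ip="${cidr%%/*}" pfx="${cidr#*/}"
    # exactly one "/", only digits and dots otherwise
    case "$cidr" in */*/*|*[!0-9./]*) return 1 ;; esac
    [ "$ip" != "$cidr" ] || return 1            # no "/" at all
    local IFS=.
    set -- $ip                                  # split into octets
    [ $# -eq 4 ] || return 1
    local o
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    [ -n "$pfx" ] && [ "$pfx" -le 32 ] || return 1
    printf 'rule family="ipv4" source address="%s" drop' "$cidr"
}

# Apply the rule twice: once to the runtime config (active immediately) and
# once with --permanent (written to disk, picked up on reload/reboot).
# Alternative for the second step: firewall-cmd --runtime-to-permanent.
block_range() {
    local rule
    rule="$(drop_rule "$1")"
    firewall-cmd --zone="$ZONE" --add-rich-rule="$rule"               # runtime
    firewall-cmd --zone="$ZONE" --permanent --add-rich-rule="$rule"   # on-disk
}

# Show both views. After a --permanent-only add, "runtime" prints "no" while
# "permanent" prints "yes": exactly the situation in the original post.
check_range() {
    local rule
    rule="$(drop_rule "$1")"
    echo "runtime:   $(firewall-cmd --zone="$ZONE" --query-rich-rule="$rule" || true)"
    echo "permanent: $(firewall-cmd --zone="$ZONE" --permanent --query-rich-rule="$rule" || true)"
}

# Activate permanent-only changes without dropping conntrack state;
# --complete-reload would also flush established connections.
reload_permanent() {
    firewall-cmd --reload
}

if [ "${1:-}" = "--apply" ] && command -v firewall-cmd >/dev/null 2>&1; then
    block_range "116.0.0.0/8"
    check_range "116.0.0.0/8"
fi
```

Run it as root with --apply on a host where firewalld is active; without --apply it only defines the functions. If a rule has already been added with --permanent alone, reload_permanent (plain --reload) is the gentler way to activate it.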

