Drop/Terminate Data To/from Source Using Firewalld Rich Rules

I need to be able to temporarily cut off the source of network slowdowns.

What I used to do:
Router with 2 x NICs running Slackware 14. Execute iptraf-ng, choose IP Network Monitor and sort by Byte Count. The sorted screen always seemed a bit confusing, but I could usually pluck a couple of IP addresses with racing byte counts and cut all traffic to them using an iptables rule. Then, if I wanted to identify the computer or device, I'd go into the dhcpd.leases file and look for the IP address and the corresponding device hostname. It was a bit of a pain, but it worked.

Now:
Router with 2 x NICs running CentOS 7. Using systemd and firewalld with 2 zones: external (internet-facing) and internal (LAN-facing). Now when I try the same thing using firewall-cmd rich rules, it won't work.

Example:

[root@hello ~]# firewall-cmd --zone=external --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
rule family="ipv4" source address="40.97.126.210/32" drop

and

[root@hello ~]# firewall-cmd --zone=internal --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop

It didn’t work. The traffic continued to burst away for another hour before stopping. The address (40.97.126.210) belongs to Microsoft so I’m not concerned about publishing it.

What am I doing wrong with firewalld rich rules and how do I properly drop/terminate traffic to/from a specific source on the LAN?

Current command:
ADD rich rule to drop any traffic in zone "internal" from source IP address 10.10.1.125:

# /32 = this one host; "10.10.1.125/24" would be the network 10.10.1.0/24, i.e. the whole LAN
firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address=10.10.1.125/32 drop'
firewall-cmd --reload

REMOVE the same rich rule above (the rule text must match the added one exactly):

firewall-cmd --permanent --zone=internal --remove-rich-rule='rule family=ipv4 source address=10.10.1.125/32 drop'
firewall-cmd --reload

Thank you for reading.
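
As an added example (not from the original post or its comment), here is a small POSIX shell script that does what the post describes: drop traffic from one LAN host with a firewalld rich rule, lift the block again, and look up which device that IP belongs to from dhcpd.leases. It builds the rule with a /32 suffix, because a rich rule with "10.10.1.125/24" matches the network 10.10.1.0/24 and would drop every device on the LAN rather than one. It assumes the LAN zone is named "internal" as in the post, that firewall-cmd is on the PATH (set FIREWALL_CMD=echo for a dry run), and that the ISC dhcpd lease file is at /var/lib/dhcpd/dhcpd.leases; the lease data embedded in the script is a constructed sample, not real output.

```shell
#!/bin/sh
# Added example, not from the original post: block a single LAN host with a
# firewalld rich rule and identify the host from dhcpd.leases.
# Assumptions: zone "internal" is the LAN-facing zone (as in the post),
# firewall-cmd is in PATH (override FIREWALL_CMD=echo for a dry run), and the
# lease file lives at /var/lib/dhcpd/dhcpd.leases (the usual ISC dhcpd path).

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-internal}"
LEASE_FILE="${LEASE_FILE:-/var/lib/dhcpd/dhcpd.leases}"

# Accept only a bare dotted-quad IPv4 address: no CIDR suffix, each octet <= 255.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Rich rule for exactly one host. The /32 matters: "10.10.1.125/24" is the
# network 10.10.1.0/24, so it would drop every device on the LAN, not one.
host_drop_rule() {
    is_ipv4 "$1" || { echo "not a host address: $1" >&2; return 1; }
    printf 'rule family=ipv4 source address=%s/32 drop\n' "$1"
}

# Runtime-only change (no --permanent, no --reload): it takes effect at once
# and is gone after the next reload or reboot, which is what a temporary
# cut-off wants. Add --permanent and --reload, as the post does, to keep it.
block_host() {
    rule=$(host_drop_rule "$1") || return 1
    "$FIREWALL_CMD" --zone="$ZONE" --add-rich-rule="$rule"
}

# Removal must use the identical rule text, so it is built by the same function.
unblock_host() {
    rule=$(host_drop_rule "$1") || return 1
    "$FIREWALL_CMD" --zone="$ZONE" --remove-rich-rule="$rule"
}

# Hostname the client announced for an IP, read from dhcpd.leases on stdin.
# The file is append-only, so the last lease block for the IP is the current one.
lease_hostname() {
    awk -v ip="$1" '
        $1 == "lease" && $2 == ip { in_block = 1; name = ""; next }
        in_block && $1 == "client-hostname" { gsub(/[";]/, "", $2); name = $2 }
        in_block && $1 == "}" { in_block = 0; last = name }
        END { print last }'
}

# Constructed sample in dhcpd.leases format (not a real lease file), used to
# show that the most recent lease block for 10.10.1.125 wins.
SAMPLE_LEASES='lease 10.10.1.125 {
  starts 3 2015/09/16 10:00:00;
  client-hostname "old-name";
}
lease 10.10.1.73 {
  client-hostname "nas-box";
}
lease 10.10.1.125 {
  starts 3 2015/09/16 12:00:00;
  client-hostname "kids-laptop";
}'

# Usage:  ./lanblock.sh block 10.10.1.125
#         ./lanblock.sh unblock 10.10.1.125
#         ./lanblock.sh who 10.10.1.125      (reads $LEASE_FILE)
#         ./lanblock.sh list                 (current rich rules in $ZONE)
#         ./lanblock.sh demo                 (lookup against the sample above)
case "${1:-}" in
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    who)     lease_hostname "$2" < "$LEASE_FILE" ;;
    list)    "$FIREWALL_CMD" --zone="$ZONE" --list-rich-rules ;;
    demo)    printf '%s\n' "$SAMPLE_LEASES" | lease_hostname 10.10.1.125 ;;
esac
```

The block and unblock actions change only the runtime configuration, so the cut-off lasts until the next firewall-cmd --reload or a reboot; add --permanent plus --reload, as in the post's commands, if it should survive. One caveat for a box that routes between two zones: whether a zone rich rule also filters traffic forwarded through the router depends on the firewalld version, and on firewalld 1.0 and later forwarded traffic is governed by policies rather than by zone rich rules, so check `firewall-cmd --version` before relying on a zone rule to stop a LAN host's Internet traffic.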

One thought on - Drop/Terminate Data To/from Source Using Firewalld Rich Rules

  • A bit embarrassing, I answered my own question almost a year ago on another forum. Apologies for the extra mail.