I need to be able to temporarily cut off the source of network slowdowns.
What I used to do: Router with 2 x NICs running Slackware 14. Execute iptraf-ng, choose IP Network Monitor and sort by Byte Count. The sorted screen always seemed a bit confusing, but I could usually pluck a couple of IP addresses with racing byte counts and cut all traffic to them using an iptables rule. Then if I wanted to identify the computer or device, I'd go into the dhcpd.leases file and look for the IP address and the corresponding device hostname. It was a bit of a pain, but it worked.
Now: Router with 2 x NICs running CentOS 7. Using systemd and firewalld with 2 zones: external (internet-facing) and internal (LAN-facing). Now when I try the same thing using firewall-cmd rich rules, it won't work.
Example:
[root@hello ~]# firewall-cmd --zone=external --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
rule family="ipv4" source address="40.97.126.210/32" drop
and
[root@hello ~]# firewall-cmd --zone=internal --list-rich-rules
rule family="ipv4" source address="10.10.1.73/24" drop
rule family="ipv4" source address="40.97.126.210" drop
rule family="ipv4" source address="10.10.1.73/32" drop
It didn’t work. The traffic continued to burst away for another hour before stopping. The address (40.97.126.210) belongs to Microsoft so I’m not concerned about publishing it.
What am I doing wrong with firewalld rich rules and how do I properly drop/terminate traffic to/from a specific source on the LAN?
Current command - ADD rich rule to drop any traffic in zone "internal" from source IP address 10.10.1.125:
# /32 so the rule matches only this host; a /24 here would match the whole 10.10.1.0/24 subnet
firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address=10.10.1.125/32 drop'
firewall-cmd --reload
REMOVE the same rich rule above:
firewall-cmd --permanent --zone=internal --remove-rich-rule='rule family=ipv4 source address=10.10.1.125/32 drop'
firewall-cmd --reload
Thank you for reading.
A bit embarrassing, I answered my own question almost a year ago on another forum. Apologies for the extra mail --
Solution: firewall-cmd --complete-reload
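The whole procedure from the post (drop one LAN host with a rich rule, apply it so that flows already in progress are cut too, and look the host up in dhcpd.leases) as one script. This is an added example, not code from the original post: the zone name "internal" comes from the post, while the lease-file path (the CentOS 7 default), the helper names, and the sample lease records are assumptions made here. It normalises the address to /32, because a rule written with /24 matches the whole 10.10.1.0/24 network rather than one host, and applies the permanent rule with --complete-reload, the fix the poster found, since a plain --reload keeps connection-tracking state and firewalld accepts RELATED,ESTABLISHED packets before the zone chains are consulted.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Blocks or unblocks a single
# LAN host with a firewalld rich rule and looks up the host's DHCP name in
# dhcpd.leases the way the post does by hand.
#
# Assumptions (not stated on the page): the LAN zone is named "internal", the
# lease file lives at the CentOS 7 default path, and firewall-cmd is on PATH.
set -u

ZONE="${ZONE:-internal}"
LEASES="${LEASES:-/var/lib/dhcpd/dhcpd.leases}"

# Strict dotted-quad check: four numeric octets, each 0-255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# Build the rich rule for ONE host. Any prefix length the caller supplied is
# replaced by /32: "10.10.1.125/24" matches the whole 10.10.1.0/24 network and
# would drop every LAN client, not just the noisy one.
rich_rule_for_host() {
    local ip="${1%%/*}"
    valid_ipv4 "$ip" || { echo "bad IPv4 address: $1" >&2; return 1; }
    printf 'rule family="ipv4" source address="%s/32" drop' "$ip"
}

# Print the client-hostname from the most recent lease block for an IP
# (dhcpd appends to the file, so the last block for an address is current).
# Usage: hostname_for_ip IP [LEASEFILE]
hostname_for_ip() {
    awk -v ip="$1" '
        $1 == "lease" && $2 == ip { inlease = 1; name = ""; next }
        inlease && $1 == "client-hostname" { name = $2; sub(/;$/, "", name); gsub(/"/, "", name) }
        inlease && $1 == "}" { inlease = 0; if (name != "") last = name }
        END { print last }' "${2:-$LEASES}"
}

# Add the rule to the permanent config and apply it with --complete-reload.
# A plain --reload keeps connection-tracking state, and firewalld accepts
# RELATED,ESTABLISHED packets before the zone rules are consulted, so flows
# that are already running keep going; --complete-reload drops that state.
block_host() {
    local rule
    rule="$(rich_rule_for_host "$1")" || return 1
    firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$rule" &&
    firewall-cmd --complete-reload
}

unblock_host() {
    local rule
    rule="$(rich_rule_for_host "$1")" || return 1
    firewall-cmd --permanent --zone="$ZONE" --remove-rich-rule="$rule" &&
    firewall-cmd --reload
}

# Constructed sample lease data (not real leases) so the lookup can be tried
# without touching the live file: one address re-leased to a renamed host.
SAMPLE_LEASES='lease 10.10.1.125 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "old-laptop";
}
lease 10.10.1.73 {
  binding state active;
  hardware ethernet 66:77:88:99:aa:bb;
  client-hostname "media-box";
}
lease 10.10.1.125 {
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "noisy-pc";
}'

# Command-line use: block IP | unblock IP | who IP [LEASEFILE] | demo
case "${1:-}" in
    block)   block_host "$2" ;;
    unblock) unblock_host "$2" ;;
    who)     hostname_for_ip "$2" "${3:-$LEASES}" ;;
    demo)    tmp="$(mktemp)"; printf '%s\n' "$SAMPLE_LEASES" > "$tmp"
             hostname_for_ip 10.10.1.125 "$tmp"; rm -f "$tmp" ;;
    *)       : ;;   # sourced or run without arguments: only define the functions
esac
```

Run it as `./lanblock.sh who 10.10.1.125` to name the host, then `./lanblock.sh block 10.10.1.125` to cut it off. If restarting the whole firewall is too disruptive, the lighter alternative (my suggestion, not from the post) is to add the rule with a plain --reload and then delete that host's conntrack entries with `conntrack -D --orig-src 10.10.1.125` from conntrack-tools; the drop rule then sees the next packet as a new flow.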