[CentOS] How to block routing/forwarding with firewalld

On 12/07/16 18:20, Jeff White wrote:
> On CentOS 7 with firewalld I have a box with numerous 
> interfaces acting as a NAT gateway.  This works but I 
> noticed that it routes/forwards traffic not just from my 
> internal zone to external zone but also between interfaces 
> within the internal zone.  How can I prevent that traffic?
>
> I've tried adding direct and rich rules to deny the 
> traffic but it doesn't work.  Direct:
>
> firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 
> 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT
>
> That command works, and I see it in `iptables -L` but 
> traffic is still allowed.  Rich:
>
> # firewall-cmd --zone=trusted --add-rich-rule='rule 
> family=ipv4 source address=10.110.4.0/22 destination 
> address=10.110.0.0/22 reject'
> Error: INVALID_RULE: destination action
>
> I can't find any explanation of what that error means.  
> So, how do you tell firewalld to stop forwarding traffic 
> between interfaces?
>
>
>
> # firewall-cmd --get-active-zones
> public
>   interfaces: ens161 ens193
> trusted
>   interfaces: ens192 ens224 ens256 lo
>
> # firewall-cmd --list-all
> public (default, active)
>   interfaces: ens161 ens193
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:
>
yes, to me too it sort of defines basic logic - one would 
expect to be able with a "rich rule" to block/ban a host 
(actually there are quite few articles on the net stating it 
should be doing that)

public (active)
   interfaces: em3
   sources:
   services: dhcpv6-client ssh
   ports:
   masquerade: yes
   forward-ports:
   icmp-blocks:
   rich rules:
         rule family="ipv4" source address="192.168.2.0/24" 
reject

yet host from 192.168.2.0/24 (which is firewalld's zone 
work) are able to masquerade and access all (in this case 
whole Internet) behind em3 interface.
It smells like a bug to me.