On 12/07/16 18:20, Jeff White wrote:
> On CentOS 7 with firewalld I have a box with numerous
> interfaces acting as a NAT gateway. This works but I
> noticed that it routes/forwards traffic not just from my
> internal zone to external zone but also between interfaces
> within the internal zone. How can I prevent that traffic?
>
> I've tried adding direct and rich rules to deny the
> traffic but it doesn't work. Direct:
>
> firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -s 10.110.4.0/22 -d 10.110.0.0/22 -j REJECT
>
> That command works, and I see it in `iptables -L` but
> traffic is still allowed. Rich:
>
> # firewall-cmd --zone=trusted --add-rich-rule='rule family=ipv4 source address=10.110.4.0/22 destination address=10.110.0.0/22 reject'
> Error: INVALID_RULE: destination action
>
> I can't find any explanation of what that error means.
> So, how do you tell firewalld to stop forwarding traffic
> between interfaces?
>
> # firewall-cmd --get-active-zones
> public
>   interfaces: ens161 ens193
> trusted
>   interfaces: ens192 ens224 ens256 lo
>
> # firewall-cmd --list-all
> public (default, active)
>   interfaces: ens161 ens193
>   sources:
>   services: dhcpv6-client ssh
>   ports:
>   masquerade: yes
>   forward-ports:
>   icmp-blocks:
>   rich rules:

Yes, to me too it sort of defies basic logic - one would expect to be able with a "rich rule" to block/ban a host (actually there are quite a few articles on the net stating it should be doing that):

public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.2.0/24" reject

Yet hosts from 192.168.2.0/24 (which is firewalld's zone "work") are able to masquerade and access all (in this case the whole Internet) behind the em3 interface. It smells like a bug to me.
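The direct rule quoted above was placed in the filter INPUT chain, and INPUT only sees packets addressed to the gateway itself; traffic the box routes from one interface to another traverses FORWARD instead. The small model below (an added example, not code from this thread or from firewalld) replays that netfilter chain selection against constructed traffic so the effect is visible: the same `-s/-d` selectors match nothing in INPUT for routed packets, match in FORWARD, and an interface-based FORWARD rule (`-i ens224 -o ens192`) catches the inter-interface case without depending on addresses. The interface names and prefixes are borrowed from the thread, but which prefix sits on which interface is an assumption; the zone fall-through is simplified to "trusted accepts, everything else rejects".

```python
"""Toy model of netfilter chain traversal on a Linux NAT gateway.

Added example, not from the thread. Shows why a filter INPUT rule never
matches traffic the gateway forwards between two of its interfaces.
"""
import ipaddress

# Constructed layout: zone per interface is from the thread, the
# prefix-to-interface mapping and the addresses are assumptions.
INTERFACES = {
    "ens161": {"zone": "public",  "net": "203.0.113.0/24", "addr": "203.0.113.10"},
    "ens192": {"zone": "trusted", "net": "10.110.0.0/22",  "addr": "10.110.0.1"},
    "ens224": {"zone": "trusted", "net": "10.110.4.0/22",  "addr": "10.110.4.1"},
}
LOCAL_ADDRS = {ipaddress.ip_address(i["addr"]) for i in INTERFACES.values()}


def iface_for(addr):
    """Egress interface for addr: the interface whose connected network
    contains it, or None when it would leave via the default route."""
    ip = ipaddress.ip_address(addr)
    for name, i in INTERFACES.items():
        if ip in ipaddress.ip_network(i["net"]):
            return name
    return None


def chain_for(pkt):
    """A packet addressed to one of the host's own addresses traverses
    INPUT; anything the host routes onward traverses FORWARD."""
    return "INPUT" if ipaddress.ip_address(pkt["dst"]) in LOCAL_ADDRS else "FORWARD"


def rule_matches(rule, pkt):
    """Evaluate the iptables selectors used in the thread (-s, -d, -i, -o).
    A rule only applies to packets traversing the chain it was added to."""
    if rule["chain"] != chain_for(pkt):
        return False
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(rule["src"]):
        return False
    if "dst" in rule and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(rule["dst"]):
        return False
    if "in_if" in rule and rule["in_if"] != pkt["in_if"]:
        return False
    if "out_if" in rule and rule["out_if"] != iface_for(pkt["dst"]):
        return False
    return True


def verdict(rules, pkt):
    """First matching direct rule decides. Otherwise fall through to a
    simplified zone policy: the trusted zone accepts everything that
    enters on one of its interfaces (including routed traffic)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["target"]
    return "ACCEPT" if INTERFACES[pkt["in_if"]]["zone"] == "trusted" else "REJECT"


# The direct rule as posted in the thread: right selectors, wrong chain.
INPUT_RULE = [{"chain": "INPUT", "src": "10.110.4.0/22", "dst": "10.110.0.0/22", "target": "REJECT"}]
# Same selectors in the chain that routed traffic actually traverses.
FORWARD_RULE = [{"chain": "FORWARD", "src": "10.110.4.0/22", "dst": "10.110.0.0/22", "target": "REJECT"}]
# Interface-based variant: rejects everything routed ens224 -> ens192.
IFACE_RULE = [{"chain": "FORWARD", "in_if": "ens224", "out_if": "ens192", "target": "REJECT"}]

# Constructed traffic: routed between the two trusted interfaces,
# addressed to the gateway's own ens192 address, and bound for the
# Internet via the masquerading public interface.
SAMPLE = {
    "inter_trusted": {"src": "10.110.4.50", "dst": "10.110.1.20",  "in_if": "ens224"},
    "to_gateway":    {"src": "10.110.4.50", "dst": "10.110.0.1",   "in_if": "ens224"},
    "to_internet":   {"src": "10.110.4.50", "dst": "198.51.100.7", "in_if": "ens224"},
}


def evaluate(rules):
    """Verdict per sample packet for one ruleset."""
    return {name: verdict(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("INPUT rule", INPUT_RULE), ("FORWARD rule", FORWARD_RULE), ("interface rule", IFACE_RULE)):
        print(label, evaluate(rules))
```

Two things the model makes visible. First, the posted INPUT rule leaves the inter-interface traffic untouched but does reject packets from 10.110.4.0/22 to the gateway's own 10.110.0.1, because that address lies inside 10.110.0.0/22; a rule in the wrong chain is not merely ineffective, it has a side effect worth checking with `iptables -L INPUT -v` counters. Second, with firewalld the corresponding direct rule would go into the FORWARD chain, e.g. `firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i ens224 -o ens192 -j REJECT` (my wording, not the thread's), and should be verified with a test connection plus the rule's packet counter rather than by its presence in `iptables -L` alone.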