Block connection in firewall
Rick Stevens
ricks at alldigital.com
Fri Feb 12 20:30:27 UTC 2016
On 02/12/2016 12:10 PM, Rick Stevens wrote:
> On 02/12/2016 11:10 AM, Bob Goodwin wrote:
>>
>> I have been messing with a firewall file and added the following:
>>
>> config rule
>> option src lan
>> option src_ip 192.168.1.7
>> option dest wan
>> option target REJECT
>>
>> It works to prevent internet access from that ip. However I can still
>> ping 8.8.8.8 which leaves me wondering if that is adequate isolation. Can
>> that be improved on?
>>
>> I have never done anything with iptables and I am pushing my skill level
>> in this but it is encouraging to have something actually work ...
>
> Not sure which firewall you're using. Judging by your description of its
> behavior, the odds are that the (unless otherwise specified) default
> protocol the rules affect is TCP. If that's the case, yes, your rules
> would prevent TCP-based activity (telnet, ssh, web, etc.) from working,
> but would NOT prevent UDP-based traffic (normal DNS queries for
> instance) or ICMP-based traffic (such as ping, traceroute, etc.).
>
> There's a whole lot of protocols that come under the "IP" umbrella.
> Dump out the content of /etc/protocols if you want to see a (fairly
> complete, but not exhaustive) list of what's out there.
After more digging around, it appears you're using firewalld-
richlanguage stuff. In that case, by default it affects TCP and UDP, but
not ICMP. You could add another rule for ICMP:
config rule
option src lan
option src_ip 192.168.1.7
option dest wan
option proto icmp	# the option is "proto", not "protocol"; an unknown option is ignored and the rule falls back to matching tcp and udp only
option target REJECT	# or DROP
and that should block ping as well.
----------------------------------------------------------------------
- Rick Stevens, Systems Engineer, AllDigital ricks at alldigital.com -
- AIM/Skype: therps2 ICQ: 226437340 Yahoo: origrps2 -
- -
- You possess a mind not merely twisted, but actually sprained. -
----------------------------------------------------------------------
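The rule syntax in this thread (config rule / option src / option target) is the OpenWrt UCI firewall format, and the behaviour Bob saw follows from one of its defaults: a rule with no "option proto" matches tcp and udp only, so ICMP (ping) and anything else (GRE, ESP, ...) is never touched. The checker below is an added example written for this page, not code from the thread or from OpenWrt. It parses "config rule" stanzas, applies that default, flags options the firewall would ignore (such as the misspelling "protocol"), and reports which probe protocols a given LAN host can still forward to the wan zone. The sample stanzas, the probe protocol list and the rule name isolate_host_7 are constructed for the example; the option names src, src_ip, dest, proto and target are OpenWrt's. It goes slightly beyond the thread by also showing the single "option proto all" rule that covers every protocol at once.

```python
"""Added example (not from the thread): check OpenWrt UCI 'config rule'
stanzas for a host-isolation gap.  Applies the OpenWrt firewall default that a
rule without 'option proto' matches tcp and udp only, and reports which probe
protocols from a given LAN host still reach the wan zone."""

from typing import Dict, List, Tuple

# Options the OpenWrt firewall understands in a 'config rule' stanza (subset).
KNOWN_OPTIONS = {"name", "src", "src_ip", "dest", "dest_ip", "proto",
                 "target", "family", "icmp_type", "enabled"}
# Default when 'option proto' is absent: OpenWrt uses 'tcpudp'.
DEFAULT_PROTO = "tcpudp"
# Protocols probed when asking what is still uncovered (constructed list).
PROBE_PROTOS = ("tcp", "udp", "icmp", "gre", "esp")


def parse_uci_rules(text: str) -> List[Dict[str, str]]:
    """Parse 'config rule' stanzas into option->value dicts; other sections
    and '#' comments are skipped ('list' entries are not handled)."""
    rules: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 2)
        if parts[0] == "config":
            current = {} if len(parts) > 1 and parts[1] == "rule" else None
            if current is not None:
                rules.append(current)
        elif parts[0] == "option" and current is not None and len(parts) == 3:
            current[parts[1]] = parts[2].strip("'\"")
    return rules


def rule_protocols(rule: Dict[str, str]) -> set:
    """Expand a rule's 'proto' value; 'all' means every IP protocol."""
    protos = set()
    for p in rule.get("proto", DEFAULT_PROTO).replace(",", " ").split():
        if p == "tcpudp":
            protos.update({"tcp", "udp"})
        else:
            protos.add(p.lower())
    return protos


def unknown_options(rules: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """(rule index, option) pairs the firewall would ignore, e.g. 'protocol'."""
    return [(i, k) for i, r in enumerate(rules) for k in r if k not in KNOWN_OPTIONS]


def blocking_rules(rules, src_zone, src_ip, dest_zone, protocol):
    """Rules that REJECT/DROP 'protocol' from src_ip in src_zone forwarded to dest_zone."""
    hits = []
    for r in rules:
        if r.get("enabled", "1") == "0":
            continue
        if r.get("src") != src_zone or r.get("dest") != dest_zone:
            continue
        if r.get("src_ip") not in (None, src_ip):  # no src_ip means any source
            continue
        if r.get("target", "").upper() not in ("REJECT", "DROP"):
            continue
        protos = rule_protocols(r)
        if "all" in protos or protocol in protos:
            hits.append(r)
    return hits


def uncovered_protocols(rules, src_zone, src_ip, dest_zone, probe=PROBE_PROTOS):
    """Probe protocols that no rule blocks from src_ip to dest_zone (ping is icmp)."""
    return [p for p in probe if not blocking_rules(rules, src_zone, src_ip, dest_zone, p)]


# Constructed sample stanzas.  RULE_AS_POSTED is the one from the question;
# ICMP_RULE_AS_TYPED uses 'option protocol', which the firewall ignores, so the
# rule silently falls back to tcp+udp; ICMP_RULE_FIXED uses the real name;
# ALL_PROTO_RULE isolates the host for every protocol with one stanza.
RULE_AS_POSTED = """
config rule
    option src lan
    option src_ip 192.168.1.7
    option dest wan
    option target REJECT
"""
ICMP_RULE_AS_TYPED = """
config rule
    option src lan
    option src_ip 192.168.1.7
    option dest wan
    option protocol icmp
    option target REJECT
"""
ICMP_RULE_FIXED = ICMP_RULE_AS_TYPED.replace("option protocol", "option proto")
ALL_PROTO_RULE = """
config rule
    option name isolate_host_7
    option src lan
    option src_ip 192.168.1.7
    option dest wan
    option proto all
    option target REJECT
"""

if __name__ == "__main__":
    cases = [("as posted", RULE_AS_POSTED),
             ("plus icmp rule as typed", RULE_AS_POSTED + ICMP_RULE_AS_TYPED),
             ("plus icmp rule with 'proto'", RULE_AS_POSTED + ICMP_RULE_FIXED),
             ("single 'proto all' rule", ALL_PROTO_RULE)]
    for label, cfg in cases:
        rules = parse_uci_rules(cfg)
        print(f"{label}: ignored options {unknown_options(rules)}; "
              f"still forwarded from 192.168.1.7 to wan: "
              f"{uncovered_protocols(rules, 'lan', '192.168.1.7', 'wan')}")
```

Two caveats that the checker models and that matter in practice: a rule with both src and dest only governs traffic forwarded between zones, so the host can still talk to the router itself and to other LAN hosts; and REJECT answers the blocked host with an ICMP unreachable (an immediate, visible failure) while DROP discards the packet silently, which is the better choice when you do not want the isolated host to learn anything from the filter. After reloading the firewall, confirm the rule landed by listing the iptables rules with counters (iptables -vnL) and watching the ICMP line's counter rise while the host pings 8.8.8.8.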