I didn't know that /etc/firewalld/direct.xml file exists. And I didn't know that rules added through the direct interface can be made permanent.
The thing is that I'm preparing for the RHCE (RHEL 7) exam. And there aren't any study guides out there for this version yet. So the first place I go for information is the official Red Hat documentation for RHEL 7 [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/].
Here [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...], in the second paragraph of the 'Understanding the Direct Interface' section of the 'Security Guide', it says that 'The direct interface mode is intended for services or applications to add specific firewall rules during run time. The rules are not permanent and need to be applied every time after receiving the start, restart or reload message from firewalld using D-BUS.'
Then later in the same document [https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...] the note under the 'Configuring the Firewall Using the Command Line Tool, firewall-cmd' says that 'In order to make a command permanent or persistent, add the --permanent option to all commands apart from the --direct commands (which are by their nature temporary).'
Now I see that those statements are either outdated or simply incorrect. I'll take a closer look at the direct interface. Thanks for pointing it out to me. I think that is what I need for limiting outgoing traffic.
Rufe

On 10/13/2014 7:25:50 AM, Jiri Popelka jpopelka@redhat.com wrote:

On 10/06/2014 07:41 PM, Rufe Glick wrote:
> While skimming through this mailing list's archives I saw that this question was raised a couple of times. And last time in August of this year Jiri reiterated that "So far we don't handle outbound traffic in firewalld".
> So if I still need to limit outgoing traffic what is the best way to proceed? I could probably use the direct interface. But then I'll have to write a daemon that'll handle reload\reboot events of firewalld to re-add the rules. That sounds a bit complicated.
Did you know that 'direct' configuration can be stored in /etc/firewalld/direct.xml? See the firewalld.direct man page. Or you can use firewall-cmd, for example:

$ firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --sport 1234 -j DROP
Or perhaps I don't understand your use case.
> The only solution I see is to disable the firewalld service altogether and fall back to the iptables service.
> Any other ideas?
> Also in my opinion a full-value firewall solution has to have the ability to limit outgoing traffic. Are there plans to incorporate this functionality any time soon?
None that I know of.
-- Jiri
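One way to apply Jiri's suggestion to the outbound-filtering question, as an added example that is not part of this thread: a POSIX shell script that renders an egress allow-list into the /etc/firewalld/direct.xml layout described in firewalld.direct(5), so the rules survive a reload or restart without a helper daemon. The rule set, its priorities and the allowed ports are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the <rule> element layout from
# firewalld.direct(5): <rule ipv=... table=... chain=... priority=...>ARGS</rule>
# Within one chain, direct rules are ordered by ascending priority, so the
# final REJECT must carry the highest number. Entries: "priority|iptables args"
EGRESS_RULES='0|-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
1|-o lo -j ACCEPT
2|-p udp -m udp --dport 53 -j ACCEPT
3|-p tcp -m tcp --dport 443 -j ACCEPT
9|-j REJECT --reject-with icmp-admin-prohibited'

# render_direct_xml <ipv> <table> <chain> <rules>: print direct.xml to stdout
render_direct_xml() {
  ipv=$1; table=$2; chain=$3; rules=$4
  printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
  printf '%s\n' "$rules" | while IFS='|' read -r prio args; do
    [ -n "$prio" ] || continue   # skip blank lines
    printf '  <rule ipv="%s" table="%s" chain="%s" priority="%s">%s</rule>\n' \
      "$ipv" "$table" "$chain" "$prio" "$args"
  done
  printf '</direct>\n'
}

# write_direct_xml <path>: write the file; succeed only if the default-deny
# rule is present, so a truncated policy is never installed silently
write_direct_xml() {
  render_direct_xml ipv4 filter OUTPUT "$EGRESS_RULES" > "$1" || return 1
  grep -q 'priority="9">-j REJECT' "$1"
}

# count_rules <path>: number of <rule> elements in a direct.xml file
count_rules() { grep -c '<rule ' "$1"; }
```

Install the rendered file as /etc/firewalld/direct.xml, run `firewall-cmd --reload`, and confirm the rules were loaded with `firewall-cmd --direct --get-all-rules`.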
On 10/13/2014 04:59 PM, Rufe Glick wrote:
> Now I see that those statements are either outdated or simply incorrect.
Yes, they are outdated and our documentation team already knows about that. I've just poked them so it'll hopefully be updated soon.
-- Jiri
firewalld-users@lists.fedorahosted.org