How can I configure firewalld to block all outgoing traffic except for specific ports while allowing localhost to access any of its own local ports?
The answer, which I found by some trial and error because searching for this exact (possibly odd) scenario on Google or elsewhere was fruitless:
# Allow all outbound traffic from localhost to localhost
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -j ACCEPT
This allows local services to communicate with any other local services (even if the IP addresses assigned to the target services are something other than 127.0.0.1).
John T.
Updated on September 18, 2022
Comments
-
John T. over 1 year
I'll confess at the start that I'm asking this question only after finding the answer and wanting to share it with everyone else. If this is bad form, then my sincere apologies and I'm open to the suggestions on the right way to share this hard-won information. If this is a repeat, please do close it and point visitors to the original question.
So, how can I configure firewalld (in my case, using CentOS 7.6) to block all outgoing traffic except for specific ports while also allowing localhost to access any of its own local ports?
I started out with this:
# First, allow outbound traffic for all allowed inbound traffic
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outbound HTTP, HTTPS, DNS
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p icmp -m icmp --icmp-type=ping -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT
# Block all other outbound traffic
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP
And this all worked fine for locking down a server from getting to anything but websites and DNS.
But any local services trying to get to other local services via localhost network communication were blocked. Worse still, even with firewalld configured to log dropped packets, outbound drops were not being logged.
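The full rule set the question builds up, plus the loopback rule from the answer, as an added example that is not from the original post: it installs the rules permanently, refuses to run if the loopback accept would sort after the DROP, includes the port 443 rule that the "HTTPS" comment implies, and puts a LOG rule ahead of the DROP so that outbound drops reach the kernel log, since the question notes they were otherwise not logged. FWCMD, the function names and the dry-run override are assumptions made for this script.

```shell
#!/bin/sh
# Added example, not from the original post. Installs the outbound policy this
# page arrives at as firewalld direct rules. Assumes firewalld's direct
# interface (CentOS 7 era); FWCMD is an assumed override so the script can be
# dry-run (FWCMD=echo) on a machine without firewalld.
FWCMD="${FWCMD:-firewall-cmd}"

# One rule per line: "<priority> <iptables arguments>". firewalld inserts lower
# priority numbers first, so this order is the order the kernel evaluates.
outbound_rules() {
    cat <<'EOF'
0 -m state --state ESTABLISHED,RELATED -j ACCEPT
1 -o lo -j ACCEPT
2 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
2 -p tcp -m tcp --dport 53 -j ACCEPT
2 -p udp -m udp --dport 53 -j ACCEPT
2 -p tcp -m tcp --dport 80 -j ACCEPT
2 -p tcp -m tcp --dport 443 -j ACCEPT
3 -m limit --limit 5/min -j LOG --log-prefix OUTPUT-DROP: --log-level 4
4 -j DROP
EOF
}

# The original problem was loopback traffic hitting the DROP; refuse to apply
# a list in which the loopback accept does not sort before the final DROP.
loopback_precedes_drop() {
    lo_prio=$(outbound_rules | awk '/-o lo /{print $1; exit}')
    drop_prio=$(outbound_rules | awk '/-j DROP$/{print $1; exit}')
    [ -n "$lo_prio" ] && [ -n "$drop_prio" ] && [ "$lo_prio" -lt "$drop_prio" ]
}

# Add each rule to the running firewall and to the permanent config so it
# survives a reload or reboot. Word-splitting $args is intentional.
apply_outbound_rules() {
    outbound_rules | while read -r prio args; do
        "$FWCMD" --direct --add-rule ipv4 filter OUTPUT "$prio" $args || return 1
        "$FWCMD" --permanent --direct --add-rule ipv4 filter OUTPUT "$prio" $args || return 1
    done
}

# Show what is actually installed, which is the first thing to check when
# a local service is unexpectedly blocked.
show_outbound_rules() {
    "$FWCMD" --direct --get-rules ipv4 filter OUTPUT
}
case "${1:-}" in
    apply) loopback_precedes_drop && apply_outbound_rules && show_outbound_rules ;;
    show)  show_outbound_rules ;;
esac
```

Run it as `sh outbound-lockdown.sh apply` on the firewalld host; with no argument it only defines the functions, and `FWCMD=echo sh outbound-lockdown.sh apply` prints the firewall-cmd invocations instead of executing them.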
-
flpgdt about 5 years
Thanks for this! I'm using a CentOS as firewall as well but was wondering how to allow all outgoing connections from my "internal" zone. Do you think this modification of your rule would do the trick?
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o eth2 -j ACCEPT
(where eth2 is my internal interface) Would you know a way to apply this rule over the zone instead?
-
John T. about 5 years
I am very, very far from an expert on the subject, however your modification looks like it should work to allow outbound access to anything routed through your eth2 network interface. Unfortunately, direct rules cannot be associated with zones, as far as I understand it, because they are essentially equivalent to setting up rules using the old iptables methods.