How to block an internal host from the internet with firewalld by MAC address


I am trying to stop some hosts on the network from going outside/calling home.

So I have 2 zones.

[root@eagle ~]# firewall-cmd --get-active-zones 
external
  interfaces: enp2s0
internal
  interfaces: eno1

With masquerading on for external

[root@eagle ~]# firewall-cmd --zone=internal --query-masquerade
no
[root@eagle ~]# firewall-cmd --zone=external --query-masquerade
yes

And I have a rich rule to drop data for the MAC address I want

[root@eagle ~]# firewall-cmd --zone=external --list-rich-rules 
rule source mac="40:16:3B:63:72:E0" drop

But it doesn't seem to be working. Obvious things I checked are adding them as permanent and making sure I reloaded the rules.

Any help appreciated

djdomi: I believe it might be a good question, but don't you think you should add some information about what kind of firewall you are using? — Just as an example, you're telling me "I'm driving a car" — no one will know which car you're driving (Or is that a secret?) :-)

Adrian Cornish: If you mean the backend for firewalld, it's nftables.
Answer:

You are adding the MAC rule on the external zone, which is enp2s0. The ethernet frames sent out via that interface have the MAC address of enp2s0 as their source MAC address.

If you want to match devices in the internal network, you need to add MAC matching rules in the internal zone, which is using interface eno1, and sees the client MAC addresses as the source MAC address when it receives frames from clients.

This means that you need to add destination IP address matching in the rule too.

Adrian Cornish: If I add it to the internal zone, then won't that mean it is unable to communicate with anything else on the LAN too? Would there be an equivalent to iptables POSTROUTING in nftables to add a rule there?

LAN-side traffic is switched on L2; it doesn't go through iptables. If you run a bridge on the box bridging different LAN-side interfaces, the bridge is still assigned to the internal zone, so traffic still flows.
Adrian Cornish: Thanks for your help. I moved the MAC rule to internal, but I wasn't clear on what you meant by dest IP; I want to block all outgoing. I cut all connections with `conntrack` but 40:16 is still getting out. `15:27:20.930195 40:16:3b:63:72:e0 > 64:00:6a:57:f8:1f, ethertype IPv4 (0x0800), length 1514: 192.168.124.61.46524 > 52.20.197.208.443: Flags [.], seq 543929265:543930713, ack 3518997520, win 331, options [nop,nop,TS val 36061421 ecr 1532501099], length 1448`

The packets are visible on the internal interface that you used when you ran tcpdump. The packets shouldn't be visible on the outgoing interface.