
RFE: Add a way to filter outgoing traffic #32

Closed
genodeftest opened this issue Jul 25, 2015 · 22 comments
Labels
feature New feature or enhancement.

Comments

@genodeftest

Currently there is no easy way to filter outgoing traffic. It would be nice to add this functionality. I would like to block outgoing traffic by default except for some critical services like dns, web browser, email client, package manager.

@t-woerner t-woerner added the feature New feature or enhancement. label Aug 17, 2015
@edgimar

edgimar commented Sep 12, 2015

I also need a way to change OUTPUT rules for zones. In particular, I have some wifi connections which are tethered / metered data connections, and for these, I would prefer to add some output rules that block all traffic except traffic from a special "internet" gid (using the iptables 'owner' module). Furthermore, I want the rules only to be active when I am using a connection which is designated as being in the 'metered' zone.

By the way, I notice that this issue is named [GUI]... -- does this mean that what I describe here is already possible using firewall-cmd? Direct rules seem not to be the right thing, since I want the rules to only be active when connected to certain connections.

@genodeftest
Author

I didn't test it on firewall-cmd.

@t-woerner
Collaborator

Output filtering is planned for one of the next releases. There is already support for output filtering with direct rules, though. Since 0.4.1.2 direct rules can be reliably added to zones.

@t-woerner t-woerner added this to the 0.5 milestone Jun 16, 2016
@Magissia

Does this milestone tag mean we will get outgoing rules support for version 0.5?
Firewalld is an interesting project to initiate people to firewalls, but without proper outgoing support it doesn't work for that purpose, as direct rules would be too hardcore.

Thanks

@t-woerner
Collaborator

Yes, that is the plan.

@t-woerner
Collaborator

It might be good to get information about the needs of users, administrators and projects for outgoing filtering.

@BenjaminLefoul
Contributor

I think most users would like "firewall-cmd --add-interface=lo" or "echo 'ZONE=public' >> ifcfg-lo" to JUST-WORK™ :).

@t-woerner
Collaborator

@BenjaminLefoul Please explain what you want to achieve with that.

@BenjaminLefoul
Contributor

Most sysadmins I work with typically have a web service of sorts running on a non-standard port and do a port forward with firewalld. By adding "lo" to the zone, they expect a "curl http://localhost/somewebapp" to work (without specifying the port). If that is impossible, I would be glad to refer them to your explanation.

@t-woerner
Collaborator

O.k., you want to have support for transparent proxies. The current implementation of port forwarding does not allow this. There is another request to support the REDIRECT target that will enable this. This is #78.

@teadur

teadur commented Oct 21, 2016

Outgoing filtering is definitely a must-have for servers.

@Magissia

Magissia commented Jan 5, 2017

Ideally, being able to put binaries into groups and block outgoing packets to certain destinations for said group would be nice, but it would involve more than iptables alone, and I don't know if it's out of scope to use cgroups and such in addition to iptables to get that result.

@teadur

teadur commented Jan 6, 2017

Not sure if there is a simpler solution, but for services you could use the iptables --uuid feature to filter outgoing traffic by program, but that's quite ugly; maybe cgroups have some cleaner solution for it, haven't played with them much.

@laurivosandi

laurivosandi commented Jan 20, 2017

Hi, could someone please provide an example of how one can amend default zone rules to constrain outgoing traffic using direct rules? Documentation is rather useless on that topic.

@etcinit

etcinit commented Jan 31, 2017

Hi. My use case is perhaps a bit specific, but I'm looking into using zones + direct rules to drop most outgoing traffic when on public networks, and once a VPN connection is established, outgoing traffic can go through that interface freely.

This would allow me to prevent applications on my system from making outgoing connections during the short window between the Wi-Fi connection being established and connecting to the VPN.

It really seems that all the pieces are already there for this, but only for incoming connections.

Above @t-woerner mentions:

Since 0.4.1.2 direct rules can be reliably added to zones.

However, I'm unable to find documentation on this. I see that I could add direct rules for a zone's chains, but so far, these only seem to be created for INPUT.

Is there a way of applying direct rules for a specific zone on the OUTPUT chain?

@laurivosandi

laurivosandi commented Jan 31, 2017

Hi, that's exactly the use case I am attempting to solve here 👍

@etcinit

etcinit commented Feb 1, 2017

With a few minutes of messing around, I managed to get a proof-of-concept of this working on my local copy with a minimal set of changes: https://github.com/t-woerner/firewalld/compare/master...etcinit:etcinit/output-zones?expand=1. It's a slight hack but it sort of gets the job done.

It mainly causes firewalld to also create zone chains for the OUTPUT chain, which I can then customize with direct rules.

With my Wi-Fi card assigned to the public zone and tun0 assigned to the home zone, the following rules cause my laptop to only allow DNS/HTTP/VPN outgoing traffic on the public zone, and once the VPN connection becomes active, traffic continues freely:

(screenshot from 2017-01-31 18-17-44, image not included)

I'm new to firewalld/iptables/python but I hope this helps!
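
As an added example (not code from the issue or from the firewalld project) of what laurivosandi asked for and what the public-zone/VPN scenario above describes: egress filtering with plain firewall-cmd direct rules in the filter table's OUTPUT chain. Direct rules are global rather than per-zone, so the outgoing interface match (-o) is what ties each rule to the "zone"; the interface names wlp3s0 and tun0 and the VPN port 1194 are assumptions to adjust for your system.

```shell
#!/bin/sh
# Added example, not part of the firewalld project: default-drop egress on the
# Wi-Fi interface, allowing only DNS, HTTP(S) and the VPN tunnel itself, while
# anything leaving through the VPN interface is unrestricted.
# Assumed names: wlp3s0 (public zone), tun0 (VPN), UDP 1194 (VPN endpoint).
WIFI_IF="${WIFI_IF:-wlp3s0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"

# run_fw: with DRY_RUN set, print the firewall-cmd invocation; otherwise run it.
run_fw() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "firewall-cmd --permanent --direct --add-rule $*"
    else
        firewall-cmd --permanent --direct --add-rule "$@"
    fi
}

# egress_rules: rules are evaluated in ascending priority order, so the
# accepts come before the LOG and the final DROP.
egress_rules() {
    # replies on already-tracked sessions keep flowing
    run_fw ipv4 filter OUTPUT 0 -o "$WIFI_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # what is needed before the VPN is up: resolver, captive portals, web
    run_fw ipv4 filter OUTPUT 1 -o "$WIFI_IF" -p udp --dport 53 -j ACCEPT
    run_fw ipv4 filter OUTPUT 1 -o "$WIFI_IF" -p tcp --dport 80 -j ACCEPT
    run_fw ipv4 filter OUTPUT 1 -o "$WIFI_IF" -p tcp --dport 443 -j ACCEPT
    # the VPN tunnel itself
    run_fw ipv4 filter OUTPUT 1 -o "$WIFI_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # everything else leaving via Wi-Fi is logged (for detection) and dropped
    run_fw ipv4 filter OUTPUT 2 -o "$WIFI_IF" -j LOG --log-prefix "egress-drop: "
    run_fw ipv4 filter OUTPUT 3 -o "$WIFI_IF" -j DROP
    # traffic inside the tunnel is unrestricted
    run_fw ipv4 filter OUTPUT 0 -o "$VPN_IF" -j ACCEPT
}

# count_rules: number of rules the set would install (sanity check for dry runs)
count_rules() { (DRY_RUN=1; egress_rules) | wc -l | tr -d ' '; }

# apply_egress_rules: install the permanent rules and activate them
apply_egress_rules() { egress_rules && firewall-cmd --reload; }
```

Source the file and run `DRY_RUN=1; egress_rules` to preview the commands, or `apply_egress_rules` as root to install them; dropped packets then show up in the kernel log with the `egress-drop:` prefix.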

@t-woerner
Collaborator

t-woerner commented Feb 10, 2017

@etcinit: I have merged your patch into the new output-filtering branch (https://github.com/t-woerner/firewalld/tree/output-filtering). Additionally I have added another patch to add some more chains that are needed for source bindings in zones.

@jamesgreenblue

@t-woerner: For those of us that are less comfortable messing around with the local firewall code - can you predict when 0.5 will be released?

@t-woerner
Collaborator

t-woerner commented May 3, 2017

@jameshalgh The plan is to get to 0.5 within the next two to three months, depending on other workload. If there is help, it might be a lot faster.

@satch89450

Output filtering is part of BGP-38, to prevent "bad" traffic from leaving a server or similar device. The idea is that you disallow sending packets out that are not part of your own network, or part of the public Internet. Usually this is the task of an edge router, but defense in depth would call for intermediate routers to also implement the outgoing part of BGP-38.

@erig0 erig0 changed the title [rfe] [GUI] add an easy way to filter outgoing traffic RFE: Add a way to filter outgoing traffic Feb 19, 2019
@erig0 erig0 mentioned this issue Feb 19, 2019
@erig0 erig0 removed this from the 0.5 milestone Feb 19, 2019
@ramon-garcia

My two practical issues with firewalld:

  • No output filtering
  • No hostnames in rules

erig0 added a commit to erig0/firewalld that referenced this issue Jul 27, 2020
Fixes: firewalld#2
Fixes: firewalld#32
Fixes: rhbz 1367528
Fixes: rhbz 1492722
@erig0 erig0 closed this as completed in 83d691a Aug 28, 2020