Firewalld - how to block ip address?

wojtekdublin

I have tried to block a public IP address (www.google.com) using the firewalld rich-rule flag:

sudo firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address="212.77.98.9" reject'
sudo firewall-cmd --reload

However, after adding the rule I can still access www.google.com from the browser and ping the IP address. Does anyone know how to fix this issue?

Thanks in advance.
 


You should use destination instead of source, since you are trying to block outgoing connections to that IP address and not incoming connections from that IP address.
 
As advised I have tried the following command to block the destination IP address:

firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" destination address="X.X.X.X" reject'

Output of the command 'firewall-cmd --list-all' for the relevant part is:
...
rich rules:
rule family="ipv4" source address="X.X.X.X" reject
rule family="ipv4" destination address="X.X.X.X" reject

However the IP address has not been blocked. I am still able to access the website with its IP address.
 
Does this have any meaning for you? This is out of my knowledge area... just a guess.

HERE
 
According to the rich rule documentation, source and destination should be set up in the same rule. Try something like this.
firewall-cmd --permanent --zone=FedoraServer --add-rich-rule='rule family="ipv4" source address=x.x.x.x destination address="212.77.98.9" reject'
Replacing x.x.x.x with your LAN network.
Then reload firewalld.
firewall-cmd --reload

If that doesn't work you are probably better off setting up nftables directly, because firewalld is just a front-end for nftables. The way firewalld is set up with zones, its better use case is laptops or workstations; for server setups it's better to use nftables directly.
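An added example, not posted by anyone in this thread: zone rich rules only filter traffic arriving at the host, which is why a destination rule in zone FedoraServer never sees the host's own outgoing connections. The script below uses the same rich-rule syntax as the thread but attaches it to a firewalld policy object (assumes firewalld 0.9 or newer; the policy name block-outbound and the FIREWALL_CMD/POLICY_NAME variables are choices made for this example).

```shell
#!/bin/sh
# Added example, not from the thread. Zone rich rules filter traffic arriving
# at the host, so the thread's destination rule in zone FedoraServer never sees
# the host's own outgoing connections. Policy objects (firewalld 0.9+) cover
# traffic from the host itself (ingress zone HOST) to anywhere (egress zone ANY).
# On older firewalld the equivalent is a --direct rule in the filter OUTPUT chain.
# Set FIREWALL_CMD=echo to preview the commands instead of applying them,
# or FIREWALL_CMD="sudo firewall-cmd" when not running as root.

: "${FIREWALL_CMD:=firewall-cmd}"
POLICY_NAME="${POLICY_NAME:-block-outbound}"   # policy name chosen for this example

# Rich rule text for one IPv4 address: the same rule language the thread uses,
# but it will be attached to the egress policy rather than to a zone.
outbound_reject_rule() {
    printf 'rule family="ipv4" destination address="%s" reject' "$1"
}

# Create the policy once (ignore "already exists") and bind it host -> any.
ensure_outbound_policy() {
    $FIREWALL_CMD --permanent --new-policy "$POLICY_NAME" 2>/dev/null || true
    $FIREWALL_CMD --permanent --policy "$POLICY_NAME" --add-ingress-zone HOST
    $FIREWALL_CMD --permanent --policy "$POLICY_NAME" --add-egress-zone ANY
}

# Attach one reject rule per address, then reload so the permanent config is live.
# Note: a name such as www.google.com resolves to many IPv4 and IPv6 addresses,
# so rejecting a single address will not make the site unreachable.
block_outbound() {
    ensure_outbound_policy
    for ip in "$@"; do
        $FIREWALL_CMD --permanent --policy "$POLICY_NAME" \
            --add-rich-rule="$(outbound_reject_rule "$ip")"
    done
    $FIREWALL_CMD --reload
}

# Check that the rule is present on the policy (exit status 0 = blocked).
is_blocked() {
    $FIREWALL_CMD --policy "$POLICY_NAME" \
        --query-rich-rule="$(outbound_reject_rule "$1")"
}

# Usage: sh block_outbound.sh --apply 212.77.98.9 [more addresses...]
if [ "${1:-}" = "--apply" ]; then
    shift
    block_outbound "$@"
    is_blocked "$1" && echo "outbound traffic to $1 is now rejected"
fi
```

Run it with FIREWALL_CMD=echo first to see exactly which firewall-cmd calls it would make, then without it to apply them.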
 

