I want to test failure modes in some software by blocking DNS to a specific DNS server.
I tried the following:
# firewall-cmd --zone public --add-rich-rule='rule family="ipv4" destination address="10.11.12.99" port port="53" protocol="udp" drop' --timeout=60
but it has no effect. Running dig:
dig @10.11.12.99 -t A as2.msds.corp
… unexpectedly successful:
as2.msds.corp. 1200 IN A 10.11.12.88
Googling around doesn’t turn up any obvious answers. I guess blocking outgoing traffic is not a common scenario.
Is firewalld just controlling iptables? So can I just edit iptables directly? It seems like firewall-cmd is deliberately simplified to be easier, but only for simple things.
Can someone provide a pointer to some documentation that explains how firewalld actually works?
Incidentally, before I did anything,
# iptables -nvL
listed all sorts of rules like LIBVIRT and so on. But after doing
# firewall-cmd --reload
they disappeared. But the firewalld rules are still in effect.
Sounds like maybe there is an order to the rules that matters? How do I insert the rule to be higher than all existing rules?
Just trying to make sense of this all.
This is on Rocky 8.9.
UPDATE:
As usual I figured this out immediately after posting. For the googlers …
It seems firewalld is not ideal for blocking outbound. In my case I found that using iptables directly works as expected:
# iptables -I OUTPUT -d 10.11.12.99 -p udp --dport 53 -j DROP
unblock with:
# iptables -D <same params>
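Added example, not from the post: a small POSIX shell wrapper around the iptables OUTPUT rule from the update, with the idempotent insert, check and delete a tester wants before trusting a failure-mode run. It assumes iptables and dig are installed and the script runs as root; the resolver comes from DNS_SERVER, defaulting to the post's 10.11.12.99.

```sh
#!/bin/sh
# Added example (not from the original post): manage the outbound DNS block from
# the update as one rule spec shared by insert, check and delete.
# Assumes: iptables present, run as root, DNS_SERVER is the resolver to cut off.
DNS_SERVER="${DNS_SERVER:-10.11.12.99}"   # resolver from the post

# Run iptables with one action (-I, -C or -D) followed by the single rule spec,
# so insert, check and delete can never drift apart ("-D <same params>").
ipt_rule() {
    iptables "$1" OUTPUT -d "$DNS_SERVER" -p udp --dport 53 -j DROP
}

# -C exits 0 only if an identical rule is already present in OUTPUT.
dns_blocked() {
    ipt_rule -C 2>/dev/null
}

# Insert at position 1 of OUTPUT (ahead of anything firewalld or libvirt put
# there) unless it is already in place, so repeated calls add no duplicates.
block_dns() {
    dns_blocked || ipt_rule -I
}

# Delete every copy, since -D removes only one matching rule per call.
unblock_dns() {
    while dns_blocked; do
        ipt_rule -D
    done
}

# Confirm the block from the client side the way the post did: a query that
# cannot get a UDP answer must fail or time out rather than resolve.
verify_blocked() {
    ! dig +time=2 +tries=1 @"$DNS_SERVER" -t A "${1:-as2.msds.corp}" >/dev/null 2>&1
}

# The post saw firewall-cmd --reload clear other iptables rules; check "status"
# (or re-run "block") after any reload before starting a test run.
case "${1:-}" in
    block)   block_dns && echo "blocked UDP/53 to $DNS_SERVER" ;;
    unblock) unblock_dns && echo "unblocked UDP/53 to $DNS_SERVER" ;;
    status)  if dns_blocked; then echo blocked; else echo open; fi ;;
    *)       : ;;   # sourced or run without arguments: define functions only
esac
```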