Firewall Block Outgoing UDP 53 Specific IP

I want to test failure modes in some software by blocking DNS to a specific DNS server.

I tried the following:

# firewall-cmd --zone public --add-rich-rule='rule family="ipv4" destination address="10.11.12.99" port port="53" protocol="udp" drop' --timeout=60

but it has no effect. Running dig:

dig @10.11.12.99 -t A as2.msds.corp
… unexpectedly successful:
as2.msds.corp. 1200 IN A 10.11.12.88

Googling around doesn’t turn up any obvious answers. I guess blocking outgoing traffic is not a common scenario.

Is firewalld just controlling iptables? So can I just edit iptables directly? It seems like firewall-cmd is deliberately simplified to be easier but only for simple things it seems.

Can someone provide a pointer to some documentation that explains how firewalld actuall works.

Incidentally, before I did anything, # iptables -nvL listed all sorts of rules like LIBVIRT and so on. But after doing # firewall-cmd --reload they disappeared. But the firewalld rules are still in effect.

Sounds like maybe there is an order to the rules that matters? How do I insert the rule to be higher than all existing rules?

Just trying to make sense of this all.

This is on rocky 8.9

UPDATE:

As usual I figured this out immediately after posting. For the googlers …

It seems firewalld is not ideal for blocking outbound. In my case I found that using iptables directly works as expected:

# iptables -I OUTPUT -d 10.11.12.99 -p udp --dport 53 -j DROP

unblock with:

# iptables -D <same params>

2 Likes