Cheers for that!
I was just looking into setting up a systemd service to apply those nft commands as part of the boot process when you replied, so I dropped that and had a look at the --direct option: it works.
So, for anyone who's interested, the commands equivalent to those listed above (more or less) are:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner no-internet -j LOG --log-prefix 'group=no-internet'
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m owner --gid-owner no-internet -j DROP
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -m owner --gid-owner no-internet -j LOG --log-prefix 'group=no-internet'
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -m owner --gid-owner no-internet -j DROP
Those commands won't put the rules into effect immediately, but they should be after a reboot (?, not tested)... anyway, for now, next do:
firewall-cmd --reload # this activates the rules
and the rules are definitely in effect post reboot (tested).
As executed on RL 8.5:
[root@localhost bob]# firewall-cmd --direct --get-all-rules # to show any existing
[root@localhost bob]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m owner --gid-owner no-internet -j LOG --log-prefix 'group=no-internet'
success
[root@localhost bob]# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -m owner --gid-owner no-internet -j DROP
success
[root@localhost bob]# firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -m owner --gid-owner no-internet -j LOG --log-prefix 'group=no-internet'
success
[root@localhost bob]# firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -m owner --gid-owner no-internet -j DROP
success
[root@localhost bob]# firewall-cmd --reload
Then test that it works by running ping as group no-internet with the sg command:
[root@localhost bob]# sg no-internet "ping 192.168.1.10"
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
^C
--- 192.168.1.10 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2040ms
And without the group set:
[root@localhost bob]# ping 192.168.1.10
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=127 time=1.01 ms
64 bytes from 192.168.1.10: icmp_seq=2 ttl=127 time=0.652 ms
64 bytes from 192.168.1.10: icmp_seq=3 ttl=127 time=0.725 ms
^C
--- 192.168.1.10 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2017ms
rtt min/avg/max/mdev = 0.652/0.795/1.008/0.153 ms
View the logs:
[root@localhost bob]# cat /var/log/messages | grep 'group=no-internet'
Jan 14 21:40:10 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38025 DF PROTO=ICMP TYPE=8 CODE=0 ID=4397 SEQ=1
Jan 14 21:40:11 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38782 DF PROTO=ICMP TYPE=8 CODE=0 ID=4397 SEQ=2
Jan 14 21:40:12 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=39024 DF PROTO=ICMP TYPE=8 CODE=0 ID=4397 SEQ=3
[root@localhost bob]#
This can all be used with a bit more jiggery-pokery to run keepassxc without network access without having to build it - which is no trivial task: one major fly in the ointment being a Ruby dependency that isn’t obviously available. There’s another topic open on the keepassxc question I’ll update/link to here later.
Thanks again!
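As an added example (not part of the original post), here is a small shell script that summarises the kernel LOG lines the 'group=no-internet' rules above write to /var/log/messages, so blocked outbound attempts by the no-internet group can be audited per destination, protocol and port. The sample log lines are constructed in the same format as the output above; it assumes the prefix has no trailing space, so the kernel glues it to IN= exactly as in the post's log, and 203.0.113.5 is a documentation address standing in for an Internet host.

```shell
#!/bin/sh
# Added example, not from the original post: summarise the kernel LOG lines
# that the 'group=no-internet' LOG rules write to /var/log/messages, so the
# dropped outbound attempts of the no-internet group can be audited.
# Assumption: the log prefix is exactly 'group=no-internet' with no trailing
# space, so the kernel glues it to "IN=" exactly as in the post's output.

# Constructed sample log lines in the format of the post's /var/log/messages
# excerpt (203.0.113.5 is a documentation address, not a real host).
SAMPLE_LOG='Jan 14 21:40:10 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38025 DF PROTO=ICMP TYPE=8 CODE=0 ID=4397 SEQ=1
Jan 14 21:40:11 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=38782 DF PROTO=ICMP TYPE=8 CODE=0 ID=4397 SEQ=2
Jan 14 21:40:15 localhost kernel: group=no-internetIN= OUT=enp1s0 SRC=192.168.122.52 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
Jan 14 21:40:16 localhost kernel: unrelated message that must be ignored'

# Number of packets the no-internet group tried to send and had dropped.
blocked_count() {
    printf '%s\n' "$1" | grep -c 'group=no-internet'
}

# One line per destination/protocol/port: "<count> DST=<ip> PROTO=<proto> DPT=<port or ->".
# The awk loop picks fields by name rather than position, because ICMP and
# TCP/UDP log lines carry different fields after PROTO=.
blocked_summary() {
    printf '%s\n' "$1" | awk '
        /group=no-internet/ {
            dst = "?"; proto = "?"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            n["DST=" dst " PROTO=" proto " DPT=" dpt]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k2
}

# Run against the constructed sample; on a real host feed it
# "$(grep 'group=no-internet' /var/log/messages)" instead.
echo "blocked packets: $(blocked_count "$SAMPLE_LOG")"
blocked_summary "$SAMPLE_LOG"
```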