
To replicate the problem, have two different servers with their own IP addresses. Now start pinging one of them from the second one, and while still pinging, block the first server's IP on the second one with one of two commands:

firewall-cmd -q --permanent --add-rich-rule="rule family='ipv4' source address=IP-ADDRESS-HERE reject"

or

firewall-cmd --permanent --zone=drop --add-source=IP-ADDRESS-HERE

and then whichever of the following commands you run:

firewall-cmd --reload
firewall-cmd --complete-reload
systemctl restart firewalld

the pinging never stops. Only if you interrupt the pinging process on the first server and try again, then it fails.

I am probably hitting the same issue discussed in Why firewalld doesn't apply my drop rule?, but unfortunately that one didn't have any good answer.

I tried lots of different things, but can't get the originating pinging source to be dropped immediately. In other words, if someone is spotted attacking your server and you would immediately block their IP, your firewalld cannot do it on the spot, and that worries me.

How to get firewalld to block an IP address immediately, on the spot?

Sasha

2 Answers


At the very top of the default ruleset, there is a rule which automatically allows inbound packets belonging to a known packet stream, or an established connection. This means you can receive inbound responses without having to manually allow them in the firewall, but it also means that active connections will remain allowed even if firewalld inserts a later rule blocking them.

You can use the conntrack tool to inspect the known states and delete them individually, by protocol or by source IP address.

u1686_grawity
Thank you very much for the information, I will test the `conntrack` tool. However, I would still like to believe there is some easy way of killing the current sessions. Because, let's say, there is an ongoing attack and some kind of malicious action originating from an IP address, and I believe the system should be able to promptly close that session. On Fedora 7.x based systems you could just install one of the firewalls running over iptables, let's say Advanced Policy Firewall, and shoot `apf -d OFFENDING-IP-ADDRESS`; then it would immediately kill the offending session. Should be a way on 8.x. – Sasha Jul 27 '20 at 04:33

You need to install conntrack and drop established connections:

yum install conntrack-tools
conntrack -F
sekrett
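Putting the two answers together, here is an added example (not code from either answer): a POSIX shell helper that adds the reject rich rule to the runtime and permanent configuration and then deletes only the conntrack entries involving that address with `conntrack -D -s` / `-d`, rather than `conntrack -F`, which also drops every other host's established connections. It assumes firewalld and conntrack-tools are installed and that it runs as root; the `DRY_RUN` variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example: block an IPv4 address with firewalld and immediately
# drop the conntrack state that would otherwise keep live flows allowed.
# Assumes firewalld and conntrack-tools are installed; run as root.
# DRY_RUN=1 prints the commands instead of executing them (for review/testing).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Return 0 only for a dotted-quad IPv4 address with octets 0-255, so that an
# unexpected value can never be spliced into the rich-rule string.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

block_ip_now() {
    ip=$1
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    rule="rule family='ipv4' source address=$ip reject"
    # Runtime rule takes effect at once; the --permanent copy survives reloads.
    run firewall-cmd -q --add-rich-rule="$rule"
    run firewall-cmd -q --permanent --add-rich-rule="$rule"
    # Delete existing conntrack entries in both directions (-s: flows the
    # address initiated, -d: flows this host initiated towards it) so the
    # ESTABLISHED/RELATED accept rule stops matching them.
    run conntrack -D -s "$ip"
    run conntrack -D -d "$ip"
}
```

Run it as `block_ip_now 203.0.113.7` (a documentation address used here as a constructed sample); the ongoing ping from that host fails on the next packet instead of only after the ping is restarted.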