I am trying to stop some hosts on the network from going outside/calling home.
So I have 2 zones.
[root@eagle ~]# firewall-cmd --get-active-zones
external
  interfaces: enp2s0
internal
  interfaces: eno1
With masquerading on for external:
[root@eagle ~]# firewall-cmd --zone=internal --query-masquerade
no
[root@eagle ~]# firewall-cmd --zone=external --query-masquerade
yes
And I have a rich rule to drop data for the MAC address I want:
[root@eagle ~]# firewall-cmd --zone=external --list-rich-rules
rule source mac="40:16:3B:63:72:E0" drop
But it doesn't seem to be working. Obvious things I checked are adding them as permanent and making sure I reloaded the rules.
Any help appreciated.
You are adding the MAC rule on the external zone, which is enp2s0. The ethernet frames sent out via that interface have the MAC address of enp2s0 as their source MAC address. If you want to match devices in the internal network, you need to add MAC matching rules in the internal zone, which is using interface eno1, and sees the client MAC addresses as the source MAC address when it receives frames from clients. This means that you need to add destination IP address matching in the rule too.
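As an added example (not part of the original answer), a small POSIX sh helper that builds the corrected rule for the internal zone and applies it both at runtime and permanently; it assumes the LAN is 192.168.1.0/24 (a placeholder) and uses the MAC from the question.

```shell
#!/bin/sh
# Added example, not from the original post. The LAN prefix 192.168.1.0/24
# is a placeholder; substitute the real internal network.

# Lowercase a MAC address and check it has the expected aa:bb:cc:dd:ee:ff
# shape; print the normalised form, or fail so a typo never becomes a rule.
normalize_mac() {
    mac=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s' "$mac" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    printf '%s\n' "$mac"
}

# Build the rich rule. It matches the client's MAC as the *source* (which is
# what eno1 in the internal zone sees) and drops only traffic whose
# destination lies outside the LAN, so the host keeps local access but
# cannot reach the outside through the masquerading external zone.
block_rule() {
    rule_mac=$(normalize_mac "$1") || return 1
    printf 'rule family="ipv4" source mac="%s" destination NOT address="%s" drop\n' \
        "$rule_mac" "$2"
}

# Apply the rule to the runtime and permanent configuration of the internal
# zone, then confirm firewalld actually holds it.
# usage: apply_block 40:16:3B:63:72:E0 192.168.1.0/24
apply_block() {
    r=$(block_rule "$1" "$2") || { echo "bad MAC address: $1" >&2; return 1; }
    firewall-cmd --zone=internal --add-rich-rule="$r" &&
    firewall-cmd --permanent --zone=internal --add-rich-rule="$r" &&
    firewall-cmd --zone=internal --query-rich-rule="$r"
}
```

After applying, `firewall-cmd --zone=internal --list-rich-rules` should show the rule, and the external zone needs no MAC rule at all.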