Questions[firewall-cmd](server)

I wish to block all outgoing connections from a particular user user after they have ssh'd into my server (running RHEL 7.4), that is, user should not be able to ssh into/ping other servers on the network.

I initially configured the following firewall-cmd rule, and it was working.

firewall-cmd --direct --permanent --add-rule ipv4 filter OUTPUT 0 -m owner --uid-owner user -j DROP

However, user now needs to access Jupyter Notebook also running on the same server (http://localhost:8888), but was unable to. There was an error about the websocket. Once the firewall rule above was removed, user can access the Notebook.

I'm not sure why user was unable to access localhost, because I thought the rule only blocks outgoing connections.

How do I allow user to access localhost on any port, or a specific port range, while still blocking network access to everywhere else?

I signed up with a new ISP and they dont provide me with a external IPv4 address. Ive set up a virtual server (S) (that has an address) to relay all my stuff to my box at home (B) using a wireguard tunnel.

On (S) I configured:

sysctl -w net.ipv4.ip_forward=1
firewall-cmd --zone=external --add-forward-port=port=<EXTERNAL PORT>:proto=<PROTOCOL>:toport=<INTERNAL PORT>:toaddr=<INTERNAL IP>
firewall-cmd --zone=external --add-masquerade
firewall-cmd --zone=external --add-port=<EXTERNAL PORT>/<PROTOCOL>

ON (B) I configured:

firewall-cmd --zone=internal --add-port=<INTERNAL PORT>/<PROTOCOL>

The setup works quite well. All connection arrive at (B), but the source address is (obviously) masqueraded. Just removing the masquerading via firewall-cmd --zone=external --remove-masquerade on (S) does not work. My question now is: How can a achieve a similar setup with firewalld, that does not masquerade the source IP addresses, such that I can still analyze the sources on (B)?

Thanks in advance!

On a system managed by firewalld it is possible to redirect incoming traffic on 443 to 8443 so the process listening doesn't have to run as root to bind to 443 which requires root.

firewall-cmd --add-forward-port=port=443:proto=tcp:toport=8443

I attempted to use

00011 fwd 127.0.0.1,8443 tcp from any to me 443

but it didn't work.

What is the IPFW equivalent of this firewall-cmd command?

What's the difference between "firewall-cmd --reload" and "systemctl restart firewalld"?

Hope everyone who will answer this to have a great day!

I have decided to do a bit of spring cleaning, and am doing a refresh of some of my underlying infrastructure.

One of the critical components I am overhauling is the Network Gateway server. I updated my Test Environment (which is an identical, but lower power copy of my Production Environment), and all worked well, but when I applied the same to my Production system, the firewall-cmd rules do not persist between reboots.

I have to run the following commands at startup:

# firewall-cmd --remove-interface=eth0 --zone=public
# firewall-cmd --remove-interface=eth1 --zone=public
# firewall-cmd --remove-interface=eth0 --zone=public --permanent
# firewall-cmd --remove-interface=eth1 --zone=public --permanent
# firewall-cmd --add-interface=eth0 --zone=external
# firewall-cmd --add-interface=eth1 --zone=internal
# firewall-cmd --add-interface=eth0 --zone=external --permanent
# firewall-cmd --add-interface=eth1 --zone=internal --permanent
# firewall-cmd --complete-reload

At which point normal service is resumed. When I run # firewall-cmd --list-all-zones after reboot, both of the interfaces have left the internal and external zones, and have returned to the public zone.

Can someone shed some light on why these settings are not persisting?