Description of problem:
Is this not a bug? Yes, to me too it sort of defies basic logic - one would expect to be able, with a "rich rule", to block/ban a host (actually there are quite a few articles on the net stating it should be doing that).

public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.2.0/24" reject

Yet hosts from 192.168.2.0/24 (which is firewalld's zone "work") are able to masquerade and access everything (in this case the whole Internet) behind the em3 interface. It smells like a bug to me.

Version-Release number of selected component (if applicable):
0.3.9

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
The external address 192.168.2.0/24 will be blocked, not an internal one.

There is a solution: masquerade all but 192.168.2.0/24 with a rich rule

  rule family="ipv4" source NOT address="192.168.2.0/24" masquerade

and deactivate masquerading in the zone. Please do not forget to enable masquerading for IPv6 if needed.
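The point in comment #2 is that the zone-level "masquerade: yes" switch NATs every packet forwarded out of the zone's interface (em3), whereas a "reject" rich rule in that zone only filters packets that arrive through that zone from the listed source, so hosts on the internal side are untouched by it. The following POSIX shell script is an added example, not part of this bug report or of firewalld: it audits a `firewall-cmd --zone=... --list-all` dump for that combination and prints the firewall-cmd invocations that apply the advice above. The three zone dumps are constructed samples in the 0.3.x listing layout (not captured output), and the helper names `audit_zone` and `fix_commands` are mine.

```shell
#!/bin/sh
# Added example, not firewalld code: audit a firewalld zone dump for the pattern in this
# bug (zone-level masquerade plus a reject rich rule that cannot stop forwarded traffic).

# Constructed sample dumps in the `firewall-cmd --zone=public --list-all` layout.
# 1) the reporter's situation: reject rule present, zone masquerade still on
SAMPLE_BUGGY='public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.2.0/24" reject
'
# 2) the fix from comment #2: zone masquerade off, NOT-rule masquerades everyone else
SAMPLE_FIXED='public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source address="192.168.2.0/24" reject
    rule family="ipv4" source NOT address="192.168.2.0/24" masquerade
'
# 3) half-applied fix: NOT-rule added but the zone switch was left on
SAMPLE_HALF='public (active)
  interfaces: em3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:
    rule family="ipv4" source NOT address="192.168.2.0/24" masquerade
'

# Return 0 if the zone-level masquerade switch is on in dump $1.
zone_masq_on() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*masquerade: yes$'
}

# Return 0 if dump $1 has a rich rule that masquerades everything except network $2.
masq_excludes() {
    printf '%s\n' "$1" | grep -F 'source NOT address="'"$2"'"' | grep -q 'masquerade$'
}

# Return 0 if dump $1 has a reject or drop rich rule for source network $2.
reject_rule_for() {
    printf '%s\n' "$1" | grep -F 'source address="'"$2"'"' | grep -Eq '(reject|drop)$'
}

# Print one verdict line for zone dump $1 and internal network $2.
audit_zone() {
    dump=$1; net=$2
    if zone_masq_on "$dump"; then
        if reject_rule_for "$dump" "$net"; then
            echo "WARN: $net is rejected on ingress but zone-level masquerade still NATs it on egress"
        elif masq_excludes "$dump" "$net"; then
            echo "WARN: zone-level masquerade still NATs $net; disable it so the NOT rule takes effect"
        else
            echo "OK: zone masquerades everything and does not claim to block $net"
        fi
    elif masq_excludes "$dump" "$net"; then
        echo "OK: $net excluded from masquerade by rich rule"
    else
        echo "OK: zone does not masquerade"
    fi
}

# Print the firewall-cmd invocations that apply comment #2 to zone $1 for network $2.
# (Add the matching family="ipv6" rule yourself if IPv6 masquerading is needed.)
fix_commands() {
    zone=$1; net=$2
    printf '%s\n' \
      "firewall-cmd --permanent --zone=$zone --remove-masquerade" \
      "firewall-cmd --permanent --zone=$zone --add-rich-rule='rule family=\"ipv4\" source NOT address=\"$net\" masquerade'" \
      "firewall-cmd --reload"
}

audit_zone "$SAMPLE_BUGGY" 192.168.2.0/24
audit_zone "$SAMPLE_HALF"  192.168.2.0/24
audit_zone "$SAMPLE_FIXED" 192.168.2.0/24
fix_commands public 192.168.2.0/24
```

On a live host you would feed `audit_zone "$(firewall-cmd --zone=public --list-all)" 192.168.2.0/24` instead of the constructed samples; the script only reads the dump and never changes the firewall, the printed firewall-cmd lines are for you to review and run.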
Hi,

(In reply to Thomas Woerner from comment #2)
> The external address 192.168.2.0/24 will be blocked, not an internal.
>
> There is a solution: Masquerade all but 192.168.2.0/24 with a rich rule
>
> rule family="ipv4" source NOT address="192.168.2.0/24" masquerade
>
> And deactivate masquerading in the zone. Please do not forget to enable
> masquerading for IPv6 if needed.

This ticket didn't receive an update for quite a while, therefore I assume the above advice resolved the reporter's issue. Please feel free to reopen in case I am wrong.

Thanks,
Phil
ok