http://bugzilla.opensuse.org/show_bug.cgi?id=1160068
http://bugzilla.opensuse.org/show_bug.cgi?id=1160068#c29

--- Comment #29 from Dario Faggioli <dfaggioli@suse.com> ---
(In reply to Dario Faggioli from comment #28)
(In reply to jean-christophe baptiste from comment #27)
(In reply to Ferdinando Vivacqua from comment #26)
It doesn't work for me. I fixed with

    iptables -A OUTPUT -p tcp --destination-port 8008 -j DROP
    iptables -A OUTPUT -p tcp --destination-port 8009 -j DROP
It does and it's the right way to manage rules in the default settings. It's just that you have not reloaded firewalld (or rebooted). You should have searched a bit because it's not a help forum.
Mmm... Interestingly, I did this:
    # firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="8009" protocol="tcp" reject'
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --list-all
    home (active)
      target: default
      icmp-block-inversion: no
      interfaces: wlp58s0
      sources:
      services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" port port="8009" protocol="tcp" reject
(note that there was a typo in your rule: "family=tcp" needs to be "family=ipv4", I think)
Err, and now there's a typo in mine :-) I mixed the output of different tests!

Trying again... This is what I have:

    # firewall-cmd --list-all
    home (active)
      target: default
      icmp-block-inversion: no
      interfaces: wlp58s0
      sources:
      services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule family="ipv4" port port="8009" protocol="tcp" reject
        rule family="ipv4" port port="8008" protocol="tcp" reject
    # firewall-cmd --direct --get-all-rules
    ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP
    # firewall-cmd --reload
    success

So, there's a rich-rule for both ports 8008 and 8009, and a direct rule for 8008.

Now:

    $ telnet portquiz.net 8008
    Trying 52.47.209.216...
    ^C
    $ telnet portquiz.net 8009
    Trying 52.47.209.216...
    Connected to portquiz.net.
    Escape character is '^]'.
    ^]

I.e., I can't connect to 8008 (for which I have the direct rule in place), while I can happily connect to 8009 (for which I have only the rich rule).

If I remove the rich rule for 8008, leaving only the direct rule, I still can't connect. If I add a direct rule for 8009, I can't connect any longer.

So it looks like it's the direct rule that does the trick, while the rich rules are not really effective, in this case.
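As an added example (not part of the bug report and not firewalld's own code), a small POSIX shell script that installs outbound DROP rules through the direct interface, the approach the comment above found effective, and then checks the `firewall-cmd --direct --get-all-rules` output so that a port without an OUTPUT rule is reported instead of assumed blocked. The function names, the `apply` argument and the sample rule text are this example's own constructions.

```shell
#!/bin/sh
# Block outbound TCP to the given ports with firewalld direct rules in the
# OUTPUT chain, then verify that a rule for every port is really present.
# Nothing here talks to firewalld at load time; only "apply" does.

# Print the direct-rule arguments (the part after --add-rule) for one port.
outbound_drop_rule() {
    printf 'ipv4 filter OUTPUT 0 -p tcp -m tcp --dport %s -j DROP\n' "$1"
}

# Add runtime and permanent direct rules for each port given as argument.
# Needs root and firewall-cmd; the word splitting of the rule text is intended.
apply_outbound_block() {
    for port in "$@"; do
        # shellcheck disable=SC2046
        firewall-cmd --direct --add-rule $(outbound_drop_rule "$port") >/dev/null
        firewall-cmd --permanent --direct --add-rule $(outbound_drop_rule "$port") >/dev/null
    done
}

# Read "firewall-cmd --direct --get-all-rules" output from stdin and check that
# an OUTPUT DROP rule exists for every port in "$@". Returns 0 when all ports
# are covered; otherwise lists the missing ports on stderr and returns 1.
verify_outbound_block() {
    rules=$(cat)
    missing=""
    for port in "$@"; do
        # firewalld prints --dport=8008 for a rule added as --dport 8008; accept both.
        if ! printf '%s\n' "$rules" |
            grep -Eq "^ipv4 filter OUTPUT [0-9]+ .*-p tcp .*--dport[= ]$port[^0-9].*-j DROP"; then
            missing="$missing $port"
        fi
    done
    if [ -n "$missing" ]; then
        echo "no OUTPUT DROP direct rule for:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the format shown in the report: only 8008 is covered.
SAMPLE_RULES='ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP'

# Usage: ./block-outbound.sh apply 8008 8009
if [ "${1:-}" = "apply" ]; then
    shift
    apply_outbound_block "$@" &&
        firewall-cmd --direct --get-all-rules | verify_outbound_block "$@"
fi
```

Run against the constructed sample, the check passes for 8008 alone and fails for 8008 8009, which is exactly the state the comment describes before the second direct rule was added.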