(In reply to Dario Faggioli from comment #29)
> (In reply to Dario Faggioli from comment #28)
> > (In reply to jean-christophe baptiste from comment #27)
> > > (In reply to Ferdinando Vivacqua from comment #26)
> > > > It doesn't work for me.
> > > > I fixed with iptables -A OUTPUT -p tcp --destination-port 8008 -j DROP
> > > > iptables -A OUTPUT -p tcp --destination-port 8009 -j DROP
> > >
> > > It does and it's the right way to manage rules in the default settings. It's
> > > just that you have not reloaded firewalld (or rebooted). You should have
> > > searched a bit because it's not a help forum.
> > >
> > Mmm... Interestingly, I did this:
> >
> > # firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port
> > port="8009" protocol="tcp" reject'
> > success
> > # firewall-cmd --reload
> > success
> > # firewall-cmd --list-all
> > home (active)
> >   target: default
> >   icmp-block-inversion: no
> >   interfaces: wlp58s0
> >   sources:
> >   services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
> >   ports:
> >   protocols:
> >   masquerade: no
> >   forward-ports:
> >   source-ports:
> >   icmp-blocks:
> >   rich rules:
> >       rule family="ipv4" port port="8009" protocol="tcp" reject
> >
> > (note that there was a typo in your rule: "family=tcp" needs to be
> > "family=ipv4", I think)
> >
> Err, and now there's a typo in mine :-)
>
> I mixed the output of different tests! Trying again...
> This is what I have:
>
> # firewall-cmd --list-all
> home (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: wlp58s0
>   sources:
>   services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
>   ports:
>   protocols:
>   masquerade: no
>   forward-ports:
>   source-ports:
>   icmp-blocks:
>   rich rules:
>       rule family="ipv4" port port="8009" protocol="tcp" reject
>       rule family="ipv4" port port="8008" protocol="tcp" reject
> # firewall-cmd --direct --get-all-rules
> ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP
> # firewall-cmd --reload
> success
>
> So, there's a rich-rule for both ports 8008 and 8009, and a direct rule for
> 8008.
>
> Now:
>
> $ telnet portquiz.net 8008
> Trying 52.47.209.216...
> ^C
>
> $ telnet portquiz.net 8009
> Trying 52.47.209.216...
> Connected to portquiz.net.
> Escape character is '^]'.
> ^]
>
> I.e., I can't connect to 8008 (for which I have the direct rule in place),
> while I can happily connect to 8009 (for which I have only the rich rule).
>
> If I remove the rich rule for 8008, leaving only the direct rule, I still
> can't connect.
>
> If I add a direct rule for 8009, I can't connect any longer.
>
> So it looks like it's the direct rule that does the trick, while the rich
> rules are not really effective, in this case.

I confirm that this workaround works. We will wait for a fixed Chromium build.
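
Added example (not part of the original comment and not firewalld code): a small Python check that reads the two command outputs quoted above and reports, for each port, whether a direct rule on the OUTPUT chain covers it or only a rich rule does, which in the quoted test was the difference between the blocked port and the one that still connected. The sample strings are constructed from the quoted output, and the function names are hypothetical.

```python
import re

# Constructed sample input, shaped like the `firewall-cmd --list-all` and
# `firewall-cmd --direct --get-all-rules` output quoted in the comment.
LIST_ALL = '''home (active)
  target: default
  services: dhcpv6-client mdns samba-client ssh syncthing syncthing-gui
  rich rules:
      rule family="ipv4" port port="8009" protocol="tcp" reject
      rule family="ipv4" port port="8008" protocol="tcp" reject
'''
DIRECT_RULES = 'ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=8008 -j DROP\n'

RICH_RE = re.compile(r'rule\b.*\bport port="(\d+)" protocol="(\w+)" (reject|drop)')
DPORT_RE = re.compile(r'--(?:dport|destination-port)[= ](\d+)')
PROTO_RE = re.compile(r'(?:^|\s)-p (\w+)')
TARGET_RE = re.compile(r'-j (DROP|REJECT)\b')

def rich_rule_ports(list_all):
    """(proto, port) pairs named in reject/drop rich rules of the zone."""
    return {(m.group(2), int(m.group(1)))
            for m in map(RICH_RE.search, list_all.splitlines()) if m}

def direct_output_ports(direct_rules):
    """(proto, port) pairs dropped or rejected by direct rules on filter/OUTPUT."""
    found = set()
    for line in direct_rules.splitlines():
        fields = line.split(None, 4)  # ipv, table, chain, priority, iptables args
        if len(fields) < 5 or fields[1] != 'filter' or fields[2] != 'OUTPUT':
            continue
        args = fields[4]
        port, proto = DPORT_RE.search(args), PROTO_RE.search(args)
        if port and proto and TARGET_RE.search(args):
            found.add((proto.group(1), int(port.group(1))))
    return found

def audit(list_all, direct_rules, wanted):
    """Classify each wanted (proto, port) by the kind of rule that covers it."""
    rich, direct = rich_rule_ports(list_all), direct_output_ports(direct_rules)
    # Assumption taken from the test in the comment: only the direct OUTPUT
    # rule stopped the outgoing connection; the rich rule alone did not.
    return {key: ('direct OUTPUT rule' if key in direct else
                  'rich rule only' if key in rich else 'no rule')
            for key in wanted}

if __name__ == '__main__':
    for key, status in audit(LIST_ALL, DIRECT_RULES, [('tcp', 8008), ('tcp', 8009)]).items():
        print(key, status)
```
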