A Web Log

Blocking IP addresses with FirewallD

When I run a web search for something like “block IP address firewalld” I usually see recommendations to create a rich rule. It works, but I believe it's slightly more complex than necessary.

A simpler way to manage a blocklist is to bind the offending addresses or ranges as sources of the block or drop zone. The two zones differ only in how they refuse traffic: drop discards packets silently, while block rejects them with an ICMP host-prohibited message (icmp6-adm-prohibited for IPv6), so the sender learns it is being refused. Because firewalld matches source bindings before interface bindings, a source bound to either zone is cut off no matter which interface it arrives on, and the binding can later be moved to another zone with --change-source if the verdict changes.

sofia@silimini2 ~> firewall-cmd --get-zones
FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work
sofia@silimini2 ~> firewall-cmd --help | grep -A 10 "Options to Handle Bindings of Sources"
Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [P] [Z]

sofia@silimini2 ~> sudo firewall-cmd --permanent --add-source=169.254.11.11/32 --zone=drop
success
sofia@silimini2 ~> sudo firewall-cmd --change-source=169.254.11.11/32 --zone=block
success
sofia@silimini2 ~> sudo firewall-cmd --reload
success

Keep the runtime and permanent configurations straight: a command without --permanent changes only the running firewall and is lost on the next firewall-cmd --reload or reboot, while a command with --permanent takes effect only after a reload. In the session above the --change-source call was made without --permanent, so the reload that followed restored the permanent binding and the address ended up in the drop zone, not block. Either repeat the command with --permanent before reloading, or make the runtime change, test it, and persist it with firewall-cmd --runtime-to-permanent.
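The same source-binding approach scales to a whole blocklist. The script below is an added example, not code from the original post: it validates each entry, binds it to a zone in the permanent configuration and reloads once at the end, so nothing is half-applied in the runtime config. It assumes a blocklist file with one IPv4 CIDR per line and '#' comments, and a FWCMD variable (my own name) that overrides the firewall-cmd invocation for dry runs; IPv6 and ipset: sources are rejected by the validator to keep it short.

```shell
#!/bin/sh
# Added example (not from the original post): load a blocklist of IPv4
# CIDRs into a firewalld zone via source bindings, the way the post does
# for a single address, but with input validation and correct persistence.
# Assumptions: one CIDR per line, '#' starts a comment; FWCMD (a name of my
# own) overrides the firewall-cmd invocation, e.g. FWCMD=echo for a dry run.

# Return 0 if $1 is a well-formed IPv4 address or CIDR (a.b.c.d or
# a.b.c.d/nn), 1 otherwise. Pure POSIX sh, so it is cheap to call per line.
# IPv6 and ipset: sources are rejected on purpose to keep the check short.
valid_cidr4() {
  cidr=$1
  case $cidr in
    ''|*[!0-9./]*) return 1 ;;           # only digits, dots and a slash
  esac
  case $cidr in
    */*) ip=${cidr%/*}; mask=${cidr#*/} ;;
    *)   ip=$cidr; mask=32 ;;
  esac
  case $mask in
    ''|*[!0-9]*|???*) return 1 ;;        # prefix length: one or two digits
  esac
  [ "$mask" -le 32 ] || return 1
  case $ip in
    .*|*.|*..*) return 1 ;;              # no leading, trailing or double dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $ip                             # split into octets (digits only, so no globbing)
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in
      ''|????*) return 1 ;;              # one to three digits per octet
    esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Bind every valid entry of blocklist file $1 to zone $2 (default drop) in
# the permanent configuration, then reload once so the bindings go live.
# Invalid or refused entries are reported and skipped; the return value is
# the number of skipped entries (255 if the final reload failed).
block_from_file() {
  file=$1; zone=${2:-drop}
  fw=${FWCMD:-sudo firewall-cmd}
  added=0; bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    entry=${line%%#*}                    # strip comments
    entry=$(printf '%s' "$entry" | tr -d '[:space:]')
    [ -n "$entry" ] || continue
    if ! valid_cidr4 "$entry"; then
      printf 'skipping invalid entry: %s\n' "$line" >&2
      bad=$((bad + 1))
      continue
    fi
    # Permanent config only; nothing is active until the reload below.
    if $fw --permanent --zone="$zone" --add-source="$entry" >/dev/null; then
      added=$((added + 1))
    else
      # firewalld answers ZONE_CONFLICT if the source is bound elsewhere
      printf 'firewall-cmd refused %s\n' "$entry" >&2
      bad=$((bad + 1))
    fi
  done < "$file"
  if [ "$added" -gt 0 ] && ! $fw --reload >/dev/null; then
    printf 'reload failed: permanent config changed but not active\n' >&2
    return 255
  fi
  return "$bad"
}

# Usage: sh blocklist.sh blocklist.txt [zone]
if [ $# -ge 1 ]; then
  block_from_file "$1" "${2:-drop}"
fi
```

Run it once with FWCMD=echo to see the exact firewall-cmd lines it would issue before letting it touch a live host. Note that --add-source is deliberate: firewalld refuses (ZONE_CONFLICT) to add a source that is already bound to another zone, which stops a blocklist from silently pulling an address out of trusted or internal; move such an entry explicitly with --permanent --change-source as the post shows.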