How do I block a MAC address with the firewall?

Hello friends,
I have been given an Xbox One game console and for some reason both my Fedora and my Ubuntu workstation have an ARP cache entry for the Xbox One, and some web content isn't being loaded.

So I've set an iptables rule to block the MAC address:
sudo iptables -I INPUT -m mac --mac-source 84:57:33:b9:39:27 -j REJECT
but I can't save the iptables rule with firewalld.
So is there any easy way to save the current runtime of iptables?
What should I do?
Any ideas welcome.

You shouldn’t use iptables. You should use firewall-cmd instead. Read more here: Using firewalld :: Fedora Docs

The command could be
sudo firewall-cmd --zone=FedoraWorkstation --permanent --add-rich-rule='rule source mac=11:22:33:44:55:66 drop'
Then
sudo firewall-cmd --reload


You are on Fedora 31, but in addition take into account that in Fedora 32 firewalld defaults to nftables:
https://fedoraproject.org/wiki/Changes/firewalld_default_to_nftables

It didn't seem to do anything.

What is the result of this command?
firewall-cmd --get-default-zone

firewall-cmd --get-default-zone

FedoraWorkstation

Mmm, I performed a test.
If on host B you use such rule to block host A MAC address, host A can’t reach host B, but… host B can reach host A.
Sorry, but I'm not much of an expert. It seems to be something related to chain precedence, or stuff like that. It seems that MAC address support in firewalld is a little bit incomplete.

There is another option: /etc/firewalld/direct.xml

man firewalld.direct

Direct configuration gives a more direct access to the firewall.
...
Direct configuration should be used only as a last resort
when it's not possible to use firewalld.zone

So. Create a file /etc/firewalld/direct.xml, and put these lines:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <passthrough ipv="ipv4">-I INPUT -m mac --mac-source 84:57:33:b9:39:27 -j REJECT</passthrough>
</direct>

Then restart firewalld.
sudo systemctl restart firewalld

But please pay attention. As said before I’m not an expert.


Without editing any file, another solution is the following (actually, once made permanent, it writes the rule to the /etc/firewalld/direct.xml file).

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m mac --mac-source 84:57:33:b9:39:27 -j DROP

If it works, make it permanent:

sudo firewall-cmd --runtime-to-permanent
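The reply above installs the block as a direct rule, and the earlier test reply found that with a zone rich rule the blocked host can no longer reach the firewall host while the firewall host can still reach it. The script below is an added example, not code from the thread or from the firewalld project: it audits an "iptables -S" listing to show where a MAC-based DROP sits relative to firewalld's RELATED,ESTABLISHED accept rule, which is the chain-precedence effect behind that asymmetry (replies to connections the firewall host itself opens are accepted before either the zone chains or INPUT_direct are consulted, whereas the original poster's "iptables -I INPUT" put the rule ahead of everything). It also validates the MAC string, since a malformed one makes the match silently match nothing, and prints the direct-rule command sequence from the reply above. The two listings are constructed, not captured, and the chain order they assume is firewalld's iptables backend; with the nftables backend the equivalent chain to inspect is filter_INPUT in table "inet firewalld". None of these rules filter ARP, which is not IP traffic, so the ARP cache entry itself is unaffected by any of them.

```shell
#!/bin/sh
# Added example (not from the thread): audit where a MAC-based DROP rule sits
# relative to firewalld's RELATED,ESTABLISHED accept, and print the
# firewall-cmd sequence that installs it as a direct rule.

# Accept only the aa:bb:cc:dd:ee:ff form; a malformed MAC makes
# "-m mac --mac-source" match nothing, silently.
valid_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read an `iptables -S` listing on stdin and classify the first rule that
# matches the MAC given as $1:
#   before-conntrack  the rule (or the INPUT jump to its chain) precedes the
#                     RELATED,ESTABLISHED accept, so every frame from that MAC
#                     is dropped, replies included
#   after-conntrack   it comes after, which is where firewalld places both zone
#                     rich rules and the INPUT_direct jump, so connections this
#                     host opens toward the MAC still get their replies through
#   absent            no rule references the MAC
#   unreachable       the rule is in a user chain that INPUT never jumps to
mac_rule_position() {
    mac=$1
    listing=$(cat)
    hit=$(printf '%s\n' "$listing" | grep -n -i -- "--mac-source $mac" | head -n 1)
    [ -n "$hit" ] || { echo absent; return 1; }
    rule_line=${hit%%:*}
    chain=$(printf '%s\n' "$hit" | cut -d: -f2- | cut -d' ' -f2)
    ct_line=$(printf '%s\n' "$listing" \
        | grep -n -- '^-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    if [ "$chain" != INPUT ]; then
        # Rule lives in a user chain: what matters is where INPUT jumps to it.
        rule_line=$(printf '%s\n' "$listing" | grep -n -- "^-A INPUT -j $chain\$" \
            | head -n 1 | cut -d: -f1)
        [ -n "$rule_line" ] || { echo unreachable; return 1; }
    fi
    if [ -z "$ct_line" ] || [ "$rule_line" -lt "$ct_line" ]; then
        echo before-conntrack
    else
        echo after-conntrack
    fi
}

# Print the firewalld commands that add the block as a runtime direct rule,
# confirm it is present, and then persist it.
block_mac_cmds() {
    valid_mac "$1" || { echo "bad MAC: $1" >&2; return 1; }
    printf '%s\n' \
        "firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m mac --mac-source $1 -j DROP" \
        "firewall-cmd --direct --query-rule ipv4 filter INPUT 0 -m mac --mac-source $1 -j DROP" \
        "firewall-cmd --runtime-to-permanent"
}

# Constructed `iptables -S` excerpts (not captured output). SAMPLE_DIRECT is
# the filter table after the direct rule from the thread; SAMPLE_INSERTED is
# the same table after the original poster's `iptables -I INPUT ...`.
SAMPLE_DIRECT='-P INPUT ACCEPT
-N INPUT_direct
-N INPUT_ZONES
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_direct -m mac --mac-source 84:57:33:b9:39:27 -j DROP'

SAMPLE_INSERTED='-P INPUT ACCEPT
-N INPUT_direct
-A INPUT -m mac --mac-source 84:57:33:b9:39:27 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct'

# Usage: sh mac_rule_audit.sh audit 84:57:33:b9:39:27   (as root, on the firewalld host)
#        sh mac_rule_audit.sh demo                        (runs against the samples above)
case "${1:-}" in
    audit) valid_mac "${2:-}" || { echo "usage: $0 audit aa:bb:cc:dd:ee:ff" >&2; exit 2; }
           iptables -S | mac_rule_position "$2" ;;
    demo)  printf '%s\n' "$SAMPLE_DIRECT"   | mac_rule_position 84:57:33:b9:39:27
           printf '%s\n' "$SAMPLE_INSERTED" | mac_rule_position 84:57:33:b9:39:27 ;;
esac
```

Run "demo" to see the direct rule classified as after-conntrack and the hand-inserted one as before-conntrack; "audit" pipes the live table through the same check so you can confirm which of the two you actually have before deciding whether an outbound rule is also needed.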

Again, it didn't seem to work.

Thanks.
I actually changed the line from REJECT to DROP.
It's absurd and highly irregular for my Fedora PC to have an ARP cache entry from my Xbox One, as they have no compatible software or any relevant connection whatsoever; hence changing REJECT to DROP. The software on the Xbox doesn't need to know that data isn't passing the firewall on my workstation, as it (and its programmers) has no business sending data to my Linux workstation in the first place.
