How do i block a mac address with the firewall?

hello friends
i have been given a XboxOne game console and for some reason my a Fedora and a Ubuntu workstation have a arp cache entry for the XboxOne and some web content isin’t being loaded

so ive set a iptables rule to block the mac address
sudo iptables -I INPUT -m mac --mac-source 84:57:33:b9:39:27 -j REJECT
but i cant save the iptables rule with firewalld.
so is there any easy way to save the current runtime if iptables?
what should i do?
any ideas welcome

You shouldn’t use iptables. You should use firewall-cmd instead. Read more here: Using firewalld :: Fedora Docs

The command could be
sudo firewall-cmd --zone=FedoraWorkstation --permanent --add-rich-rule='rule source mac=11:22:33:44:55:66 drop'
sudo firewall-cmd --reload

1 Like

You are on Fedora 31, but in addition take into account that in Fedora 32 Firewalld Default to nftables

it didnt seem to do anything

What is the result of this command?
firewall-cmd --get-default-zone

firewall-cmd --get-default-zone


Mmm, I performed a test.
If on host B you use such rule to block host A MAC address, host A can’t reach host B, but… host B can reach host A.
Sorry but I’m not so expert. It seems something related to chain precedence, or stuff like that. It seems that MAC address support in firewalld is a little bit incomplete.

There is another option: /etc/firewalld/direct.xml


Direct configuration gives a more direct access to the firewall.
Direct configuration should be used only as a last resort
when it's not possible to use

So. Create a file /etc/firewalld/direct.xml, and put these lines:

<?xml version="1.0" encoding="utf-8"?>
  <passthrough ipv="ipv4">-I INPUT -m mac --mac-source 84:57:33:b9:39:27 -j REJECT</passthrough>

Then restart firewalld.
sudo systemctl restart firewalld

But please pay attention. As said before I’m not an expert.

1 Like

Without editing any file, another solution is the following (actually, once made permanent, it write the rule in the /etc/firewalld/direct.xml file).

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -m mac --mac-source 84:57:33:b9:39:27 -j DROP

If it works, make it permanent:

sudo firewall-cmd --runtime-to-permanent

again i didnt seem to work

i actually changed the line REJECT to DROP,
its absurd and highly irregular for my fedora pc to have an arp cache entry from my XboxOne as they have no compatible software or any relevant connection what so ever. hence changing reject to drop. the software on the Xbox dosnt need to know that data isn’t passing the firewall on my workstation as it (and its programmers) have no business sending data to my Linux workstation in the first place.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.