How to create a Lockdown zone and block all traffic (incoming and outgoing) on firewalld?

I want to either create a “locked down” zone on firewalld (btw I use the GUI) or set up the BLOCK or DROP zone. I’ve found this on a forum saying that this would basically block all outgoing traffic. How do I implement these commands in the GUI?

sudo firewall-cmd --permanent --new-policy=host-block
sudo firewall-cmd --permanent --policy=host-block --set-target=REJECT
sudo firewall-cmd --permanent --policy=host-block --add-ingress-zone=HOST
sudo firewall-cmd --permanent --policy=host-block --add-egress-zone=ANY
sudo firewall-cmd --reload

If so, shouldn’t I just add this to either the BLOCK or DROP zone to make a locked down zone, right?
How do I add this only for a specific zone? Is enabling panic mode the same thing?
Is there a way to set the previous commands in the GUI?

Sorry for all the questions, but I find firewalld a little complicated; I’m trying to look up as many docs as possible right now.

Thanks for any suggestions.

Zones don’t support outbound filtering; this requires utilizing policy objects.

The firewalld GUI doesn’t support policies yet.

You cannot do it in firewall-config. At this moment you can only use the “direct” command (but it is deprecated) to immediately block the output of an interface, in this case interface bridge0:

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -o bridge0 -j REJECT
firewall-cmd --direct --add-rule ipv6 filter OUTPUT 0 -o bridge0 -j REJECT

Use --remove-rule to enable output again, or --reload.
Replace OUTPUT by INPUT and “-o” by “-i” and you have the corresponding rules for incoming.

I do not think policies can do what you can do with the direct command at this moment yet.

Your host-block policy rejects traffic from HOST to outside, so the system itself is not able to send output, but forwarded packets still can pass. The policy does nothing with incoming packets; you need two of them.

Panic mode adds under the hood:

table inet firewalld_policy_drop {
	chain raw_prerouting {
		type filter hook prerouting priority raw + 9; policy drop;
	}
	chain raw_output {
		type filter hook output priority raw + 9; policy drop;
	}
}

So everything that comes in is dropped before it reaches the machine (before routing), and everything that wants to go out from the machine is dropped.
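The two-policy lockdown described above (one policy for host-to-outside, one for outside-to-host) plus the verification a defender would want afterwards, as an added example that is not part of this thread and not firewalld's own code. It generates the firewall-cmd calls, runs them only when given --apply, and includes two offline checks: one parses the text layout of firewall-cmd --info-policy (assumed from that command's usual output), the other looks for the firewalld_policy_drop table named above in nft list tables output. The policy names host-block-out and host-block-in and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from the firewalld project.
# Builds the two firewalld policy objects that together lock a host down
# (host -> outside and outside -> host) and adds two offline checks.
# Policy names "host-block-out" and "host-block-in" are assumptions.

# Emit the firewall-cmd calls for one REJECT policy.
# $1 = policy name, $2 = ingress zone, $3 = egress zone
lockdown_policy_cmds() {
    pol=$1; in_zone=$2; out_zone=$3
    printf 'firewall-cmd --permanent --new-policy=%s\n' "$pol"
    printf 'firewall-cmd --permanent --policy=%s --set-target=REJECT\n' "$pol"
    printf 'firewall-cmd --permanent --policy=%s --add-ingress-zone=%s\n' "$pol" "$in_zone"
    printf 'firewall-cmd --permanent --policy=%s --add-egress-zone=%s\n' "$pol" "$out_zone"
}

# Both directions, then a reload so the permanent config becomes runtime.
lockdown_all_cmds() {
    lockdown_policy_cmds host-block-out HOST ANY   # host -> anywhere
    lockdown_policy_cmds host-block-in  ANY  HOST  # anywhere -> host
    echo 'firewall-cmd --reload'
}

# Check `firewall-cmd --info-policy NAME` output for the expected settings.
# $1 = info text, $2 = target, $3 = ingress zone, $4 = egress zone
# Returns 0 only when all three lines match exactly.
check_policy_info() {
    info=$1; want_target=$2; want_in=$3; want_out=$4
    printf '%s\n' "$info" | grep -q "^ *target: $want_target\$" || return 1
    printf '%s\n' "$info" | grep -q "^ *ingress-zones: $want_in\$" || return 1
    printf '%s\n' "$info" | grep -q "^ *egress-zones: $want_out\$" || return 1
    return 0
}

# Check `nft list tables` output for the table firewalld installs in panic mode.
# $1 = table list text. Returns 0 when the panic-mode table is present.
panic_mode_active() {
    printf '%s\n' "$1" | grep -q '^table inet firewalld_policy_drop$'
}

# Constructed sample outputs (layout follows firewall-cmd / nft; values made up).
SAMPLE_INFO='host-block-out (active)
  priority: -1
  target: REJECT
  ingress-zones: HOST
  egress-zones: ANY
  services:
  ports:'
SAMPLE_TABLES='table inet firewalld
table inet firewalld_policy_drop'

if [ "$1" = "--apply" ]; then
    # Run the commands for real (needs root and a running firewalld).
    lockdown_all_cmds | sh -e
else
    # Dry run: show the commands and exercise the checks on the samples.
    lockdown_all_cmds
    check_policy_info "$SAMPLE_INFO" REJECT HOST ANY && echo 'policy check: ok'
    panic_mode_active "$SAMPLE_TABLES" && echo 'panic mode: active (sample)'
fi
```

Run it without arguments to see the nine commands it would issue; run it as root with --apply from a local console rather than over SSH, since the ingress policy rejects new connections to the host once --reload makes it active. Afterwards, feed the real output of firewall-cmd --info-policy host-block-out into check_policy_info to confirm the target and zones took effect, and nft list tables into panic_mode_active to tell a policy lockdown apart from panic mode.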