How to block an internal host from the internet with firewalld by MAC address

I am trying to stop some hosts on the network from going outside/calling home.

So I have 2 zones.

[root@eagle ~]# firewall-cmd --get-active-zones 
external
  interfaces: enp2s0
internal
  interfaces: eno1

With masquerading on for external

[root@eagle ~]# firewall-cmd --zone=internal --query-masquerade
no
[root@eagle ~]# firewall-cmd --zone=external --query-masquerade
yes

And I have a rich rule to drop data for the MAC address I want

[root@eagle ~]# firewall-cmd --zone=external --list-rich-rules 
rule source mac="40:16:3B:63:72:E0" drop

But it doesn't seem to be working. Obvious things I checked are adding them as permanent and making sure I reloaded the rules.

Any help appreciated


Solution 1:

You are adding the MAC rule on the external zone, which is enp2s0. The Ethernet frames sent out via that interface have the MAC address of enp2s0 as their source MAC address.

If you want to match devices in the internal network, you need to add the MAC matching rules in the internal zone, which uses interface eno1 and sees the client MAC addresses as the source MAC address when it receives frames from the clients.

This means that you also need to add destination IP address matching to the rule.
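As an added example (not part of the original answer), the following script builds the rich rule the answer describes, places it in the internal zone rather than the external one, and checks that it took effect. The MAC address and zone names come from the question; the LAN prefix 192.168.1.0/24 is an assumed value, and the `build_rule`, `apply_rule` and `verify_rule` names are this script's own, not firewalld's.

```shell
#!/bin/sh
# Added example: block one internal host, identified by its MAC address, from being
# forwarded to the internet while still letting it reach the LAN itself.
# Assumptions: the internal zone is "internal" on eno1 (from the question); the LAN
# prefix 192.168.1.0/24 is an assumed value, replace it with your own network.

MAC="40:16:3B:63:72:E0"   # host to block (from the question)
LAN="192.168.1.0/24"      # assumed LAN prefix, traffic to it stays allowed
ZONE="internal"           # the zone on eno1, where the client MAC is visible

# Compose the firewalld rich rule. family="ipv4" is required because the rule
# matches an IPv4 destination; "destination not address" exempts the LAN so the
# host can still talk to the gateway and local machines.
build_rule() {
    mac="$1"
    lan="$2"
    printf 'rule family="ipv4" source mac="%s" destination not address="%s" drop' "$mac" "$lan"
}

# Add the rule to the permanent config and reload so runtime matches it.
apply_rule() {
    zone="$1"
    rule="$2"
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    firewall-cmd --reload
}

# Check: the rule must be present on the internal zone (exit 0) and absent
# from the external zone, which is where the question had placed it.
verify_rule() {
    zone="$1"
    rule="$2"
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

RULE="$(build_rule "$MAC" "$LAN")"
echo "rich rule for zone $ZONE: $RULE"

# Only touch the firewall when explicitly asked, so the script is safe to source.
if [ "${1:-}" = "--apply" ]; then
    if command -v firewall-cmd >/dev/null 2>&1; then
        apply_rule "$ZONE" "$RULE" && verify_rule "$ZONE" "$RULE"
    else
        echo "firewall-cmd not found; nothing applied" >&2
        exit 1
    fi
fi
```

Run it as root with `--apply` on the firewall host; without the flag it only prints the rule it would add. Two caveats worth keeping in mind: the MAC match only works because eno1 is on the same Ethernet segment as the client, and a client can change its MAC address, so this is a convenience control rather than a security boundary. If the internal hosts also have IPv6 connectivity through this gateway, a second rule with `family="ipv6"` and the matching IPv6 prefix is needed, since this one only covers IPv4.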