Reject host (not IP) using firewalld / firewalld.richlanguage

Solution 1:

The man page for firewall-cmd tells the facts:

A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.

There's a good reason for this. firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criterion would require gathering additional information from additional sources, namely the domain name system (DNS). Such an implementation would be vulnerable to denial-of-service attacks, as it would be easy to make your server generate new traffic while trying to filter the packets.

Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure, an IP can have a reverse PTR record, but it's neither mandatory nor trustworthy.

E.g. some unified threat management (UTM) solutions with content filters block HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means they can't use the URL, as the HTTP request and its Host: header are encrypted: they only see the IP address, just like your firewall. Instead of filtering the content, they block all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.

If you really would like to use host names, you would need to query for the IP addresses first. Say you would like to prevent your employees from surfing serverfault.com during their precious working hours.

  1. dig +short serverfault.com
  2. Block those destination IP addresses.
  3. Repeat this at regular intervals, starting by removing the outdated rules.
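The three steps above, as an added worked example that is not part of the original answer: resolve the A records, install one `destination address` rich rule per address (the element the quoted man page describes), and on every run remove the rules from the previous run before adding the current ones, so addresses that a name no longer resolves to do not stay blocked forever. The zone name `internal`, the state directory `/var/lib/block-host` and the `BLOCK_HOST` variable are placeholders chosen for this example, not anything from the page or from firewalld.

```shell
#!/bin/sh
# Added example, not part of the original answer: keep firewalld rich rules
# in step with a hostname's current A records. Each run removes the rules
# installed by the previous run before adding the current set, so stale
# addresses do not accumulate. The zone and the state directory below are
# hypothetical placeholders you would set for your own site.
set -eu

ZONE="${ZONE:-internal}"                      # hypothetical LAN-facing zone
STATE_DIR="${STATE_DIR:-/var/lib/block-host}" # hypothetical state location

# Keep only IPv4 addresses, one per line, sorted and deduplicated. For an
# aliased name, `dig +short` also prints the CNAME target, which must never
# end up inside a rich rule. Exits 0 even when nothing matches.
filter_ipv4() {
    grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u || true
}

# Current A records of $1 (the only network call; the tests use filter_ipv4
# directly on constructed dig-style output).
resolve_ipv4() {
    dig +short "$1" A | filter_ipv4
}

# The rule that rejects traffic *to* one address. The identical string is
# used for --add-rich-rule and --remove-rich-rule, so it lives in one place.
reject_rule() {
    printf 'rule family="ipv4" destination address="%s" reject' "$1"
}

# set_minus A B: lines of A that are not in B (newline-separated lists,
# empty lines ignored). Used for both "stale" (old minus new) and
# "fresh" (new minus old).
set_minus() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(b, bl, "\n"); for (i = 1; i <= n; i++) inb[bl[i]] = 1
        n = split(a, al, "\n"); for (i = 1; i <= n; i++)
            if (al[i] != "" && !(al[i] in inb)) print al[i]
    }'
}

# Refresh the block for hostname $1: remove rules for addresses that have
# gone away, add rules for new ones, remember the set, reload once.
# Editing --permanent rules and doing a single --reload applies the whole
# change in one step instead of rule by rule.
sync_block() {
    host="$1"
    state="$STATE_DIR/$host.ips"
    mkdir -p "$STATE_DIR"
    old="$(cat "$state" 2>/dev/null || true)"
    new="$(resolve_ipv4 "$host")"
    if [ -z "$new" ]; then
        # A failed lookup must not silently unblock everything.
        echo "no A records for $host; leaving current rules in place" >&2
        return 1
    fi
    set_minus "$old" "$new" | while read -r ip; do
        firewall-cmd --permanent --zone="$ZONE" --remove-rich-rule="$(reject_rule "$ip")"
    done
    set_minus "$new" "$old" | while read -r ip; do
        firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(reject_rule "$ip")"
    done
    printf '%s\n' "$new" > "$state"
    firewall-cmd --reload
}

# Run it from cron at an interval no longer than the name's TTL, e.g.:
#   BLOCK_HOST=serverfault.com sh block-host.sh
if [ -n "${BLOCK_HOST:-}" ]; then
    sync_block "$BLOCK_HOST"
fi
```

Two caveats worth checking before relying on this. Rich rules in a zone match packets that enter through that zone's interfaces or sources (including forwarded packets on a gateway), not traffic the firewall host itself originates, so put the rule in the zone the employees' traffic arrives from. And, as the answer notes for UTM boxes, blocking an address blocks every name served from it: a site behind a shared CDN edge takes its neighbours down with it, so inspect the resolved list before trusting the job unattended.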