Reject host(not ip) using firewalld / firewalld.richlanguage

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












Is it possible to add a rule in linux firewalld to reject an entire host(not ip or ip range) ?



For example, I wish to reject all connection coming from my133y.org.



Using firewall rich language I can drop ip, but host rejection is not provided in man pages.



Example to reject ip



firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.4/24" drop'


when modified to :



firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="my133t.org" drop'


I got the error:



Error: INVALID_ADDR: my133t.org





linux centos7 firewalld







share|improve this question









New contributor




user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    1
    down vote

    favorite












    Is it possible to add a rule in linux firewalld to reject an entire host(not ip or ip range) ?



    For example, I wish to reject all connection coming from my133y.org.



    Using firewall rich language I can drop ip, but host rejection is not provided in man pages.



    Example to reject ip



    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.4/24" drop'


    when modified to :



    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="my133t.org" drop'


    I got the error:



    Error: INVALID_ADDR: my133t.org





    linux centos7 firewalld







    share|improve this question









    New contributor




    user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      Is it possible to add a rule in linux firewalld to reject an entire host(not ip or ip range) ?



      For example, I wish to reject all connection coming from my133y.org.



      Using firewall rich language I can drop ip, but host rejection is not provided in man pages.



      Example to reject ip



      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.4/24" drop'


      when modified to :



      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="my133t.org" drop'


      I got the error:



      Error: INVALID_ADDR: my133t.org





      linux centos7 firewalld







      share|improve this question









      New contributor




      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      Is it possible to add a rule in linux firewalld to reject an entire host(not ip or ip range) ?



      For example, I wish to reject all connection coming from my133y.org.



      Using firewall rich language I can drop ip, but host rejection is not provided in man pages.



      Example to reject ip



      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.100.4/24" drop'


      when modified to :



      firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="my133t.org" drop'


      I got the error:



      Error: INVALID_ADDR: my133t.org





      linux centos7 firewalld




      linux centos7 firewalld






      share|improve this question









      New contributor




      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question









      New contributor




      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question








      edited 2 hours ago









      Sven♦

      83.9k10140195




      83.9k10140195






      New contributor




      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 3 hours ago









      user3127456

      61




      61




      New contributor




      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      user3127456 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          2
          down vote













          The man page for firewall-cmd tells the facts:




          A source address or address range is either an IP address or a network
          IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
          with the ipset: prefix. For IPv4, the mask can be a network mask or a
          plain number. For IPv6 the mask is a plain number. The use of host
          names is not supported.




          There's a good reason for this. The firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criteria would require gathering additional information from additional sources, namely the domain name system DNS. Such implementation would be vulnerable for denial-of-service attacks as it would be easy to make your server generate new traffic while trying to filter the packets.



          Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure an IP can have a reverse PTR record, but it's not mandatory nor trustworthy.



          E.g. some unified threat management (UTM) solutions with content filters blocks HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means it can't use the URL, as the HTTP request and its Host: header are encrypted: it only sees the IP address, just like your firewall. Instead of filtering the content it blocks all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.



          If you really would like to use host names, you would need to query for the IP addresses, first. Say you would like to prevent your employees surfing on serverfault.com on their precious working hours.



          1. dig +short serverfault.com

          2. Block those destination IP addresses.

          3. Repeat this at regular intervals, starting from removing the outdated rules.





          share|improve this answer






















          • It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
            – kasperd
            1 hour ago










          • Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
            – Esa Jokinen
            45 mins ago











          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "2"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          user3127456 is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936415%2freject-hostnot-ip-using-firewalld-firewalld-richlanguage%23new-answer', 'question_page');

          );

          Post as a guest

















          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          2
          down vote













          The man page for firewall-cmd tells the facts:




          A source address or address range is either an IP address or a network
          IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
          with the ipset: prefix. For IPv4, the mask can be a network mask or a
          plain number. For IPv6 the mask is a plain number. The use of host
          names is not supported.




          There's a good reason for this. The firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criteria would require gathering additional information from additional sources, namely the domain name system DNS. Such implementation would be vulnerable for denial-of-service attacks as it would be easy to make your server generate new traffic while trying to filter the packets.



          Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure an IP can have a reverse PTR record, but it's not mandatory nor trustworthy.



          E.g. some unified threat management (UTM) solutions with content filters blocks HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means it can't use the URL, as the HTTP request and its Host: header are encrypted: it only sees the IP address, just like your firewall. Instead of filtering the content it blocks all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.



          If you really would like to use host names, you would need to query for the IP addresses, first. Say you would like to prevent your employees surfing on serverfault.com on their precious working hours.



          1. dig +short serverfault.com

          2. Block those destination IP addresses.

          3. Repeat this at regular intervals, starting from removing the outdated rules.





          share|improve this answer






















          • It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
            – kasperd
            1 hour ago










          • Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
            – Esa Jokinen
            45 mins ago















          up vote
          2
          down vote













          The man page for firewall-cmd tells the facts:




          A source address or address range is either an IP address or a network
          IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
          with the ipset: prefix. For IPv4, the mask can be a network mask or a
          plain number. For IPv6 the mask is a plain number. The use of host
          names is not supported.




          There's a good reason for this. The firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criteria would require gathering additional information from additional sources, namely the domain name system DNS. Such implementation would be vulnerable for denial-of-service attacks as it would be easy to make your server generate new traffic while trying to filter the packets.



          Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure an IP can have a reverse PTR record, but it's not mandatory nor trustworthy.



          E.g. some unified threat management (UTM) solutions with content filters blocks HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means it can't use the URL, as the HTTP request and its Host: header are encrypted: it only sees the IP address, just like your firewall. Instead of filtering the content it blocks all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.



          If you really would like to use host names, you would need to query for the IP addresses, first. Say you would like to prevent your employees surfing on serverfault.com on their precious working hours.



          1. dig +short serverfault.com

          2. Block those destination IP addresses.

          3. Repeat this at regular intervals, starting from removing the outdated rules.





          share|improve this answer






















          • It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
            – kasperd
            1 hour ago










          • Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
            – Esa Jokinen
            45 mins ago













          up vote
          2
          down vote










          up vote
          2
          down vote









          The man page for firewall-cmd tells the facts:




          A source address or address range is either an IP address or a network
          IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
          with the ipset: prefix. For IPv4, the mask can be a network mask or a
          plain number. For IPv6 the mask is a plain number. The use of host
          names is not supported.




          There's a good reason for this. The firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criteria would require gathering additional information from additional sources, namely the domain name system DNS. Such implementation would be vulnerable for denial-of-service attacks as it would be easy to make your server generate new traffic while trying to filter the packets.



          Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure an IP can have a reverse PTR record, but it's not mandatory nor trustworthy.



          E.g. some unified threat management (UTM) solutions with content filters blocks HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means it can't use the URL, as the HTTP request and its Host: header are encrypted: it only sees the IP address, just like your firewall. Instead of filtering the content it blocks all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.



          If you really would like to use host names, you would need to query for the IP addresses, first. Say you would like to prevent your employees surfing on serverfault.com on their precious working hours.



          1. dig +short serverfault.com

          2. Block those destination IP addresses.

          3. Repeat this at regular intervals, starting from removing the outdated rules.





          share|improve this answer














          The man page for firewall-cmd tells the facts:




          A source address or address range is either an IP address or a network
          IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
          with the ipset: prefix. For IPv4, the mask can be a network mask or a
          plain number. For IPv6 the mask is a plain number. The use of host
          names is not supported.




          There's a good reason for this. The firewalld is a packet filter. It compares the packet to the rules it has. The IP packet has both source and destination IP address, but not the host name. Therefore, using the host as a criteria would require gathering additional information from additional sources, namely the domain name system DNS. Such implementation would be vulnerable for denial-of-service attacks as it would be easy to make your server generate new traffic while trying to filter the packets.



          Furthermore, while a host name is easy to translate to an IP address by querying for A records in DNS, detecting all host names for an IP address is not that straightforward. Sure an IP can have a reverse PTR record, but it's not mandatory nor trustworthy.



          E.g. some unified threat management (UTM) solutions with content filters blocks HTTPS traffic based on forbidden host names without encrypting the TLS traffic. This means it can't use the URL, as the HTTP request and its Host: header are encrypted: it only sees the IP address, just like your firewall. Instead of filtering the content it blocks all HTTPS traffic to that IP address, using a pre-fetched list of IP addresses for that hostname. This is exactly what you must do.



          If you really would like to use host names, you would need to query for the IP addresses, first. Say you would like to prevent your employees surfing on serverfault.com on their precious working hours.



          1. dig +short serverfault.com

          2. Block those destination IP addresses.

          3. Repeat this at regular intervals, starting from removing the outdated rules.






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 48 mins ago

























          answered 2 hours ago









          Esa Jokinen

          21.4k23057




          21.4k23057











          • It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
            – kasperd
            1 hour ago










          • Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
            – Esa Jokinen
            45 mins ago

















          • It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
            – kasperd
            1 hour ago










          • Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
            – Esa Jokinen
            45 mins ago
















          It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
          – kasperd
          1 hour ago




          It is possible for a hostname to have multiple PTR records. And https traffic often has the domain name in clear through SNI. But regardless of that, this answer is still pretty much correct on why firewall rules based on hostnames isn't a good idea.
          – kasperd
          1 hour ago












          Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
          – Esa Jokinen
          45 mins ago





          Thanks, tweaked those details. In what phase of the TLS handshake the information on SNI hostname is shared? Is it possible to read it from the traffic without interfering at all?
          – Esa Jokinen
          45 mins ago











          user3127456 is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          user3127456 is a new contributor. Be nice, and check out our Code of Conduct.












          user3127456 is a new contributor. Be nice, and check out our Code of Conduct.











          user3127456 is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f936415%2freject-hostnot-ip-using-firewalld-firewalld-richlanguage%23new-answer', 'question_page');

          );

          Post as a guest
































































          Comments

          Post a Comment

          Popular posts from this blog

          What does second last employer means? [closed]

          Image
          Clash Royale CLAN TAG #URR8PPP .everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote -3 down vote favorite Say, for example I have worked in the following companies, Company A => 2010 - 2011 Company B => 2011 - 2012 Company C => 2012 - Till Date Company D => Have offer Now assume Company D is asking to submit documents from my second last employer. So from the list of companies given, which company would be qualified as second last employer? software-industry employer share | improve this question asked Aug 10 '14 at 5:16 Rajaprabhu Aravindasamy 559 1 6 13 closed as off-topic by Jim G., jmort253 ♦ Aug 11 '14 at 1:58 This question appears to be off-topic. The users who voted to close gave this specific reason: "Questions seeking advice on company-specific regulations, agreements, or policies should be directed to your manager or HR department. Questions that address...
          Read more

          List of Gilmore Girls characters

          Image
          The season three cast—(Back row): Lane, Michel, Paris, Emily, Richard, Sookie, Miss Patty, Kirk; Front row: Jess, Luke, Lorelai, Rory, Dean This is a list of characters for the comedy-drama television series Gilmore Girls . Contents 1 Main characters 1.1 Lorelai Gilmore 1.2 Rory Gilmore 1.3 Sookie St. James 1.4 Lane Kim 1.5 Michel Gerard 1.6 Luke Danes 1.7 Emily Gilmore 1.8 Richard Gilmore 1.9 Paris Geller 1.10 Dean Forester 1.11 Jess Mariano 1.12 Kirk Gleason 1.13 Jason Stiles 1.14 Logan Huntzberger 2 Major recurring characters 2.1 Christopher Hayden 2.2 Jackson Belleville 2.3 Mrs. Kim 2.4 Tristin DuGray 2.5 Max Medina 2.6 Taylor Doose 2.7 Dave Rygalski 2.8 Marty 3 Recurring characters 3.1 Stars Hollow 3.2 Chilton 3.3 Yale 3.4 Other 4 Notable guest stars 5 Unseen characters 6 Notes 7 References Main characters Actor Character Appearances Season 1 Season 2 Season 3 Season 4 Season 5 Season 6 Season 7 A Year in the Life Lauren Graham Lorelai Gilmore...
          Read more

          Confectionery

          Image
          Prepared foods made with a lot of sugar or other cabohydrates "Sweetmeat" redirects here. For the racehorse, see Sweetmeat (horse). Not to be confused with Sweetbread. This Kransekake is a traditional Scandinavian baker's confection. Confectionery is the art of making confections , which are food items that are rich in sugar and carbohydrates. Exact definitions are difficult. [1] In general, though, confectionery is divided into two broad and somewhat overlapping categories, bakers' confections and sugar confections. [2] Bakers' confectionery, also called flour confections , includes principally sweet pastries, cakes, and similar baked goods. Sugar confectionery includes candies ( sweets in British English), candied nuts, chocolates, chewing gum, bubble gum, pastillage, and other confections that are made primarily of sugar. In some cases, chocolate confections (confections made of chocolate) are treated as a separate category, as are sugar-free versions of ...
          Read more