9

I started out with this:

# First, allow outbound traffic for all allowed inbound traffic
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outbound HTTP, HTTPS, DNS
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p icmp -m icmp --icmp-type=ping -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

# Block all other outbound traffic
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

And this all worked fine for locking down a server from getting to anything but websites and DNS.

But any local services trying to get to other local services via localhost network communication were blocked. Worse still, even with firewalld configured to log dropped packets, outbound drops were not being logged.

John T.
  • 341

1 Answer

7

The answer, which I found by some trial and error because searching for this exact (possibly odd) scenario on Google or elsewhere was fruitless:

# Allow all outbound traffic from localhost to localhost
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -o lo -j ACCEPT

This allows local services to communicate with any other local services (even if the IPs assigned to the target services are something other than 127.0.0.1).

John T.
  • 341
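The complete egress allow-list from the question, with the loopback rule from the answer placed at priority 0 so it is evaluated before the final DROP, as an added example that is not part of the original question or answer. It prints the firewall-cmd commands rather than running them so the ordering can be reviewed before anything is applied. Everything beyond the page's own rules is this example's assumption: the FWCMD override, the pass-through of --permanent, the 443 rule (the question names HTTPS but its rules omit it), and the rate-limited LOG rule, which is added because the question observed that drops from direct rules were not being logged.

```shell
#!/bin/sh
# Added example, not from the original post. Emits, in priority order, the full
# set of firewalld direct rules for an outbound allow-list, with the "-o lo"
# rule from the answer at priority 0 so loopback traffic is matched before the
# final DROP. Commands are printed, not executed; review them, then apply with:
#   sh this_script.sh --print | sh
# Assumptions (not from the page): FWCMD overrides the binary name (useful for
# testing); "--permanent" as the first argument is passed through to every
# command; the LOG rule at priority 2 is this example's addition.

rules_for_outbound_allowlist() {
    fw="${FWCMD:-firewall-cmd}"
    perm="$1"
    base="$fw${perm:+ $perm} --direct --add-rule ipv4 filter OUTPUT"

    # Priority 0: replies for already-permitted connections, and everything
    # leaving via the loopback interface (any address bound to lo, not just
    # 127.0.0.1), which is what the answer found was missing.
    echo "$base 0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$base 0 -o lo -j ACCEPT"

    # Priority 1: the services the question allows (ICMP echo, DNS, HTTP),
    # plus HTTPS on 443, which the question names but its rules left out.
    echo "$base 1 -p icmp -m icmp --icmp-type echo-request -j ACCEPT"
    for proto in tcp udp; do
        echo "$base 1 -p $proto -m $proto --dport 53 -j ACCEPT"
    done
    for port in 80 443; do
        echo "$base 1 -p tcp -m tcp --dport $port -j ACCEPT"
    done

    # Priority 2: log what is about to be dropped, rate-limited so a noisy
    # process cannot flood the journal. Priority 3: drop it.
    echo "$base 2 -m limit --limit 5/min -j LOG --log-prefix \"EGRESS-DROP: \""
    echo "$base 3 -j DROP"
}

# Sanity check on a ruleset read from stdin: the DROP must be the last rule
# and the loopback ACCEPT must carry a lower priority number than the DROP,
# otherwise local services are blocked again. Returns 0 when the order is ok.
ruleset_order_ok() {
    rules="$(cat)"
    last="$(printf '%s\n' "$rules" | tail -n 1)"
    case "$last" in
        *"-j DROP") ;;
        *) return 1 ;;
    esac
    drop_prio="$(printf '%s\n' "$last" | sed 's/.*OUTPUT \([0-9]*\) .*/\1/')"
    lo_prio="$(printf '%s\n' "$rules" | grep -- '-o lo -j ACCEPT' \
        | sed 's/.*OUTPUT \([0-9]*\) .*/\1/' | head -n 1)"
    [ -n "$lo_prio" ] && [ "$lo_prio" -lt "$drop_prio" ]
}

if [ "${1:-}" = "--print" ]; then
    shift
    rules_for_outbound_allowlist "$@"
fi
```

Run it once without --permanent to test the ruleset on the live firewall, then again with --permanent once it behaves, since direct runtime rules disappear on reload. Note that priority numbers, not the order in which the commands are issued, decide the evaluation order within a direct chain, so a rule added later at priority 0 still lands ahead of the existing priority 2 DROP.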