1

Topic: how to limit block outgoing traffic in firewalld

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,
I reviewed the firewalld rules (iptables -L), which seem a little complex. I am new to fail2ban and iptables.
What is the default (iRedMail configuration), and how can I block all outgoing ports except a limited set (25 and 53) in firewalld?

What does OUTPUT_direct mean?

target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:bootpc
OUTPUT_direct  all  --  anywhere             anywhere

2

Re: how to limit block outgoing traffic in firewalld

Check /etc/firewalld/zones/iredmail.xml.

----

Buy me a cup of coffee ($5) to support iRedMail:

buy me a cup of coffee

3 (edited by ired_mania 2021-07-31 20:27:56)

Re: how to limit block outgoing traffic in firewalld

Hi
I found your reply irrelevant. I just want to limit outgoing access from my server to other servers.
In /etc/firewalld/zones/iredmail.xml, services are defined. How can I limit access like this:

sudo iptables -A INPUT  -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.10.10/32,192.168.10.100/32 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT


ZhangHuangbin wrote:

Check /etc/firewalld/zones/iredmail.xml.

4

Re: how to limit block outgoing traffic in firewalld

FYI: https://access.redhat.com/documentation … with_zones


5

Re: how to limit block outgoing traffic in firewalld

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

Hi, do you mean I cannot control outgoing traffic?

6

Re: how to limit block outgoing traffic in firewalld

Would you please help me?

ired_mania wrote:

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

Hi, do you mean I cannot control outgoing traffic?

7

Re: how to limit block outgoing traffic in firewalld

Would you please help me to solve this issue?

8 (edited by Cthulhu 2021-08-22 19:53:14)

Re: how to limit block outgoing traffic in firewalld

Why do you want to limit output at all?
And this is not an iRedMail-related question; it is purely about the firewall.

9 (edited by ired_mania 2021-08-30 19:54:02)

Re: how to limit block outgoing traffic in firewalld

Forget about output traffic, I want to control traffic. E.g.: only certain IPs can have SSH or HTTPS access, or my mail server is prohibited from having SSH access to the other servers in the same subnet. However, I found a blocked IP in the result of the iptables -nL command, which I had blocked in iRedAdmin, so I cannot flush the iptables or firewalld configuration. In addition, fail2ban operation is integrated with firewalld and it is configured by iRedMail. Therefore, I think there are some things that are related to the iRedMail configuration and it cannot be purely firewall knowledge.

Cthulhu wrote:

Why do you want to limit output at all?
And this is not an iRedMail-related question; it is purely about the firewall.

10

Re: how to limit block outgoing traffic in firewalld

Please use firewall to block it.


11

Re: how to limit block outgoing traffic in firewalld

How can I do it with the firewall while they are in the same subnet?

ZhangHuangbin wrote:

Please use firewall to block it.

12

Re: how to limit block outgoing traffic in firewalld

https://access.redhat.com/solutions/396273

13

Re: how to limit block outgoing traffic in firewalld

I really don't see ANY reason to limit throughput to the same subnet.
So you want to block everything outside besides ports 25 and 53?

I don't see any reason to do that. If you want limits you can do so with iRedAPD, which works way better as a per-user/per-domain solution, but blocking outgoing traffic besides ports 25 and 53 will likely render your system inoperable, since you can't even get updates anymore.
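Added example (editor's addition, not code from this thread, from iRedMail or from firewalld's documentation). Post 1 asks what OUTPUT_direct is: it is the chain firewalld creates for its "direct" rules on OUTPUT, so `firewall-cmd --direct --add-rule ipv4 filter OUTPUT ...` is the firewalld way to express the OUTPUT rule from post 3 without flushing anything (the fail2ban and iRedAdmin bans mentioned in post 9 live in other chains and are left untouched). The script below generates such rules. The resolver addresses 192.168.10.10 and 192.168.10.100 are taken from post 3; the allowed-port list, the function names and the DRY_RUN switch are assumptions made for this example. Two rules are there because of the failure modes the thread touches on: an ESTABLISHED,RELATED accept must come first, or an OUTPUT drop silently breaks replies to every inbound service (SSH, IMAP, webmail), and port 443 is allowed so package updates keep working, which is the problem post 13 warns about.

```shell
#!/bin/sh
# Added example (not from the thread or iRedMail): restrict outgoing traffic
# with firewalld direct rules. Direct rules on OUTPUT are the ones firewalld
# places in the OUTPUT_direct chain visible in "iptables -L".
#
# Assumptions (constructed for this example, adjust to your network):
#   DNS_SERVERS  resolvers the host may query (addresses from post 3)
#   ALLOW_TCP    destination TCP ports allowed for NEW outgoing connections
DNS_SERVERS="${DNS_SERVERS:-192.168.10.10 192.168.10.100}"
ALLOW_TCP="${ALLOW_TCP:-25 443}"   # 25 for outbound mail; 443 so updates still work

# Print one "firewall-cmd --permanent --direct --add-rule" line per rule.
# The number after OUTPUT is the priority; lower values run first.
build_output_rules() {
    pfx="firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT"
    # 0: replies to inbound sessions (SSH, IMAP, webmail) must stay allowed,
    #    otherwise the final DROP silently breaks every inbound service.
    echo "$pfx 0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # 1: loopback, used by postfix/dovecot/amavis talking to each other locally
    echo "$pfx 1 -o lo -j ACCEPT"
    # 2: DNS only to the listed resolvers (UDP and TCP, large answers use TCP)
    for ip in $DNS_SERVERS; do
        echo "$pfx 2 -d $ip/32 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
        echo "$pfx 2 -d $ip/32 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 3: new outgoing TCP connections only to the allowed ports
    for port in $ALLOW_TCP; do
        echo "$pfx 3 -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # 9: log (rate limited) then drop everything else, so blocked traffic
    #    shows up in the kernel log instead of failing silently
    echo "$pfx 9 -m limit --limit 5/min -j LOG --log-prefix \"OUTPUT_DROP: \""
    echo "$pfx 9 -j DROP"
}

# Number of generated rules; useful for a quick sanity check before applying.
count_output_rules() {
    build_output_rules | wc -l | tr -d ' '
}

# Apply the rules, then reload so the permanent rules become active.
# With DRY_RUN=1 (the default) the commands are only printed.
apply_output_rules() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        build_output_rules
        return 0
    fi
    build_output_rules | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done || return 1
    firewall-cmd --reload
}

apply_output_rules
```

Run it once as a dry run to read the generated commands, then with `DRY_RUN=0` as root to apply them; afterwards `iptables -nL OUTPUT_direct` shows the rules in the chain the original post asked about, and the LOG rule makes any traffic you forgot to allow visible in the kernel log before you decide whether to widen the list.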

14

Re: how to limit block outgoing traffic in firewalld

Hi,
Does this solution work?
https://forums.centos.org/viewtopic.php … mp;t=78106