Block outgoing connections on RHEL7/CentOS7 with firewalld?

Solution 1:

I didn't find any option in that nice GUI, but it is possible via the direct interface.

To enable only outgoing port 80:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j DROP

This will add it to permanent rules, not the runtime rules.
You will need to reload permanent rules so they become runtime rules.

firewall-cmd --reload

To display permanent rules:

firewall-cmd --permanent --direct --get-all-rules

To display runtime rules:

firewall-cmd --direct --get-all-rules

Solution 2:

After asking the same question myself, and with some tinkering, I've gathered some nice rules for restricting outgoing traffic to HTTP/HTTPS and DNS queries:

Allow established connections:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -m state --state ESTABLISHED,RELATED -j ACCEPT

Allow HTTP:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 80 -j ACCEPT

Allow HTTPS:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 443 -j ACCEPT

Allow for DNS queries:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport 53 -j ACCEPT
# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p udp --dport 53 -j ACCEPT

Deny everything else:

# firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 -j DROP

It might be a good idea to test first by omitting the '--permanent' argument.

I am by no means an expert, but this seems to work fine for me :)
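An added example, not from either answer above: a small POSIX sh helper that generates the same kind of direct-rule egress allow-list for any set of proto:port pairs (runtime or permanent, with the reload the first answer mentions) and a lint for the `firewall-cmd --direct --get-all-rules` listing that checks the priority ordering the final DROP depends on. The function names and the proto:port list format are my own conventions.

```shell
#!/bin/sh
# Added example (not from either answer above). Builds the same kind of
# firewalld direct-rule egress allow-list for any set of proto:port pairs and
# lints the live rule listing for the priority ordering the final DROP needs.

# Print the firewall-cmd invocations for an allow-list such as
# "tcp:80 tcp:443 tcp:53 udp:53". Pipe the output to sh to apply it.
# Priorities: 0 = reply traffic, 1 = explicit allows, 2 = catch-all DROP,
# so the deny always sorts below every allow (equal priority = unordered).
egress_rules() {
    scope="$1"; shift    # "" = runtime only (for testing), --permanent = persistent
    cmd="firewall-cmd${scope:+ $scope} --direct --add-rule ipv4 filter OUTPUT"
    echo "$cmd 0 -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for pair in "$@"; do
        proto="${pair%%:*}"; port="${pair##*:}"
        case "$proto" in tcp|udp) ;; *) echo "bad entry: $pair" >&2; return 1 ;; esac
        echo "$cmd 1 -p $proto --dport $port -j ACCEPT"
    done
    echo "$cmd 2 -j DROP"
    [ -n "$scope" ] && echo "firewall-cmd --reload"   # permanent rules need a reload to go live
    return 0
}

# Lint `firewall-cmd --direct --get-all-rules` output read on stdin: there must
# be a catch-all "-j DROP" in ipv4 OUTPUT and every ACCEPT there must carry a
# strictly lower priority number, otherwise some allows are unreachable
# (or, at equal priority, ordered unpredictably). Exits 1 on a finding.
check_egress_order() {
    awk 'BEGIN { acc = -1; drop = -1 }
         $1 == "ipv4" && $2 == "filter" && $3 == "OUTPUT" {
             if (NF == 6 && $5 == "-j" && $6 == "DROP") {
                 if (drop < 0 || $4 + 0 < drop) drop = $4 + 0
             } else if ($0 ~ /-j ACCEPT$/ && $4 + 0 > acc) {
                 acc = $4 + 0
             }
         }
         END {
             if (drop < 0) { print "no catch-all DROP in ipv4 OUTPUT: egress is open"; exit 1 }
             if (acc >= drop) { print "ACCEPT at priority " acc " does not sort before DROP at " drop; exit 1 }
         }'
}
```

Both answers and this helper only touch the ipv4 table, so a host with IPv6 connectivity needs the equivalent ipv6 rules as well. Review the printed commands before piping them to sh as root.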