
I have a web server and sshd services running and listening for connections on their ports. What I want to achieve is that when I change my zone from public to something that prohibits ports 22 or 443, my current connections will expire. Right now, after prohibiting those ports and reloading firewalld, connections are still alive.

I think this can be achieved by adding a direct rule, but I don't know what the rule should look like or how to put it on top.

1 Answer


From firewalld manpage:

--reload

Reload firewall rules and keep state information. [...]

--complete-reload

Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. [...]

So doing firewall-cmd --complete-reload would be a heavy method that does the trick. Actually it should not terminate established TCP connections which are still allowed in the new ruleset, thanks to net.netfilter.nf_conntrack_tcp_loose = 1 (they should go back through NEW->ESTABLISHED without connectivity loss).

But rather than this, it's easier to simply delete Netfilter's conntrack state with the dedicated tool: conntrack (requires installing a package usually named conntrack or conntrack-tools).

conntrack -F

or doing it selectively (additional options like address ranges can make it more selective):

conntrack -D -p tcp --dport 443; conntrack -D -p tcp --dport 22
A.B
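The selective variant of the answer, scripted: the following is an added example and is not code from the answer or from firewalld. It captures the TCP ports allowed in the old zone, runs the zone change, captures the ports allowed in the new zone, and issues `conntrack -D -p tcp --dport N` only for the ports that were removed, so connections the new ruleset still permits are left alone. It assumes the `firewall-cmd --list-ports`, `--list-services` and `--info-service` output formats of current firewalld releases; the function names (`tcp_ports_from_list`, `allowed_tcp_ports`, `removed_ports`, `flush_conntrack_for_ports`, `sync_conntrack_across_zones`) and the `CONNTRACK_DRY_RUN` variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original answer. Drops conntrack entries only
# for the TCP ports that a firewalld zone change took away, instead of flushing
# the whole table with `conntrack -F`. Run as root; set CONNTRACK_DRY_RUN=1 to
# print the conntrack commands instead of executing them.
# Assumption: firewalld output formats as in current releases, e.g.
#   firewall-cmd --list-ports           -> "8080/tcp 8443/tcp"
#   firewall-cmd --list-services        -> "ssh https"
#   firewall-cmd --info-service=ssh     -> "ssh\n  ports: 22/tcp\n  ..."
# All helper names below are this example's own.

# tcp_ports_from_list "80/tcp 443/tcp 53/udp" -> prints 80 and 443, one per line.
tcp_ports_from_list() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's|^\([0-9][0-9]*\)/tcp$|\1|p'
}

# allowed_tcp_ports ZONE: explicit ports of the zone plus the ports of each
# enabled service (ssh -> 22/tcp, https -> 443/tcp, ...), one per line.
allowed_tcp_ports() {
    zone=$1
    tcp_ports_from_list "$(firewall-cmd --zone="$zone" --list-ports)"
    for svc in $(firewall-cmd --zone="$zone" --list-services); do
        tcp_ports_from_list "$(firewall-cmd --info-service="$svc" | sed -n 's/^ *ports: //p')"
    done
}

# removed_ports "22 80 443" "80" -> prints 22 and 443 (in BEFORE, not in AFTER).
removed_ports() {
    for p in $1; do
        found=0
        for q in $2; do
            if [ "$p" = "$q" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then printf '%s\n' "$p"; fi
    done
}

# Delete conntrack entries whose original-direction destination port is in
# the list, i.e. the inbound connections to a server port that is now closed.
# Entries that stay allowed are not touched, unlike `conntrack -F`.
flush_conntrack_for_ports() {
    for p in $1; do
        if [ "${CONNTRACK_DRY_RUN:-0}" = "1" ]; then
            printf 'conntrack -D -p tcp --dport %s\n' "$p"
        else
            conntrack -D -p tcp --dport "$p" || true
        fi
    done
}

# sync_conntrack_across_zones OLD_ZONE NEW_ZONE CMD...
# Runs CMD (the actual zone change) and then kills the connections that
# OLD_ZONE allowed but NEW_ZONE does not, e.g.:
#   sync_conntrack_across_zones public drop \
#       firewall-cmd --zone=drop --change-interface=eth0
sync_conntrack_across_zones() {
    old_zone=$1; new_zone=$2; shift 2
    before=$(allowed_tcp_ports "$old_zone")
    "$@"
    after=$(allowed_tcp_ports "$new_zone")
    flush_conntrack_for_ports "$(removed_ports "$before" "$after")"
}
```

Note that `--dport` matches the destination port of the original direction only, so this kills inbound connections to the server port (the case in the question) but not outbound connections whose remote port happens to be 22 or 443. Connections that the new zone still permits are never deleted; the comparison is purely between the two zones' allowed TCP ports, and UDP or rich-rule entries are out of scope for this example.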