Firewalld - Policy

About

A policy 1) applies a set of rules to traffic flowing between zones.

The policy affects traffic in a stateful unidirectional manner, e.g. from:

How to set a policy to zones

A policy's relationship to zones is defined by assigning:

For example, if:

Configuration File

Firewalld policy xml configuration files are located at: 2)

/usr/lib/firewalld/policies/policy.xml # default configuration shipped with firewalld (fallback)
/etc/firewalld/policies/policy.xml     # system-specific (administrator) configuration; overrides the default of the same name

They contain the

For the format, see the man page.

<?xml version="1.0" encoding="utf-8"?>
<policy [version="versionstring"] [target="CONTINUE|ACCEPT|REJECT|DROP"] [priority="priority"]>
    [ <ingress-zone name="zone"/> ]
    [ <egress-zone name="zone"/> ]
....
</policy>

Command

firewall-cmd --get-policies # Print predefined policies
firewall-cmd --get-active-policies # Print currently active policies
firewall-cmd --list-all-policies # List everything added for or enabled in all policies
firewall-cmd --new-policy=<policy> # Add a new empty policy
firewall-cmd --new-policy-from-file=<filename> [--name=<policy>] # Add a new policy from file with optional name override [--permanent only]
firewall-cmd --delete-policy=<policy> # Delete an existing policy
firewall-cmd --load-policy-defaults=<policy> # Load policy default settings
firewall-cmd --policy=<policy> # Use this policy to set or query options
firewall-cmd --info-policy=<policy> # Print information about a policy
firewall-cmd --path-policy=<policy> # Print file path of a policy
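The configuration file skeleton and the command list above are the two ways a policy gets defined; the following Python helper ties them together. It is an added example written for this page, not code from the page or from the firewalld project: it builds a policy in the firewalld.policy(5) XML shape shown above, re-parses it, sanity-checks the zone bindings and target, and emits the equivalent firewall-cmd sequence. The zone names (dmz, internal) and policy name are constructed for illustration; the --add-ingress-zone, --add-egress-zone, --set-target, --set-priority and --add-service options come from firewall-cmd(1) and are not listed on this page. Nothing here talks to a running firewalld.

```python
"""Build, validate and describe a firewalld policy (added example)."""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path
from typing import List

TARGETS = {"CONTINUE", "ACCEPT", "REJECT", "DROP"}
SYMBOLIC = {"ANY", "HOST"}  # special zone names understood only by policies


@dataclass
class Policy:
    name: str
    ingress: List[str]
    egress: List[str]
    target: str = "CONTINUE"
    priority: int = -1  # firewalld default; lower values are applied earlier
    services: List[str] = field(default_factory=list)


def validate(p: Policy) -> List[str]:
    """Return a list of problems; an empty list means the policy is sane."""
    problems = []
    if p.target not in TARGETS:
        problems.append(f"target {p.target!r} is not one of {sorted(TARGETS)}")
    if p.priority == 0:
        problems.append("priority 0 is reserved for zone rules; use a non-zero integer")
    for side, zones in (("ingress", p.ingress), ("egress", p.egress)):
        if not zones:
            problems.append(f"no {side} zone: the policy would never match any traffic")
        for z in zones:
            if z in SYMBOLIC and len(zones) > 1:
                problems.append(f"{z} must be the only {side} zone")
    if "HOST" in p.ingress and "HOST" in p.egress:
        problems.append("HOST cannot be both the ingress and the egress zone")
    if p.target == "ACCEPT" and set(p.ingress) == {"ANY"} == set(p.egress):
        problems.append("ANY->ANY with target ACCEPT is a permissive catch-all; review before loading")
    return problems


def to_xml(p: Policy) -> str:
    """Serialize in the <policy> ... </policy> layout from firewalld.policy(5)."""
    root = ET.Element("policy", target=p.target, priority=str(p.priority))
    for z in p.ingress:
        ET.SubElement(root, "ingress-zone", name=z)
    for z in p.egress:
        ET.SubElement(root, "egress-zone", name=z)
    for s in p.services:
        ET.SubElement(root, "service", name=s)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def from_xml(name: str, text: str) -> Policy:
    """Parse a policy file back; the policy name is the file name, not an attribute."""
    root = ET.fromstring(text)
    if root.tag != "policy":
        raise ValueError(f"expected <policy> root, got <{root.tag}>")
    return Policy(
        name=name,
        ingress=[e.get("name") for e in root.findall("ingress-zone")],
        egress=[e.get("name") for e in root.findall("egress-zone")],
        target=root.get("target", "CONTINUE"),
        priority=int(root.get("priority", "-1")),
        services=[e.get("name") for e in root.findall("service")],
    )


def write_policy(p: Policy, directory: Path) -> Path:
    """Write <name>.xml into directory (the real location is /etc/firewalld/policies)."""
    path = Path(directory) / f"{p.name}.xml"
    path.write_text(to_xml(p), encoding="utf-8")
    return path


def to_firewall_cmd(p: Policy) -> List[str]:
    """The same policy expressed as firewall-cmd steps (strings only, not executed)."""
    pre = f"firewall-cmd --permanent --policy={p.name}"
    cmds = [f"firewall-cmd --permanent --new-policy={p.name}"]  # --new-policy needs --permanent
    cmds += [f"{pre} --add-ingress-zone={z}" for z in p.ingress]
    cmds += [f"{pre} --add-egress-zone={z}" for z in p.egress]
    cmds.append(f"{pre} --set-target={p.target}")
    cmds.append(f"{pre} --set-priority={p.priority}")
    cmds += [f"{pre} --add-service={s}" for s in p.services]
    cmds.append("firewall-cmd --reload")  # make the permanent change active
    return cmds


if __name__ == "__main__":
    # Constructed example: only SSH may flow from the dmz zone into the internal zone.
    demo = Policy("dmz-to-internal", ["dmz"], ["internal"], target="REJECT",
                  priority=-10, services=["ssh"])
    print("problems:", validate(demo) or "none")
    with tempfile.TemporaryDirectory() as d:
        path = write_policy(demo, Path(d))
        print(path.read_text())
        assert from_xml(demo.name, path.read_text()) == demo
    print("\n".join(to_firewall_cmd(demo)))
```

The target REJECT in the demo means everything from dmz to internal that is not explicitly allowed (here, only ssh) is rejected, which is the restrictive default a practitioner usually wants between those two zones; validate() flags the opposite case, an ANY-to-ANY ACCEPT policy, because it silently opens all forwarding.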