A zone is a grouping of rule configurations known as zone options.
A firewall zone is defined for:
This is a one-to-many relation:
It separates them into different levels of trust.
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client mdns ssh
ports: 8999/udp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
where you can see:
firewall-cmd --add-forward # Enable forwarding of packets between interfaces and sources in a zone
firewall-cmd --remove-forward # Disable forwarding of packets between interfaces and sources in a zone
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.
Example:
cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
firewall-cmd --get-zones
The standard output is:
block dmz drop external home internal public trusted work
There are predefined zones.
From least trusted to most trusted, the predefined zones are:
It is possible to assign (or bind) zones to:
To configure or add zones, you can use any of the following firewalld configuration interfaces:
firewall-cmd --zone=public --list-all
firewall-cmd --list-all-zones
To be active, a zone should be assigned to a network interface.
firewall-cmd --get-active-zones
The default zone is the zone used in every command if the zone is not specified.
firewall-cmd --get-default-zone
sudo firewall-cmd --set-default-zone=public
On the file system, it is defined in the service configuration file
DefaultZone=public
firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload
systemctl reload firewalld
firewall-cmd --get-active-zones
public
interfaces: eth0
firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>
where ACCEPT, REJECT and DROP are actions.
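As an added example (not code from the page or from the firewalld project), the script below reads zone files in the XML format shown for public.xml above and reports the zone options a reviewer cares about, including the target set with --set-target. Both XML strings are constructed samples: the first mirrors the predefined public.xml, the second assumes the runtime state listed above was made permanent and the target was changed to ACCEPT.

```python
import xml.etree.ElementTree as ET

# Constructed sample, derived from the predefined public.xml shown above.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""

# Constructed sample: how /etc/firewalld/zones/public.xml could look once the
# runtime state listed above (mdns, 8999/udp, eth0, forward) is made permanent
# and the target is changed with --set-target=ACCEPT.
PUBLIC_MODIFIED_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="mdns"/>
  <port port="8999" protocol="udp"/>
  <interface name="eth0"/>
  <forward/>
</zone>
"""

def parse_zone(xml_text):
    """Read the zone options that matter for a trust review out of a zone file."""
    root = ET.fromstring(xml_text)
    return {
        "short": root.findtext("short"),
        "target": root.get("target", "default"),   # no attribute means the default target
        "services": sorted(s.get("name") for s in root.findall("service")),
        "ports": sorted(f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")),
        "interfaces": sorted(i.get("name") for i in root.findall("interface")),
        "forward": root.find("forward") is not None,
    }

def audit_zone(zone):
    """Findings a reviewer would flag on a zone meant for untrusted networks."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT: traffic matching no rule is accepted")
    if zone["forward"]:
        findings.append("forward: packets are forwarded between the zone's interfaces/sources")
    return findings

def changed_options(base, current):
    """Options that differ from the predefined zone, i.e. what the /etc override adds."""
    return {k: current[k] for k in current if current[k] != base[k]}
```

Pointing parse_zone at the files under /usr/lib/firewalld/zones/ and /etc/firewalld/zones/ gives the same comparison for a real host.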