Firewalld - Policy


A policy 1) applies a set of rules to traffic flowing between zones.

The policy affects traffic in a stateful unidirectional manner, e.g. from:

  • an ingress zone: zoneA
  • to an egress zone: zoneB.

How to set a policy to zones

A policy's relationship to zones is defined by assigning:

  • a set of ingress zones
  • and a set of egress zones.

For example, if:

  • the set of ingress zones contains the “public” zone
  • the set of egress zones contains the “internal” zone
  • then the policy will affect all traffic flowing from the “public” zone to the “internal” zone.
  • Since policies are unidirectional, they will not apply to traffic flowing from “internal” to “public”.
  • The ingress set and egress set can contain multiple zones.

Configuration File

Firewalld policy xml configuration files are located at: 2)

/etc/firewalld/policies/policy.xml # system, default
/usr/lib/firewalld/policies/policy.xml # user configuration

They contain the

For the format, see the man page

<?xml version="1.0" encoding="utf-8"?>
<policy [version="versionstring"] [target="CONTINUE|ACCEPT|REJECT|DROP"] [priority="priority"]>
    [ <ingress-zone name="zone"/> ]
    [ <egress-zone name="zone"/> ]


firewall-cmd --get-policies #Print predefined policies
firewall-cmd --get-active-policies # Print currently active policies
firewall-cmd --list-all-policies # List everything added for or enabled in all policies
firewall-cmd --new-policy=<policy> # Add a new empty policy
firewall-cmd --new-policy-from-file=<filename> [--name=<policy>] # Add a new policy from file with optional name override [P only]
firewall-cmd --delete-policy=<policy> # Delete an existing policy
firewall-cmd --load-policy-defaults=<policy> #  Load policy default settings
firewall-cmd --policy=<policy>  # Use this policy to set or query options 
firewall-cmd --info-policy=<policy> # Print information about a policy
firewall-cmd --path-policy=<policy> # Print file path of a policy

Discover More

Cheatsheet on the usage of Firewalld
Firewalld - Masquerade

This page is masquerading, a form of address translation in firewalld Masquerading can be enabled for the zone. If you want to enable masquerading, you should enable it in the zone bound to the external...

Share this page:
Follow us:
Task Runner