About
A policy applies a set of rules to traffic flowing between zones.
The policy affects traffic in a stateful, unidirectional manner: it matches connections initiated from
- an ingress zone: zoneA
- to an egress zone: zoneB.
Because matching is stateful, reply packets of a connection the policy allowed are passed back by connection tracking; no second policy in the reverse direction is needed for them.
How to set a policy to zones
A policy's relationship to zones is defined by assigning:
- a set of ingress zones
- and a set of egress zones.
For example, if:
- the set of ingress zones contains the “public” zone
- the set of egress zones contains the “internal” zone
- then the policy applies to all traffic flowing from the “public” zone to the “internal” zone.
- Since policies are unidirectional, it will not apply to traffic flowing from “internal” to “public”; that direction is governed by the zone configuration or by a separate policy.
- The ingress set and the egress set can each contain multiple zones; the policy then applies to every ingress/egress pair.
Configuration File
Firewalld policy XML configuration files are located at:
/usr/lib/firewalld/policies/<policy>.xml # default and fallback configuration shipped with the package; do not edit
/etc/firewalld/policies/<policy>.xml # user configuration; a file here overrides the one of the same name in /usr/lib/firewalld/policies
The policy name is the file name without the .xml extension. The files contain the
- descriptions (short, description),
- target and priority,
- ingress and egress zones,
- services, ports, protocols,
- icmp-blocks,
- masquerade, forward-ports and rich language rules.
For the full format, see the man page firewalld.policy(5). The skeleton is:
<?xml version="1.0" encoding="utf-8"?>
<policy [version="versionstring"] [target="CONTINUE|ACCEPT|REJECT|DROP"] [priority="priority"]>
[ <ingress-zone name="zone"/> ]
[ <egress-zone name="zone"/> ]
....
</policy>
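The zone relationship described under "How to set a policy to zones" and the XML file format above, as an added Python example (it is not part of this page or of firewalld itself): it renders the public -> internal policy from the example above as policy XML, writes it to a temporary staging directory instead of /etc/firewalld/policies, parses it back, and evaluates the unidirectional match. The Policy class, policy_applies(), round_trip() and the staging directory are this example's own constructs; the element and attribute names follow the skeleton above.

```python
"""Build, store, parse and evaluate a firewalld policy definition (added example)."""
import tempfile
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from pathlib import Path

# Targets accepted by the <policy> element (see the skeleton above).
VALID_TARGETS = ("CONTINUE", "ACCEPT", "REJECT", "DROP")


@dataclass
class Policy:
    """Zone relationship of one policy; the name is the file stem (example-only class)."""
    name: str
    ingress: set = field(default_factory=set)
    egress: set = field(default_factory=set)
    target: str = "CONTINUE"   # firewalld's default target for a new policy
    priority: int = -1         # firewalld's default priority
    short: str = ""

    def is_active(self) -> bool:
        """A policy only affects traffic once it has both an ingress and an egress zone."""
        return bool(self.ingress) and bool(self.egress)

    def to_xml(self) -> str:
        """Render the policy in firewalld policy XML (zone-related elements only)."""
        if self.target not in VALID_TARGETS:
            raise ValueError(f"invalid target {self.target!r}, expected one of {VALID_TARGETS}")
        root = ET.Element("policy", target=self.target, priority=str(self.priority))
        if self.short:
            ET.SubElement(root, "short").text = self.short
        for zone in sorted(self.ingress):
            ET.SubElement(root, "ingress-zone", name=zone)
        for zone in sorted(self.egress):
            ET.SubElement(root, "egress-zone", name=zone)
        return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"


def parse_policy(xml_text: str, name: str = "") -> Policy:
    """Parse policy XML back into a Policy, rejecting unknown targets."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError(f"not a firewalld policy file: root element is <{root.tag}>")
    target = root.get("target", "CONTINUE")
    if target not in VALID_TARGETS:
        raise ValueError(f"invalid target {target!r} in policy {name!r}")
    return Policy(
        name=name,
        ingress={e.get("name") for e in root.findall("ingress-zone")},
        egress={e.get("name") for e in root.findall("egress-zone")},
        target=target,
        priority=int(root.get("priority", "-1")),
        short=root.findtext("short") or "",
    )


def write_policy(policy: Policy, policies_dir: Path) -> Path:
    """Write <policies_dir>/<name>.xml; point policies_dir at /etc/firewalld/policies for real use."""
    path = policies_dir / f"{policy.name}.xml"
    path.write_text(policy.to_xml(), encoding="utf-8")
    return path


def load_policy(path: Path) -> Policy:
    """Load a policy file; the policy name is the file name without .xml."""
    return parse_policy(path.read_text(encoding="utf-8"), name=path.stem)


def policy_applies(policy: Policy, from_zone: str, to_zone: str) -> bool:
    """Unidirectional match: a connection entering from an ingress zone and leaving
    towards an egress zone. The reverse direction is deliberately not matched."""
    return policy.is_active() and from_zone in policy.ingress and to_zone in policy.egress


# Constructed example: the public -> internal policy described in the text.
EXAMPLE = Policy(
    name="public-to-internal",
    ingress={"public"},
    egress={"internal"},
    target="ACCEPT",
    short="Allow hosts in the public zone to reach the internal zone",
)


def round_trip(policy: Policy) -> Policy:
    """Write the policy to a temporary staging directory and read it back."""
    with tempfile.TemporaryDirectory() as tmp:
        return load_policy(write_policy(policy, Path(tmp)))


if __name__ == "__main__":
    loaded = round_trip(EXAMPLE)
    print(loaded.to_xml())
    print("public -> internal:", policy_applies(loaded, "public", "internal"))
    print("internal -> public:", policy_applies(loaded, "internal", "public"))
```

The round trip through a staging directory is deliberate: a policy file dropped into /etc/firewalld/policies is only picked up after firewall-cmd --reload, so validating the XML before copying it there avoids a reload failure that leaves the runtime configuration unchanged while the permanent one is broken.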
Command
Options marked [P only] exist only in the permanent configuration: run them with --permanent, then apply them with firewall-cmd --reload.
firewall-cmd --get-policies # Print predefined policies
firewall-cmd --get-active-policies # Print currently active policies (those with ingress and egress zones assigned)
firewall-cmd --list-all-policies # List everything added for or enabled in all policies
firewall-cmd --new-policy=<policy> # Add a new empty policy [P only]
firewall-cmd --new-policy-from-file=<filename> [--name=<policy>] # Add a new policy from file with optional name override [P only]
firewall-cmd --delete-policy=<policy> # Delete an existing policy [P only]
firewall-cmd --load-policy-defaults=<policy> # Load policy default settings [P only]
firewall-cmd --policy=<policy> # Use this policy to set or query options (combine with further options)
firewall-cmd --info-policy=<policy> # Print information about a policy
firewall-cmd --path-policy=<policy> # Print file path of a policy [P only]