Firewalld - Zone


A zone is a grouping of rule configurations known as zone option.

A firewall zone is defined for:

This is a one-to-many relation:

  • A connection, interface, or source can only be part of one zone
  • A zone can be used for many network connections, interfaces, and sources.

It separates them into different levels of trust.



Options Values

firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: dhcpv6-client mdns ssh
  ports: 8999/udp
  forward: yes
  masquerade: no
  rich rules:

where you can see:

firewall-cmd --add-forward       # Enable forwarding of packets between interfaces and sources in a zone
firewall-cmd --remove-forward    # Disable forwarding of packets between interfaces and sources in a zone
  • masquerade - optional (not usable for IPv6), if present masquerading (a form of address translation) is enabled for the zone.
  • forward-ports is forward ports. It can be used several times to have more than one port or packet forward entry. (IPv4 only, rich language rules should be used for IPv6)
  • rich rules are the rich rules

Options Storage

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.


cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>



firewall-cmd --get-zones

Predefined zones

The standard output is:

block dmz drop external home internal public trusted work

The are predefined zones 2)

From least trusted to most trusted, the predefined zones are:

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network.

Assign to connections, interfaces, and source addresses

It is possible to assign (or bind) zones to 3):


To configure or add zones 4), you can use any of the following firewalld configuration interfaces:

  • Graphical configuration tool firewall-config
  • Command line tool firewall-cmd
  • Programmatic D-BUS interface.
  • Edit configuration files 5). Create, copy, or edit a zone file in one of the configuration directories:
    • /etc/firewalld/zones for user created and customized configuration files.
    • /usr/lib/firewalld/zones for default and fallback configurations only.

List properties

  • List the properties of a specified zone
firewall-cmd --zone=public --list-all
  • List all zones
firewall-cmd --list-all-zones


To be active a zone should be assigned to an zone_and_network_interface.

firewall-cmd --get-active-zones

Default Zone

The default zone is the zone used in every command if the zone is not specified.

  • Get (By default public)
firewall-cmd --get-default-zone
  • Set
sudo firewall-cmd --set-default-zone=public

On the file system, it is defined in the service configuration file


Zone and Network Interface

  • Set a zone to a network interface
firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload
systemctl reload firewalld
  • List
firewall-cmd --get-active-zones
  interfaces: eth0

How to set a target

firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>

where: accept, reject and drop are actions

Discover More

Cheatsheet on the usage of Firewalld
Firewalld - Network Interface

This page is networks interface configuration in firewalld. An interface may be assigned / bind to zero or one zone. Example: List interfaces that are bound to a zone Example: By default,...
Firewalld - Policy

A policy applies a set of rules to traffic flowing between zones. The policy affects traffic in a stateful unidirectional manner, e.g. from: an ingress zone: zoneA to an egress zone: zoneB. ...
Firewalld - Target (Rich Rule Action)

A target is the action taken if the configuration options match a IP packet. It's used: as the last word in a rich rule as the default action in a zone. It's a iptables concept. Name Rejection...
How to forward to a port / address (Redirect) with firewalld?

This page shows you how to forward your traffic based on a port with the forward-port rule. In a zone option, you can add directly port forwarding directly without using a rich rule. Other commands...
How to restrict your firewall by country firewalld (ie iptable)

A step-by-step on how to configure your iptable firewall with firewalld to allow only requests originating from a country

This page is the source definition of traffic in a firewalld zone. The source value can be seen in the zone options Is an optional empty-element tag and can be used several times. It's used to...
What are Firewalld Services?

Services are pre-configured firewall properties for known services. It's a naming functionality where you can use them in place of a port (ie number and protocol, udp-tcp) In the conf directory...

Share this page:
Follow us:
Task Runner