A zone is a grouping of rule configurations known as zone options.
A firewall zone is defined for:
This is a one-to-many relation:
- A connection, interface, or source can be part of only one zone.
- A zone can be used for many network connections, interfaces, and sources.
Zones separate these connections, interfaces, and sources into different levels of trust.
- List the properties of the default zone (firewall-cmd --list-all):
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client mdns ssh
  ports: 8999/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
where you can see:
- interfaces: the network interface names bound to the zone
- sources: the source addresses bound to the zone
- services: the services allowed in the zone
- ports: the ports allowed in the zone
- forward: whether packet forwarding between the zone's interfaces and sources is enabled.
firewall-cmd --add-forward # Enable forwarding of packets between interfaces and sources in a zone
firewall-cmd --remove-forward # Disable forwarding of packets between interfaces and sources in a zone
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
The standard output when listing all zones is:
block dmz drop external home internal public trusted work
From least trusted to most trusted, the predefined zones are:
- drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
- block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
- public (default): Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
- external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
- internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
- dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
- work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
- home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
- trusted: Trust all of the machines in the network.
Assign to connections, interfaces, and source addresses
It is possible to assign (or bind) zones to connections, interfaces, and source addresses.
To configure or add zones, you can use any of the following firewalld configuration interfaces:
- Graphical configuration tool firewall-config
- Command line tool firewall-cmd
- Programmatic D-BUS interface.
- Edit configuration files. Create, copy, or edit a zone file in one of the configuration directories:
- /etc/firewalld/zones for user created and customized configuration files.
- /usr/lib/firewalld/zones for default and fallback configurations only.
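As an added example (not code from firewalld or from the original page), the following script parses a zone file in the XML format shown above and flags settings that widen the zone's exposure beyond its stated trust level, which is a useful check before copying a customized file into /etc/firewalld/zones. The sample zone is constructed for this example; the element and attribute names (target, interface, source, port, forward, masquerade) are the ones firewalld's zone files use.

```python
"""Audit a firewalld zone XML file for settings a reviewer should look at."""
import xml.etree.ElementTree as ET

# Constructed sample in the same format as the public zone file shown above,
# extended with the elements firewalld uses for target, interfaces and ports.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Public</short>
  <description>For use in public areas.</description>
  <interface name="eth0"/>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port port="8999" protocol="udp"/>
  <forward/>
</zone>
"""

def parse_zone(xml_text):
    """Return the zone's properties as a dict, mirroring --list-all output."""
    root = ET.fromstring(xml_text)
    return {
        "short": root.findtext("short", default=""),
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "sources": [e.get("address") for e in root.findall("source")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [f"{e.get('port')}/{e.get('protocol')}" for e in root.findall("port")],
        "forward": root.find("forward") is not None,
        "masquerade": root.find("masquerade") is not None,
    }

def audit_zone(zone):
    """Flag settings that widen exposure beyond the zone's stated trust level."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT admits all traffic not matched by another rule")
    if zone["forward"] and zone["target"] == "ACCEPT":
        findings.append("forwarding between the zone's interfaces with an ACCEPT target")
    if zone["masquerade"] and zone["short"].lower() != "external":
        findings.append("masquerade enabled on a zone other than external")
    if zone["short"].lower() == "public" and zone["ports"]:
        findings.append("public zone opens extra ports: " + ", ".join(zone["ports"]))
    return findings

if __name__ == "__main__":
    for finding in audit_zone(parse_zone(SAMPLE_ZONE_XML)):
        print("WARNING:", finding)
```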
- List the properties of a specified zone
firewall-cmd --zone=public --list-all
- List all zones: firewall-cmd --get-zones
To be active, a zone must be assigned to a network interface (see Zone and Network Interface below).
The default zone is the zone used in every command if the zone is not specified.
- Get the default zone (public by default): firewall-cmd --get-default-zone
- Set the default zone: sudo firewall-cmd --set-default-zone=public
On the file system, it is defined in the firewalld service configuration file.
Zone and Network Interface
- Set a zone to a network interface
firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload
systemctl reload firewalld
The zone is then listed as active (firewall-cmd --get-active-zones):
public
  interfaces: eth0
How to set a target
firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>
where ACCEPT, REJECT and DROP are the actions applied to traffic that matches no other rule in the zone.