About
A zone is a named grouping of rule configurations, known as zone options (target, services, ports, masquerading, rich rules, ...).
A firewall zone is bound to:
- a connection,
- an interface,
- or a source address binding (a range of source addresses).
This is a one-to-many relation:
- A connection, interface, or source can be part of only one zone.
- A zone can be used by many network connections, interfaces, and sources.
Zones separate incoming traffic into different levels of trust: the zone that a packet's interface or source address is bound to decides which rules apply to it.
Options
Options Values
- List the default zone properties
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client mdns ssh
ports: 8999/udp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
where:
- target is the default action for incoming packets that match none of the zone's rules (default, ACCEPT, REJECT or DROP).
- interfaces lists the network interfaces bound to the zone.
- sources lists the source addresses or address ranges bound to the zone.
- services lists the allowed services, i.e. named port/protocol sets defined in the firewalld service files.
- ports lists the individually opened ports, as port/protocol.
- forward controls forwarding of packets between the interfaces and sources of the same zone.
firewall-cmd --add-forward # Enable forwarding of packets between interfaces and sources in a zone
firewall-cmd --remove-forward # Disable forwarding of packets between interfaces and sources in a zone
- masquerade - optional (not usable for IPv6): if yes, masquerading (a form of source address translation) is enabled for the zone, so packets forwarded out through the zone's interfaces leave with the outgoing interface's address as their source.
- forward-ports lists the port forwards. The option can be used several times to have more than one port or packet forward entry (IPv4 only; use rich language rules for IPv6).
- rich rules lists the rich language rules, which express what the simpler options cannot (for example a service allowed from a single source address only).
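As an added example (not code from this page or from the firewalld project), the following shell script audits a --list-all listing for settings that widen a zone's exposure: an ACCEPT target, masquerading, forwarding between several bindings, and services or ports beyond an assumed baseline. The baseline (dhcpv6-client and ssh, what the stock public zone allows) and the sample listing are assumptions embedded in the script; it reads the listing from stdin so it runs offline on captured output.

```shell
#!/bin/sh
# Added example, not code from the page or from the firewalld project:
# audit the output of `firewall-cmd --zone=<zone> --list-all` for settings
# that widen exposure. The listing is read from stdin, so on a live host:
#   firewall-cmd --zone=public --list-all | audit_zone

# Constructed sample: the public zone listing shown on this page.
SAMPLE_PUBLIC='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client mdns ssh
  ports: 8999/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Assumed baseline for a public-facing zone: what the stock public.xml allows.
BASELINE_SERVICES="dhcpv6-client ssh"

# get_opt KEY: print the value of the "  KEY: value" line read on stdin.
get_opt() {
    sed -n "s/^[[:space:]]*$1: *//p"
}

# in_list WORD LIST: succeed if WORD is one of the space-separated LIST.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_zone: read a --list-all listing on stdin, print one finding per line,
# return 1 if anything was found and 0 if the zone matches the baseline.
audit_zone() {
    listing=$(cat)
    zone=$(printf '%s\n' "$listing" | sed -n '1s/ .*//p')
    target=$(printf '%s\n' "$listing" | get_opt target)
    masq=$(printf '%s\n' "$listing" | get_opt masquerade)
    fwd=$(printf '%s\n' "$listing" | get_opt forward)
    ifaces=$(printf '%s\n' "$listing" | get_opt interfaces)
    sources=$(printf '%s\n' "$listing" | get_opt sources)
    found=0

    # An ACCEPT target turns the zone into "allow everything not explicitly blocked".
    if [ "$target" = "ACCEPT" ]; then
        echo "$zone: target ACCEPT accepts all unmatched incoming traffic"; found=1
    fi
    if [ "$masq" = "yes" ]; then
        echo "$zone: masquerade enabled (host NATs traffic leaving this zone)"; found=1
    fi
    # Intra-zone forwarding only matters once more than one interface/source is bound.
    set -- $ifaces $sources
    if [ "$fwd" = "yes" ] && [ $# -gt 1 ]; then
        echo "$zone: forward yes between $# bindings ($*)"; found=1
    fi
    for s in $(printf '%s\n' "$listing" | get_opt services); do
        in_list "$s" "$BASELINE_SERVICES" || { echo "$zone: service $s exposed beyond baseline"; found=1; }
    done
    for p in $(printf '%s\n' "$listing" | get_opt ports); do
        echo "$zone: port $p opened explicitly"; found=1
    done
    return $found
}

# Demo on the constructed sample: reports mdns and 8999/udp, exit status 1.
printf '%s\n' "$SAMPLE_PUBLIC" | audit_zone || true
```

The checks are deliberately conservative: forward: yes is only reported when the zone has more than one interface or source bound, because with a single binding there is nothing to forward between.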
Options Storage
The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. A zone file is copied to the /etc/firewalld/zones/ directory only after it is modified (for example by a --permanent firewall-cmd change); a file in /etc/firewalld/zones/ overrides the file with the same name in /usr/lib/firewalld/zones/.
Example:
cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
Command
List
firewall-cmd --get-zones
Predefined zones
The output on a default installation is:
block dmz drop external home internal public trusted work
From least trusted to most trusted, the predefined zones are:
- drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
- block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
- public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
- external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
- internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
- dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
- work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
- home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
- trusted: Trust all of the machines in the network.
Assign to connections, interfaces, and source addresses
It is possible to assign (bind) a zone to:
- connections (a NetworkManager connection carries a zone setting, connection.zone, and the zone is applied to the interface the connection is active on),
- interfaces,
- and source addresses (single addresses or ranges).
Creation
To configure or add zones, you can use any of the following firewalld configuration interfaces:
- Graphical configuration tool firewall-config
- Command line tool firewall-cmd
- Programmatic D-BUS interface.
- Edit configuration files. Create, copy, or edit a zone file in one of the configuration directories:
- /etc/firewalld/zones for user created and customized configuration files.
- /usr/lib/firewalld/zones for default and fallback configurations only.
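Added example of the last route, writing a zone file by hand; this is not code from the page or from the firewalld project. The make_zone function, its argument layout and the zone name mgmt are assumptions. It covers the detail that trips people up in the file format: the REJECT target is spelled %%REJECT%% in the file, and the zone's name comes from the file name (mgmt.xml gives the zone mgmt), not from <short>.

```shell
#!/bin/sh
# Added example, not the page's or firewalld's own code: write a custom zone
# file in the firewalld.zone(5) format shown above, then install it.
#
# make_zone FILE NAME TARGET "SERVICES" "PORTS" "SOURCES"
#   TARGET   : default | ACCEPT | REJECT | DROP  (REJECT is spelled %%REJECT%% in the file)
#   SERVICES : space-separated service names, e.g. "ssh https"
#   PORTS    : space-separated port/protocol entries, e.g. "8443/tcp"
#   SOURCES  : space-separated addresses or CIDR ranges bound to the zone
# Inputs are plain identifiers; no XML escaping is done.
make_zone() {
    file=$1 name=$2 target=$3 services=$4 ports=$5 sources=$6
    case $target in
        default)     attr="" ;;                          # no attribute: built-in behaviour
        REJECT)      attr=' target="%%REJECT%%"' ;;      # the file-format spelling of REJECT
        ACCEPT|DROP) attr=" target=\"$target\"" ;;
        *) echo "make_zone: unknown target '$target'" >&2; return 1 ;;
    esac
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone%s>\n' "$attr"
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>Custom zone %s (target %s). Only listed services and ports are reachable.</description>\n' "$name" "$target"
        for s in $sources;  do printf '  <source address="%s"/>\n' "$s"; done
        for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
        for p in $ports; do
            printf '  <port port="%s" protocol="%s"/>\n' "${p%/*}" "${p#*/}"
        done
        printf '</zone>\n'
    } > "$file"
}

# install_zone FILE NAME: copy into the user directory and load it
# (needs root and a running firewalld; the zone name is taken from the file name).
install_zone() {
    cp "$1" "/etc/firewalld/zones/$2.xml" \
        && firewall-cmd --reload \
        && firewall-cmd --zone="$2" --list-all
}

# Demo: a management zone that drops everything except ssh and one TCP port,
# reachable only from an assumed admin network.
out=${TMPDIR:-/tmp}/mgmt.xml
make_zone "$out" mgmt DROP "ssh" "8443/tcp" "10.0.0.0/24" && cat "$out"
# then, on the target host:  install_zone "$out" mgmt
```

Binding a source range inside the zone file means the zone becomes active as soon as it is loaded, without touching any interface; a zone file with no interface and no source is loaded but stays inactive.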
List properties
- List the properties of a specified zone
firewall-cmd --zone=public --list-all
- List all zones
firewall-cmd --list-all-zones
Active
A zone is active when at least one interface or source address is bound to it; only active zones take part in filtering.
firewall-cmd --get-active-zones
Default Zone
The default zone is the zone used by every command that does not specify --zone, and the zone applied to any interface that is not bound to another zone.
- Get (By default public)
firewall-cmd --get-default-zone
- Set
sudo firewall-cmd --set-default-zone=public
On the file system, it is defined in the firewalld configuration file /etc/firewalld/firewalld.conf:
DefaultZone=public
Zone and Network Interface
- Bind a network interface to a zone (a --permanent change is written to the zone file and takes effect after a reload)
firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload (firewall-cmd --reload does the same)
systemctl reload firewalld
- List
firewall-cmd --get-active-zones
public
interfaces: eth0
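An interface that is bound to no zone silently falls into the default zone, which is easy to miss on a host that gains interfaces over time. As an added example (not from the page or from firewalld), the script below parses --get-active-zones output to find such interfaces. The ACTIVE, IFACES and DEFAULT values are constructed samples, and the ip/awk one-liner in the comment is the assumed way to collect the interface list on a live host; firewall-cmd --get-zone-of-interface answers the same question for a single interface.

```shell
#!/bin/sh
# Added example, not from the page or the firewalld project: list interfaces
# that are not bound to any zone and therefore land in the default zone.
# The inputs below are constructed so the script runs offline; on a live host:
#   ACTIVE=$(firewall-cmd --get-active-zones)
#   IFACES=$(ip -o link show | awk -F': ' '{print $2}' | sed 's/@.*//' | grep -v '^lo$')
#   DEFAULT=$(firewall-cmd --get-default-zone)

ACTIVE='public
  interfaces: eth0
internal
  sources: 10.0.0.0/8
  interfaces: eth1'
IFACES='eth0 eth1 eth2 docker0'
DEFAULT=public

# zone_of_interface IFACE ACTIVE: print the zone IFACE is bound to, or nothing.
# In --get-active-zones output an unindented line is a zone name and the
# indented "interfaces:" line under it lists its bound interfaces.
zone_of_interface() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[^[:space:]]/ { zone = $1; next }
        /^[[:space:]]*interfaces:/ {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# unbound_interfaces IFACES ACTIVE: print, one per line, the interfaces in
# IFACES that no active zone lists.
unbound_interfaces() {
    for i in $1; do
        [ -n "$(zone_of_interface "$i" "$2")" ] || echo "$i"
    done
}

# Demo: eth2 and docker0 are not bound anywhere, so they are filtered by the
# default zone's rules (public here), whether or not that was intended.
for i in $(unbound_interfaces "$IFACES" "$ACTIVE"); do
    echo "$i: no zone binding, traffic is handled by the default zone '$DEFAULT'"
done
```

Run this after adding a NIC, a VLAN or a bridge: if the new interface shows up as unbound, bind it explicitly with --change-interface rather than relying on the default zone being the right one.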
How to set a target
firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>
where ACCEPT, REJECT and DROP are the actions applied to incoming packets that match none of the zone's rules, and default is the built-in behavior used by most predefined zones (unmatched packets are rejected). The target can only be set in the permanent configuration, so run firewall-cmd --reload afterwards for it to take effect.