Firewalld - Zone

About

A zone is a grouping of rule configurations known as zone option.

A firewall zone is defined for:

a connection,
an interface
or source address binding (range of source addresses)

This is a one-to-many relation:

A connection, interface, or source can only be part of one zone
A zone can be used for many network connections, interfaces, and sources.

It separates them into different levels of trust.

Options

¹⁾

Options Values

List the default zone properties

firewall-cmd --list-all

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client mdns ssh
  ports: 8999/udp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

where you can see:

target defines the firewall action for incoming packets.
interface is the network interface name
source are sources
services are the services
ports are the ports
forward is packets forwarding.

firewall-cmd --add-forward       # Enable forwarding of packets between interfaces and sources in a zone
firewall-cmd --remove-forward    # Disable forwarding of packets between interfaces and sources in a zone

masquerade - optional (not usable for IPv6), if present masquerading (a form of address translation) is enabled for the zone.
forward-ports is forward ports. It can be used several times to have more than one port or packet forward entry. (IPv4 only, rich language rules should be used for IPv6)
rich rules are the rich rules

Options Storage

The predefined zones are stored in the /usr/lib/firewalld/zones/ directory and can be instantly applied to any available network interface. These files are copied to the /etc/firewalld/zones/ directory only after they are modified.

Example:

cat /usr/lib/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

Command

List

firewall-cmd --get-zones

Predefined zones

The standard output is:

block dmz drop external home internal public trusted work

The are predefined zones ²⁾

From least trusted to most trusted, the predefined zones are:

drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public (default): Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network.

Assign to connections, interfaces, and source addresses

It is possible to assign (or bind) zones to ³⁾:

connections - see connections-interfaces-and-sources,
interfaces - see bind interface to zone)),
and source addresses.

Creation

To configure or add zones ⁴⁾, you can use any of the following firewalld configuration interfaces:

Graphical configuration tool firewall-config
Command line tool firewall-cmd
Programmatic D-BUS interface.
Edit configuration files ⁵⁾. Create, copy, or edit a zone file in one of the configuration directories:
- /etc/firewalld/zones for user created and customized configuration files.
- /usr/lib/firewalld/zones for default and fallback configurations only.

List properties

List the properties of a specified zone

firewall-cmd --zone=public --list-all

List all zones

firewall-cmd --list-all-zones

Active

To be active a zone should be assigned to an zone_and_network_interface.

firewall-cmd --get-active-zones

Default Zone

The default zone is the zone used in every command if the zone is not specified.

Get (By default public)

firewall-cmd --get-default-zone

sudo firewall-cmd --set-default-zone=public

On the file system, it is defined in the service configuration file

DefaultZone=public

Zone and Network Interface

Set a zone to a network interface

firewall-cmd --permanent --zone=public --change-interface=interfaceName
# example
firewall-cmd --permanent --zone=public --change-interface=eth0
# reload
systemctl reload firewalld

List

firewall-cmd --get-active-zones

public
  interfaces: eth0

How to set a target

firewall-cmd --zone=zone-name --permanent --set-target=<default|ACCEPT|REJECT|DROP>

where: accept, reject and drop are actions

¹⁾

https://firewalld.org/documentation/zone/options.html

²⁾

Doc, predefined-zones

³⁾

https://firewalld.org/documentation/zone/connections-interfaces-and-sources.html

⁴⁾

https://firewalld.org/documentation/zone/use-of-zones.html

⁵⁾

FIREWALLD.ZONE%285%29