5.7. Working with Zones
Zones are a way to manage incoming traffic more transparently. A zone is bound to one or more networking interfaces or to a range of source addresses. You manage the firewall rules for each zone independently, which lets you define complex firewall settings and apply them to the traffic that belongs to that zone.
5.7.1. Listing Zones
To see which zones are available on your system:
~]# firewall-cmd --get-zones
The firewall-cmd --get-zones command displays all zones that are available on the system, but it does not show any details for particular zones.
To see detailed information for all zones:
~]# firewall-cmd --list-all-zones
To see detailed information for a specific zone:
~]# firewall-cmd --zone=zone-name --list-all
5.7.2. Modifying firewalld Settings for a Certain Zone
Section 5.6.3, “Controlling Traffic with Predefined Services using CLI” and Section 5.6.6, “Controlling Ports using CLI” explain how to add services or modify ports in the scope of the current working zone. Sometimes it is necessary to set up rules in a different zone.
To work in a different zone, use the --zone=zone-name option. For example, to allow the SSH service in the public zone:
~]# firewall-cmd --add-service=ssh --zone=public
5.7.3. Changing the Default Zone
System administrators assign a zone to a networking interface in its configuration files. If an interface is not assigned to a specific zone, it is assigned to the default zone. After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.
To set up the default zone:
- Display the current default zone:
~]# firewall-cmd --get-default-zone
- Set the new default zone:
~]# firewall-cmd --set-default-zone zone-name
Note
Following this procedure, the setting is a permanent setting, even without the --permanent option.
5.7.4. Assigning a Network Interface to a Zone
It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them.
To assign the zone to a specific interface:
- List the active zones and the interfaces assigned to them:
~]# firewall-cmd --get-active-zones
- Assign the interface to a different zone:
~]# firewall-cmd --zone=zone-name --change-interface=<interface-name>
Note
You do not have to use the --permanent option to make the setting persistent across restarts. If you set a new default zone, the setting becomes permanent.
5.7.5. Assigning a Default Zone to a Network Connection
When the connection is managed by NetworkManager, NetworkManager must know which zone the connection uses. A zone can be specified for every network connection, which gives portable devices the flexibility of different firewall settings depending on the location of the computer. Thus, zones and settings can be specified for different locations, such as company or home.
To set a default zone for an Internet connection, use either the NetworkManager GUI or edit the /etc/sysconfig/network-scripts/ifcfg-connection-name file and add a line that assigns a zone to this connection:
ZONE=zone-name
5.7.6. Creating a New Zone
To use custom zones, create a new zone and use it just like a predefined zone.
Note
New zones require the --permanent option, otherwise the command does not work.
- Create a new zone:
~]# firewall-cmd --permanent --new-zone=zone-name
- Reload the new zone:
~]# firewall-cmd --reload
- Check if the new zone is added to your permanent settings:
~]# firewall-cmd --get-zones
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
5.7.7. Creating a New Zone using a Configuration File
Zones can also be created using a zone configuration file. This approach can be helpful when you need to create a new zone, but want to reuse the settings from a different zone and only alter them a little.
A firewalld zone configuration file contains the information for a zone: the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules, in XML file format. The file name has to be zone-name.xml, where the length of zone-name is currently limited to 17 characters. The zone configuration files are located in the /usr/lib/firewalld/zones/ and /etc/firewalld/zones/ directories.
The following example shows a configuration that allows one service (SSH) and one port range, for both the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>My zone</short>
  <description>Here you can describe the characteristic features of the zone.</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
To change settings for that zone, add or remove sections to add ports, forward ports, services, and so on. For more information, see the firewalld.zone manual pages.
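The following script is an added example, not code from the firewalld project or from the original page; it covers the file-based approach of this section together with the reload step of the previous one. It writes a zone file of the shape shown above after checking the inputs: the zone name must fit the 17-character limit and be safe as a file name, and every port token must be a numeric range with the tcp or udp protocol used in the page's example. The zone directory is passed in explicitly (an assumption made so the script can be tried in a scratch directory; on a real system it would be /etc/firewalld/zones/).

```shell
#!/bin/sh
# Added example, not code from the firewalld project or from the original page.
# Assumptions: the zone directory is given as an argument (normally
# /etc/firewalld/zones/), and ports are "RANGE/PROTO" tokens with PROTO tcp or udp.

# Escape the three characters that would break XML text content.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_zone_file ZONE DIR SHORT DESCRIPTION "svc1 svc2 ..." "1025-65535/tcp ..."
# Prints the path of the file it wrote; returns 1 and writes nothing if any
# argument is invalid.
write_zone_file() {
    zone=$1 dir=$2 short=$3 desc=$4 services=$5 ports=$6

    # The file is named ZONE.xml and zone names are limited to 17 characters.
    if [ ${#zone} -eq 0 ] || [ ${#zone} -gt 17 ]; then
        echo "zone name '$zone' must be 1 to 17 characters" >&2; return 1
    fi
    case $zone in
        *[!A-Za-z0-9_-]*) echo "zone name '$zone' has unsafe characters" >&2; return 1 ;;
    esac
    [ -d "$dir" ] || { echo "zone directory '$dir' does not exist" >&2; return 1; }

    # Validate every service name and port token before writing anything.
    for s in $services; do
        case $s in
            *[!A-Za-z0-9_-]*) echo "bad service name '$s'" >&2; return 1 ;;
        esac
    done
    for p in $ports; do
        range=${p%/*} proto=${p#*/}
        case $range in
            ""|*[!0-9-]*) echo "bad port range in '$p'" >&2; return 1 ;;
        esac
        case $proto in
            tcp|udp) ;;
            *) echo "protocol in '$p' must be tcp or udp" >&2; return 1 ;;
        esac
    done

    out=$dir/$zone.xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for s in $services; do
            printf '  <service name="%s"/>\n' "$s"
        done
        for p in $ports; do
            printf '  <port port="%s" protocol="%s"/>\n' "${p%/*}" "${p#*/}"
        done
        printf '</zone>\n'
    } > "$out"
    echo "$out"
}

# Usage: sh make-zone.sh ZONE DIR SHORT DESCRIPTION SERVICES PORTS
if [ $# -ge 2 ]; then
    write_zone_file "$@" && echo "now run: firewall-cmd --reload"
fi
```

After the file has been written to /etc/firewalld/zones/, the steps of the previous section apply: run firewall-cmd --reload and confirm with firewall-cmd --get-zones that the new zone is listed. The script refuses to write anything when a check fails, so a rejected run leaves no half-written zone file behind for firewalld to pick up on the next reload.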
5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic
For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are four options: default, ACCEPT, REJECT, and DROP. By setting the target to ACCEPT, you accept all incoming packets except those disabled by a specific rule. If you set the target to REJECT or DROP, you disable all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while no information is sent when the packets are dropped.
To set a target for a zone:
- List the information for the specific zone to see the default target:
~]$ firewall-cmd --zone=zone-name --list-all
- Set a new target in the zone:
~]# firewall-cmd --zone=zone-name --set-target=<default|ACCEPT|REJECT|DROP>
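The following script is an added example, not code from the firewalld project or from the original page. It reads the current target out of the firewall-cmd --list-all output (the "target:" line) and changes it only after checking that the requested value is one of the four allowed targets. Two assumptions are made: the FIREWALL_CMD variable lets the script be exercised against a stand-in instead of a live firewalld, and the listing embedded in the script is a constructed sample of --list-all output, not output captured from a real system. Because firewall-cmd(1) lists --set-target among the permanent-only options, the script passes --permanent and then reloads so that the runtime configuration matches.

```shell
#!/bin/sh
# Added example, not code from the firewalld project or from the original page.
# FIREWALL_CMD is an assumption of this example: it points at firewall-cmd by
# default and can be replaced (for instance by "echo") to try the script without
# a running firewalld.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Print the value of the "target:" line from --list-all output read on stdin.
# Prints nothing if the listing has no such line.
target_from_listing() {
    sed -n 's/^[[:space:]]*target:[[:space:]]*//p' | head -n 1
}

# get_zone_target ZONE: current target of ZONE as reported by firewall-cmd.
get_zone_target() {
    "$FIREWALL_CMD" --zone="$1" --list-all | target_from_listing
}

# set_zone_target ZONE TARGET: only default, ACCEPT, REJECT or DROP are accepted.
set_zone_target() {
    zone=$1 target=$2
    case $target in
        default|ACCEPT|REJECT|DROP) ;;
        *) echo "target must be default, ACCEPT, REJECT or DROP (got '$target')" >&2; return 1 ;;
    esac
    # --set-target is a permanent-only option, so reload afterwards to make the
    # runtime configuration match the permanent one.
    "$FIREWALL_CMD" --permanent --zone="$zone" --set-target="$target" || return 1
    "$FIREWALL_CMD" --reload
}

# Constructed sample of "firewall-cmd --zone=public --list-all" output, used
# only to demonstrate the parser; not captured from a real system.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Usage: sh zone-target.sh ZONE TARGET
if [ $# -eq 2 ]; then
    echo "current target of $1: $(get_zone_target "$1")"
    set_zone_target "$1" "$2"
fi
```

Validating the target before calling firewall-cmd keeps a typo such as "drop" from turning into a confusing error from the tool, and reading the current target first records what the zone did before the change, which is the value to restore if the new target turns out to block traffic that was relied upon.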