5.7. Working with Zones
Zones are the concept firewalld uses to manage incoming traffic more transparently. A zone is bound to one or more network interfaces or to a range of source addresses, and the rules of that zone apply to the traffic arriving through them. You manage the firewall rules of each zone independently, which enables you to define complex firewall settings and apply them selectively to different kinds of traffic.
5.7.1. Listing Zones
To see which zones are available on your system:
~]# firewall-cmd --get-zones
The firewall-cmd --get-zones command lists the names of all zones defined on the system, predefined and custom alike, but it does not show any details for a particular zone.
To see detailed information for all zones:
~]# firewall-cmd --list-all-zones
To see detailed information for a specific zone:
~]# firewall-cmd --zone=zone-name --list-all
5.7.2. Modifying firewalld Settings for a Certain Zone
Section 5.6.3, “Controlling Traffic with Predefined Services using CLI” and Section 5.6.6, “Controlling Ports using CLI” explain how to add services or modify ports in the scope of the current working zone. Sometimes it is necessary to set up rules in a different zone.
To work in a different zone, use the --zone=zone-name option. For example, to allow the SSH service in the zone public:
~]# firewall-cmd --add-service=ssh --zone=public
Without the --permanent option this change affects only the running configuration and is lost on the next reload or restart of firewalld. To keep it, repeat the command with --permanent and reload, or run firewall-cmd --runtime-to-permanent after verifying the runtime change.
5.7.3. Changing the Default Zone
System administrators assign a zone to a network interface in its configuration files. If an interface is not assigned to a specific zone, it is assigned to the default zone. After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.
To set up the default zone:
- Display the current default zone:
~]# firewall-cmd --get-default-zone
- Set the new default zone:
~]# firewall-cmd --set-default-zone zone-name
Note
Following this procedure, the setting is a permanent setting, even without the --permanent option.
5.7.4. Assigning a Network Interface to a Zone
It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them.
To assign the zone to a specific interface:
- List the active zones and the interfaces assigned to them:
~]# firewall-cmd --get-active-zones
- Assign the interface to a different zone:
~]# firewall-cmd --zone=zone-name --change-interface=<interface-name>
Note
You do not have to use the --permanent option to make this setting persistent across restarts: when the interface is managed by NetworkManager, firewalld stores the zone in the interface's connection profile, so the binding survives a reload or reboot. If the interface is not managed by NetworkManager, repeat the command with --permanent, or run firewall-cmd --runtime-to-permanent, to keep the binding. Setting a new default zone (Section 5.7.3, “Changing the Default Zone”) is likewise permanent by itself.
5.7.5. Assigning a Default Zone to a Network Connection
When a connection is managed by NetworkManager, NetworkManager must be aware of the zone that the connection uses. A zone can be specified for every network connection, which makes it possible to apply different firewall settings according to the location of a portable device. Thus, zones and settings can be specified for different locations, such as company or home.
To set a default zone for a network connection, use either the NetworkManager GUI or edit the /etc/sysconfig/network-scripts/ifcfg-connection-name file and add a line that assigns a zone to this connection:
ZONE=zone-name
The same binding can be set from the command line with nmcli connection modify connection-name connection.zone zone-name. If the ZONE value is empty or the line is missing, the connection is placed in the default zone.
5.7.6. Creating a New Zone
To use custom zones, create a new zone and use it just like a predefined zone.
Note
New zones require the --permanent option, otherwise the command does not work.
- Create a new zone:
~]# firewall-cmd --permanent --new-zone=zone-name
- Reload firewalld so that the new zone also appears in the runtime configuration:
~]# firewall-cmd --reload
- Check that the new zone is listed (add --permanent to query the permanent configuration instead of the runtime one):
~]# firewall-cmd --get-zones
- The zone itself is already permanent. If you then add services, ports or interface bindings to it with runtime commands, make those settings persistent as well:
~]# firewall-cmd --runtime-to-permanent
5.7.7. Creating a New Zone using a Configuration File
Zones can also be created using a zone configuration file. This approach can be helpful when you need to create a new zone, but want to reuse the settings from a different zone and only alter them a little.
A firewalld zone configuration file contains the information for a zone: the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules, in XML format. The file name has to be zone-name.xml, where the length of zone-name is currently limited to 17 characters. The zone configuration files are located in the /usr/lib/firewalld/zones/ directory (the zones shipped with the package) and in the /etc/firewalld/zones/ directory (locally created or modified zones). Put your own zone files in /etc/firewalld/zones/: a file there with the same name overrides the one under /usr/lib/firewalld/zones/, and files under /usr/lib/firewalld/zones/ are replaced on package updates.
The following example shows a configuration that allows one service (SSH) and one port range, for both the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>My zone</short>
<description>Here you can describe the characteristic features of the zone.</description>
<service name="ssh"/>
<port port="1025-65535" protocol="tcp"/>
<port port="1025-65535" protocol="udp"/>
</zone>
To change settings for that zone, add or remove elements to add ports, forward ports, services, and so on, then run firewall-cmd --reload so that firewalld reads the file. For more information, see the firewalld.zone(5) manual page.
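When zone files are produced by provisioning scripts rather than by hand, the two things that go wrong are a zone name firewalld rejects and unescaped text in the description. The following POSIX shell helper is an added example, not part of this guide or of firewalld: it writes a file of the shape shown above from a name, a service list and a port list, refuses names longer than the 17 characters the text mentions, and escapes XML metacharacters. The character set it allows in names (letters, digits, "_" and "-") is an assumption chosen to be stricter than firewalld itself, and it writes into a directory you pass in rather than /etc/firewalld/zones/, so it can be tried without touching the firewall.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or from firewalld: generate a
# zone file of the shape shown above and refuse names firewalld would not
# accept. Assumptions (not stated by the guide): the name check allows only
# letters, digits, "_" and "-", stricter than firewalld itself; the
# 17-character limit is the one the text gives.

MAX_ZONE_NAME_LEN=17

# check_zone_name NAME -> 0 if NAME is usable as a zone name, 1 otherwise
check_zone_name() {
    [ -n "$1" ] || return 1
    [ "${#1}" -le "$MAX_ZONE_NAME_LEN" ] || return 1
    case $1 in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# xml_escape TEXT -> TEXT with the five XML metacharacters escaped, so a
# description such as "a & b" can neither break nor inject markup.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# make_zone_file OUTDIR NAME SHORT DESCRIPTION SERVICES PORTS
#   SERVICES: space-separated service names, e.g. "ssh https"
#   PORTS:    space-separated port[-port]/protocol entries,
#             e.g. "1025-65535/tcp 53/udp"
# Writes OUTDIR/NAME.xml and prints its path; returns 1 on bad input.
make_zone_file() {
    outdir=$1 name=$2 short=$3 desc=$4 services=$5 ports=$6
    check_zone_name "$name" || { echo "invalid zone name: $name" >&2; return 1; }
    [ -d "$outdir" ] || { echo "no such directory: $outdir" >&2; return 1; }
    # Validate every port entry before touching the file system.
    for p in $ports; do
        case ${p%/*} in
            ''|*[!0-9-]*) echo "bad port entry: $p (want port[-port]/protocol)" >&2; return 1 ;;
        esac
        case ${p#*/} in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in: $p (want tcp, udp, sctp or dccp)" >&2; return 1 ;;
        esac
    done
    out=$outdir/$name.xml
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for s in $services; do
            printf '  <service name="%s"/>\n' "$s"
        done
        for p in $ports; do
            printf '  <port port="%s" protocol="%s"/>\n' "${p%/*}" "${p#*/}"
        done
        printf '</zone>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# Stand-alone demonstration: write the guide's example zone into a scratch
# directory instead of /etc/firewalld/zones/ and show the result.
demo_dir=$(mktemp -d)
make_zone_file "$demo_dir" myzone "My zone" \
    "Here you can describe the characteristic features of the zone." \
    "ssh" "1025-65535/tcp 1025-65535/udp" >/dev/null
cat "$demo_dir/myzone.xml"
rm -rf "$demo_dir"
```

To use the result, pass /etc/firewalld/zones as OUTDIR (as root), then run firewall-cmd --reload and confirm the zone with firewall-cmd --get-zones. The XML escaping matters because the description and short fields are free text: without it, a stray "<" or "&" from a provisioning variable produces a file firewalld refuses to load, which leaves the zone missing at the next reload.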
5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic
For every zone, you can set a default behavior that handles incoming traffic not matched by any of the zone's specific rules. This behavior is defined by setting the target of the zone. There are four options: default, ACCEPT, REJECT, and DROP. By setting the target to ACCEPT, you accept all incoming packets except those disabled by a specific rule, so the zone's service and port entries no longer restrict anything. If you set the target to REJECT or DROP, you discard all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while no information is sent when packets are dropped. The default target rejects unmatched traffic much like REJECT, with a few built-in exceptions such as ICMP, and firewall-cmd --list-all shows it literally as default.
To set a target for a zone:
- List the information for the specific zone to see the current target:
~]$ firewall-cmd --zone=zone-name --list-all
- Set a new target in the permanent configuration of the zone (the --set-target option works only together with --permanent), then reload to activate it:
~]# firewall-cmd --permanent --zone=zone-name --set-target=<default|ACCEPT|REJECT|DROP>
~]# firewall-cmd --reload
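Because an ACCEPT target overrides every service and port entry in the zone, an active zone with that target is the first thing to look for when reviewing a host. The following shell script is an added example, not part of this guide or of firewalld: it parses the output of firewall-cmd --list-all-zones and reports every active zone whose target is ACCEPT together with the interfaces and sources bound to it. SAMPLE_ZONES is a constructed, trimmed imitation of that output (only the fields the script reads are kept); on a live host, pipe the real command into audit_zone_targets instead. Note that the block zone shows its target as %%REJECT%% in this output, and that a zone bound only to sources is reported as active just like one bound to an interface.

```shell
#!/bin/sh
# Added example, not from the Red Hat guide or from firewalld: find active
# zones whose target is ACCEPT, i.e. interfaces or sources on which every
# inbound packet is allowed regardless of the zone's service/port entries.
#
# SAMPLE_ZONES is a constructed, trimmed imitation of the output of
#   firewall-cmd --list-all-zones
# (only the fields this script reads are kept). On a live host run
#   firewall-cmd --list-all-zones | audit_zone_targets
SAMPLE_ZONES='block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services:

lab
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
'

# audit_zone_targets: read --list-all-zones output on stdin and print one
# line per active zone with target ACCEPT:
#   <zone> ACCEPT interfaces=[...] sources=[...]
# Zones that are not active (nothing bound to them) are skipped, because
# their target never applies to any traffic.
audit_zone_targets() {
    awk '
    function flush() {
        if (zone == "") return
        if (active && target == "ACCEPT")
            printf "%s ACCEPT interfaces=[%s] sources=[%s]\n", zone, ifaces, srcs
    }
    # A zone header is the only line that starts in column 1, for example
    # "public (active)"; every other line is an indented "key: value".
    /^[^ \t]/            { flush(); zone=$1; active=($2=="(active)")
                           target=""; ifaces=""; srcs=""; next }
    /^[ \t]+target:/     { target=$2; next }
    /^[ \t]+interfaces:/ { sub(/^[ \t]+interfaces: */, ""); ifaces=$0; next }
    /^[ \t]+sources:/    { sub(/^[ \t]+sources: */, ""); srcs=$0; next }
    END                  { flush() }
    '
}

# Stand-alone run over the constructed sample; prints:
# trusted ACCEPT interfaces=[eth1] sources=[]
printf '%s\n' "$SAMPLE_ZONES" | audit_zone_targets
```

In the sample, trusted is reported because it is active and has target ACCEPT; lab has the same target but nothing bound to it, so it is skipped; public has target default and is not reported. A finding usually means either that an internal interface was bound to the trusted zone for convenience, or that a custom zone was given --set-target=ACCEPT while its service list was still meant to be enforced.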