Red Hat SummitChapter 22. Configuring zone priorities for traffic classification by using firewalld
With zone priorities, you can control the packet classification order by specifying priorities for ingress and egress traffic. The benefit is that you can specify the traffic classification order in a zone. So, zone A may be considered before zone B regardless of the source address or interfaces. A zone of a lower priority value has higher precedence over a zone with a higher priority value. This classification has a pair of ingress priority value and egress priority value.
22.1. Setting same priority value for both traffic types in a zone
By using the --set-priority option, you can set a common value for both ingress and egress traffic classification without explicit specification.
Prerequisites
Create a new zone:
firewall-cmd --permanent --new-zone=example-zone
# firewall-cmd --permanent --new-zone=example-zoneCopy to Clipboard Copied! Set a common zone priority value for the
example-zonezone with--set-priority:firewall-cmd --permanent --zone example-zone --set-priority -10
# firewall-cmd --permanent --zone example-zone --set-priority -10Copy to Clipboard Copied! By setting a lower value ensures the higher precedence. This ensures that all configured operations for both traffic types in this zone will take precedence over operations from other zones.
Apply permanent configuration to runtime:
firewall-cmd --reload
# firewall-cmd --reloadCopy to Clipboard Copied!
Verification
Display the priority value for both traffic types:
firewall-cmd --permanent --info-zone example-zone
# firewall-cmd --permanent --info-zone example-zone example-zone target: default ingress-priority: -10 egress-priority: -10 ... icmp-block-inversion: no ... services: dhcpv6-client mdns samba-client ssh ... forward: yes masquerade: no ...Copy to Clipboard Copied! This setting ensures that the traffic will be considered for classification into the
example-zonebefore other zones.
22.2. Setting different priority value for each traffic type in a zone
By setting distinct values for ingress and egress traffic, you can set priorities for the traffic classification in a zone.
Procedure
Create a new zone:
firewall-cmd --permanent --new-zone=example-zone
# firewall-cmd --permanent --new-zone=example-zoneCopy to Clipboard Copied! Set a zone priority value for
ingresstraffic in theexample-zonezone with--set-ingress-priority:firewall-cmd --permanent --zone example-zone --set-ingress-priority -10
# firewall-cmd --permanent --zone example-zone --set-ingress-priority -10Copy to Clipboard Copied! Set a zone priority value for
egresstraffic in theexample-zonezone with--set-egress-priority:firewall-cmd --permanent --zone example-zone --set-egress-priority 100
# firewall-cmd --permanent --zone example-zone --set-egress-priority 100Copy to Clipboard Copied! Apply permanent configuration to runtime:
firewall-cmd --reload
# firewall-cmd --reloadCopy to Clipboard Copied!
Verification
Display the priority value for both traffic types:
firewall-cmd --permanent --info-zone example-zone
# firewall-cmd --permanent --info-zone example-zone example-zone (active) target: default ingress-priority: -10 egress-priority: 100 icmp-block-inversion: no interfaces: eth0 ... services: dhcpv6-client mdns samba-client ssh ... forward: yes masquerade: no ...Copy to Clipboard Copied! These values indicate that the
ingresstraffic has priority over theegresstraffic in theexample-zonezone before other zones.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}