5.8. Using Zones to Manage Incoming Traffic Depending on Source

You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.

If you add a source to a zone, the zone becomes active and any incoming traffic from that source will be directed through it. You can specify different settings for each zone, which is applied to the traffic from the given sources accordingly. You can use more zones even if you only have one network interface.

5.8.1. Adding a Source

To route incoming traffic into a specific source, add the source to that zone. The source can be an IP address or an IP mask in the Classless Inter-domain Routing (CIDR) notation.

To set the source in the current zone:
```
~]# firewall-cmd --add-source=<source>
```

To set the source IP address for a specific zone:

~]# firewall-cmd --zone=zone-name --add-source=<source>

The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:

List all available zones:
```
~]# firewall-cmd --get-zones
```
Add the source IP to the trusted zone in the permanent mode:
```
~]# firewall-cmd --zone=trusted --add-source=192.168.2.15
```
Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

5.8.2. Removing a Source

Removing a source from the zone cuts off the traffic coming from it.

List allowed sources for the required zone:

~]# firewall-cmd --zone=zone-name --list-sources

Remove the source from the zone permanently:

~]# firewall-cmd --zone=zone-name --remove-source=<source>

Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

5.8.3. Adding a Source Port

To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.

To add a source port:

~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.4. Removing a Source Port

By removing a source port you disable sorting the traffic based on a port of origin.

To remove a source port:

~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

To allow traffic from a specific network to use a service on a machine, use zones and source.

For example, to allow traffic from 192.168.1.0/24 to be able to reach the HTTP service while any other traffic is blocked:

List all available zones:

~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Add the source to the trusted zone to route the traffic originating from the source through the zone:
```
~]# firewall-cmd --zone=trusted --add-source=192.168.1.0/24
```

Add the http service in the trusted zone:

~]# firewall-cmd --zone=trusted -add-service=http

Make the new settings persistent:
```
~]# firewall-cmd --runtime-to-permanent
```

Check that the trusted zone is active and that the service is allowed in it:

~]# firewall-cmd --zone=trusted --list-all
trusted (active)
target: ACCEPT
sources: 192.168.1.0/24
services: http

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.

Adding a Protocol to a Zone

By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.

To add a protocol to a zone:

~]# firewall-cmd --zone=zone-name --add-protocol=port-name/tcp|udp|sctp|dccp|igmp

Note

To receive multicast traffic, use the igmp value with the --add-protocol option.

Removing a Protocol from a Zone

By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.

To remove a protocol from a zone:

~]# firewall-cmd --zone=zone-name --remove-protocol=port-name/tcp|udp|sctp|dccp|igmp

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Red Hat Training

5.8. Using Zones to Manage Incoming Traffic Depending on Source

5.8.1. Adding a Source

5.8.2. Removing a Source

5.8.3. Adding a Source Port

5.8.4. Removing a Source Port

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

Adding a Protocol to a Zone

Removing a Protocol from a Zone

Where did the comment section go?