5.8. Using Zones to Manage Incoming Traffic Depending on Source

You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.
If you add a source to a zone, the zone becomes active and any incoming traffic from that source will be directed through it. You can specify different settings for each zone, which is applied to the traffic from the given sources accordingly. You can use more zones even if you only have one network interface.

5.8.1. Adding a Source

To route incoming traffic into a specific source, add the source to that zone. The source can be an IP address or an IP mask in the Classless Inter-domain Routing (CIDR) notation.
  1. To set the source in the current zone:
    ~]# firewall-cmd --add-source=<source>
  2. To set the source IP address for a specific zone:
    ~]# firewall-cmd --zone=zone-name --add-source=<source>
The following procedure allows all incoming traffic from in the trusted zone:
  1. List all available zones:
    ~]# firewall-cmd --get-zones
  2. Add the source IP to the trusted zone in the permanent mode:
    ~]# firewall-cmd --zone=trusted --add-source=
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.2. Removing a Source

Removing a source from the zone cuts off the traffic coming from it.
  1. List allowed sources for the required zone:
    ~]# firewall-cmd --zone=zone-name --list-sources
  2. Remove the source from the zone permanently:
    ~]# firewall-cmd --zone=zone-name --remove-source=<source>
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.3. Adding a Source Port

To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.
To add a source port:
~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.4. Removing a Source Port

By removing a source port you disable sorting the traffic based on a port of origin.
To remove a source port:
~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

To allow traffic from a specific network to use a service on a machine, use zones and source.
For example, to allow traffic from to be able to reach the HTTP service while any other traffic is blocked:
  1. List all available zones:
    ~]# firewall-cmd --get-zones
    block dmz drop external home internal public trusted work
  2. Add the source to the trusted zone to route the traffic originating from the source through the zone:
    ~]# firewall-cmd --zone=trusted --add-source=
  3. Add the http service in the trusted zone:
    ~]# firewall-cmd --zone=trusted -add-service=http 
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
  5. Check that the trusted zone is active and that the service is allowed in it:
    ~]# firewall-cmd --zone=trusted --list-all
    trusted (active)
    target: ACCEPT
    services: http

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.

Adding a Protocol to a Zone

By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.
To add a protocol to a zone:
~]# firewall-cmd --zone=zone-name --add-protocol=port-name/tcp|udp|sctp|dccp|igmp


To receive multicast traffic, use the igmp value with the --add-protocol option.

Removing a Protocol from a Zone

By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.
To remove a protocol from a zone:
~]# firewall-cmd --zone=zone-name --remove-protocol=port-name/tcp|udp|sctp|dccp|igmp