Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

5.8. Using Zones to Manage Incoming Traffic Depending on Source

You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.
If you add a source to a zone, the zone becomes active and any incoming traffic from that source will be directed through it. You can specify different settings for each zone, which is applied to the traffic from the given sources accordingly. You can use more zones even if you only have one network interface.

5.8.1. Adding a Source

To route incoming traffic into a specific source, add the source to that zone. The source can be an IP address or an IP mask in the Classless Inter-domain Routing (CIDR) notation.
  1. To set the source in the current zone:
    ~]# firewall-cmd --add-source=<source>
  2. To set the source IP address for a specific zone:
    ~]# firewall-cmd --zone=zone-name --add-source=<source>
The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:
  1. List all available zones:
    ~]# firewall-cmd --get-zones
  2. Add the source IP to the trusted zone in the permanent mode:
    ~]# firewall-cmd --zone=trusted --add-source=192.168.2.15
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.2. Removing a Source

Removing a source from the zone cuts off the traffic coming from it.
  1. List allowed sources for the required zone:
    ~]# firewall-cmd --zone=zone-name --list-sources
  2. Remove the source from the zone permanently:
    ~]# firewall-cmd --zone=zone-name --remove-source=<source>
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.8.3. Adding a Source Port

To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.
To add a source port:
~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.4. Removing a Source Port

By removing a source port you disable sorting the traffic based on a port of origin.
To remove a source port:
~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>

5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain

To allow traffic from a specific network to use a service on a machine, use zones and source. The following procedure allows only HTTP traffic from the 192.0.2.0/24 network while any other traffic is blocked.

Warning

When you configure this scenario, use a zone that has the default target. Using a zone that has the target set to ACCEPT is a security risk, because for traffic from 192.0.2.0/24, all network connections would be accepted.
  1. List all available zones:
    ~]# firewall-cmd --get-zones
    block dmz drop external home internal public trusted work
  2. Add the IP range to the internal zone to route the traffic originating from the source through the zone:
    ~]# firewall-cmd --zone=internal --add-source=192.0.2.0/24
  3. Add the http service to the internal zone:
    ~]# firewall-cmd --zone=internal --add-service=http
  4. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent
  5. Check that the internal zone is active and that the service is allowed in it:
    ~]# firewall-cmd --zone=internal --list-all
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces:
      sources: 192.0.2.0/24
      services: dhcpv6-client mdns samba-client ssh http
      ...

5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol

You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.

Adding a Protocol to a Zone

By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.
To add a protocol to a zone:
~]# firewall-cmd --zone=zone-name --add-protocol=port-name/tcp|udp|sctp|dccp|igmp

Note

To receive multicast traffic, use the igmp value with the --add-protocol option.

Removing a Protocol from a Zone

By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.
To remove a protocol from a zone:
~]# firewall-cmd --zone=zone-name --remove-protocol=port-name/tcp|udp|sctp|dccp|igmp