5.8. Using Zones to Manage Incoming Traffic Depending on Source
You can use zones to manage incoming traffic based on its source. That enables you to sort incoming traffic and route it through different zones to allow or disallow services that can be reached by that traffic.
If you add a source to a zone, the zone becomes active and any incoming traffic from that source is directed through it. You can specify different settings for each zone, and those settings are applied to the traffic arriving from that zone's sources. You can use multiple zones even if you have only one network interface.
5.8.1. Adding a Source
To route incoming traffic into a specific zone, add the source to that zone. The source can be an IP address or an IP mask in the Classless Inter-domain Routing (CIDR) notation.
- To set the source in the current zone:
~]# firewall-cmd --add-source=<source>
- To set the source IP address for a specific zone:
~]# firewall-cmd --zone=zone-name --add-source=<source>
The following procedure allows all incoming traffic from 192.168.2.15 in the trusted zone:
- List all available zones:
~]# firewall-cmd --get-zones
- Add the source IP to the trusted zone:
~]# firewall-cmd --zone=trusted --add-source=192.168.2.15
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
5.8.2. Removing a Source
Removing a source from the zone cuts off the traffic coming from it.
- List allowed sources for the required zone:
~]# firewall-cmd --zone=zone-name --list-sources
- Remove the source from the zone:
~]# firewall-cmd --zone=zone-name --remove-source=<source>
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
5.8.3. Adding a Source Port
To enable sorting the traffic based on a port of origin, specify a source port using the --add-source-port option. You can also combine this with the --add-source option to limit the traffic to a certain IP address or IP range.
To add a source port:
~]# firewall-cmd --zone=zone-name --add-source-port=<port-name>/<tcp|udp|sctp|dccp>
5.8.4. Removing a Source Port
By removing a source port you disable sorting the traffic based on a port of origin.
To remove a source port:
~]# firewall-cmd --zone=zone-name --remove-source-port=<port-name>/<tcp|udp|sctp|dccp>
5.8.5. Using Zones and Sources to Allow a Service for Only a Specific Domain
To allow traffic from a specific network to use a service on a machine, use zones and sources.
For example, to allow traffic from 192.168.1.0/24 to be able to reach the HTTP service while any other traffic is blocked:
- List all available zones:
~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
- Add the source to the trusted zone to route the traffic originating from the source through the zone:
~]# firewall-cmd --zone=trusted --add-source=192.168.1.0/24
- Add the http service in the trusted zone:
~]# firewall-cmd --zone=trusted --add-service=http
- Make the new settings persistent:
~]# firewall-cmd --runtime-to-permanent
- Check that the trusted zone is active and that the service is allowed in it:
~]# firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  sources: 192.168.1.0/24
  services: http
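To make the zone lookup behind Section 5.8.1 and the procedure above concrete, here is an added shell example; it is not from the Red Hat guide and is not part of firewalld. It parses a constructed dump in the style of `firewall-cmd --zone=<zone> --list-all` for several zones, finds the zone whose sources contain a given address (a bare address such as 192.168.2.15 or a CIDR block such as 192.168.1.0/24), and reports whether a service requested from that address is accepted, rejected by the zone target, or dropped. The zone dump, the assumed default zone `public`, and the treatment of the `default` target as reject are assumptions of the example; on a real host the input would come from `firewall-cmd --list-all-zones`.

```shell
#!/bin/bash
# Added example, not part of firewalld or the Red Hat guide.
# Resolves which zone traffic from a source address is routed through and
# whether a service is reachable, from a `--list-all` style zone dump.

# Constructed sample zone dump (not captured from a real host). Only the
# fields this example uses are included.
ZONE_DUMP='trusted (active)
  target: ACCEPT
  sources: 192.168.1.0/24 192.168.2.15
  services: http
public (active)
  target: default
  sources:
  services: ssh dhcpv6-client
drop
  target: DROP
  sources: 10.0.0.0/8
  services:'

# Assumed default zone (what `firewall-cmd --get-default-zone` would report).
DEFAULT_ZONE=public

# ip_to_int A.B.C.D : dotted quad as a 32-bit integer
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr IP SOURCE : succeed if IP lies inside SOURCE, which is either a
# CIDR block (192.168.1.0/24) or a bare address (treated as /32).
ip_in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    local mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zone_field ZONE FIELD : value of "FIELD:" inside ZONE's block of the dump
zone_field() {
    printf '%s\n' "$ZONE_DUMP" | awk -v zone="$1" -v field="$2" '
        /^[^ ]/ { inzone = ($1 == zone) }
        inzone && $1 == (field ":") { sub(/^ *[^:]*: */, ""); print; exit }'
}

# zones : zone names in the order they appear in the dump
zones() { printf '%s\n' "$ZONE_DUMP" | awk '/^[^ ]/ { print $1 }'; }

# zone_for_source IP : the zone whose sources contain IP; traffic from an
# address bound to no zone falls back to the default zone.
zone_for_source() {
    local z src
    for z in $(zones); do
        for src in $(zone_field "$z" sources); do
            ip_in_cidr "$1" "$src" && { echo "$z"; return; }
        done
    done
    echo "$DEFAULT_ZONE"
}

# service_reachable IP SERVICE : accept if the zone lists the service or its
# target is ACCEPT; otherwise the zone target decides (default = reject).
service_reachable() {
    local z s target
    z=$(zone_for_source "$1")
    target=$(zone_field "$z" target)
    for s in $(zone_field "$z" services); do
        [ "$s" = "$2" ] && { echo accept; return; }
    done
    case $target in
        ACCEPT) echo accept ;;
        DROP)   echo drop ;;
        *)      echo reject ;;
    esac
}

# Run directly as: bash zone-check.sh <ip> <service>
if [ $# -eq 2 ]; then
    printf '%s -> zone %s, %s: %s\n' "$1" "$(zone_for_source "$1")" "$2" "$(service_reachable "$1" "$2")"
fi
```

With the sample dump, `bash zone-check.sh 192.168.1.42 http` reports zone `trusted` and `accept`, while an address outside every listed source (203.0.113.9) lands in `public`, where http is not listed and the `default` target rejects it. The bare address 192.168.2.15 from Section 5.8.1 matches as a /32, which is how a single-host source behaves.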
5.8.6. Configuring Traffic Accepted by a Zone Based on Protocol
You can allow incoming traffic to be accepted by a zone based on the protocol. All traffic using the specified protocol is accepted by a zone, in which you can apply further rules and filtering.
Adding a Protocol to a Zone
By adding a protocol to a certain zone, you allow all traffic with this protocol to be accepted by this zone.
To add a protocol to a zone:
~]# firewall-cmd --zone=zone-name --add-protocol=<tcp|udp|sctp|dccp|igmp>
Note
To receive multicast traffic, use the igmp value with the --add-protocol option.
Removing a Protocol from a Zone
By removing a protocol from a certain zone, you stop accepting all traffic based on this protocol by the zone.
To remove a protocol from a zone:
~]# firewall-cmd --zone=zone-name --remove-protocol=<tcp|udp|sctp|dccp|igmp>