Red Hat Training

A Red Hat training course is available for Red Hat Linux

5.7. Working with Zones

Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.

5.7.1. Listing Zones

To see which zones are available on your system:
~]# firewall-cmd --get-zones
The firewall-cmd --get-zones command displays all zones that are available on the system, but it does not show any details for particular zones.
To see detailed information for all zones:
~]# firewall-cmd --list-all-zones
To see detailed information for a specific zone:
~]# firewall-cmd --zone=zone-name --list-all

5.7.2. Modifying firewalld Settings for a Certain Zone

The Section 5.6.3, “Controlling Traffic with Predefined Services using CLI” and Section 5.6.6, “Controlling Ports using CLI” explain how to add services or modify ports in the scope of the current working zone. Sometimes, it is required to set up rules in a different zone.
To work in a different zone, use the --zone=zone-name option. For example, to allow the SSH service in the zone public:
~]# firewall-cmd --add-service=ssh --zone=public

5.7.3. Changing the Default Zone

System administrators assign a zone to a networking interface in its configuration files. If an interface is not assigned to a specific zone, it is assigned to the default zone. After each restart of the firewalld service, firewalld loads the settings for the default zone and makes it active.
To set up the default zone:
  1. Display the current default zone:
    ~]# firewall-cmd --get-default-zone
  2. Set the new default zone:
    ~]# firewall-cmd --set-default-zone zone-name

Note

Following this procedure, the setting is a permanent setting, even without the --permanent option.

5.7.4. Assigning a Network Interface to a Zone

It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them.
To assign the zone to a specific interface:
  1. List the active zones and the interfaces assigned to them:
    ~]# firewall-cmd --get-active-zones
  2. Assign the interface to a different zone:
    ~]# firewall-cmd --zone=zone-name --change-interface=<interface-name>

Note

You do not have to use the --permanent option to make the setting persistent across restarts. If you set a new default zone, the setting becomes permanent.

5.7.5. Assigning a Default Zone to a Network Connection

When the connection is managed by NetworkManager, it must be aware of a zone that it uses. For every network connection, a zone can be specified, which provides the flexibility of various firewall settings according to the location of the computer with portable devices. Thus, zones and settings can be specified for different locations, such as company or home.
To set a default zone for an Internet connection, use either the NetworkManager GUI or edit the /etc/sysconfig/network-scripts/ifcfg-connection-name file and add a line that assigns a zone to this connection:
ZONE=zone-name

5.7.6. Creating a New Zone

To use custom zones, create a new zone and use it just like a predefined zone. New zones require the --permanent option, otherwise the command does not work.
To create a new zone:
  1. Create a new zone:
    ~]# firewall-cmd --new-zone=zone-name
  2. Check if the new zone is added to your permanent settings:
    ~]# firewall-cmd --get-zones
  3. Make the new settings persistent:
    ~]# firewall-cmd --runtime-to-permanent

5.7.7. Creating a New Zone using a Configuration File

Zones can also be created using a zone configuration file. This approach can be helpful when you need to create a new zone, but want to reuse the settings from a different zone and only alter them a little.
A firewalld zone configuration file contains the information for a zone. These are the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules in an XML file format. The file name has to be zone-name.xml where the length of zone-name is currently limited to 17 chars. The zone configuration files are located in the /usr/lib/firewalld/zones/ and /etc/firewalld/zones/ directories.
The following example shows a configuration that allows one service (SSH) and one port range, for both the TCP and UDP protocols.:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>My zone</short>
  <description>Here you can describe the characteristic features of the zone.</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
To change settings for that zone, add or remove sections to add ports, forward ports, services, and so on. For more information, see the firewalld.zone manual pages.

5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic

For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behaviour is defined by setting the target of the zone. There are three options - default, ACCEPT, REJECT, and DROP. By setting the target to ACCEPT, you accept all incoming packets except those disabled by a specific rule. If you set the target to REJECT or DROP, you disable all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while there is no information sent when the packets are dropped.
To set a target for a zone:
  1. List the information for the specific zone to see the default target:
    ~]$ firewall-cmd --zone=zone-name --list-all
  2. Set a new target in the zone:
    ~]# firewall-cmd --zone=zone-name --set-target=<default|ACCEPT|REJECT|DROP>