5.7. Working with Zones
Zones represent a concept to manage incoming traffic more transparently. The zones are connected to networking interfaces or assigned a range of source addresses. You manage firewall rules for each zone independently, which enables you to define complex firewall settings and apply them to the traffic.
5.7.1. Listing Zones
To see which zones are available on your system:
firewall-cmd --get-zones
The firewall-cmd --get-zones command displays all zones that are available on the system, but it does not show any details for particular zones.
To see detailed information for all zones:
To see detailed information for a specific zone:
firewall-cmd --zone=zone-name --list-all
5.7.2. Modifying firewalld Settings for a Certain Zone
Section 5.6.3, “Controlling Traffic with Predefined Services using CLI” and Section 5.6.6, “Controlling Ports using CLI” explain how to add services or modify ports in the scope of the current working zone. Sometimes, it is required to set up rules in a different zone.
To work in a different zone, use the --zone=zone-name option. For example, to allow the SSH service in the zone public:
firewall-cmd --add-service=ssh --zone=public
5.7.3. Changing the Default Zone
System administrators assign a zone to a networking interface in its configuration files. If an interface is not assigned to a specific zone, it is assigned to the default zone. After each restart, firewalld loads the settings for the default zone and makes it active.
To set up the default zone:
- Display the current default zone:
- Set the new default zone:
firewall-cmd --set-default-zone zone-name
Following this procedure, the setting is permanent, even without the --permanent option.
5.7.4. Assigning a Network Interface to a Zone
It is possible to define different sets of rules for different zones and then change the settings quickly by changing the zone for the interface that is being used. With multiple interfaces, a specific zone can be set for each of them to distinguish traffic that is coming through them.
To assign the zone to a specific interface:
- List the active zones and the interfaces assigned to them:
- Assign the interface to a different zone:
firewall-cmd --zone=zone-name --change-interface=<interface-name>
You do not have to use the --permanent option to make the setting persistent across restarts. If you set a new default zone, the setting becomes permanent.
5.7.5. Assigning a Default Zone to a Network Connection
When a connection is managed by NetworkManager, NetworkManager must know which zone the connection uses. A zone can be specified for every network connection, which gives portable devices the flexibility of different firewall settings depending on the location of the computer. Thus, zones and settings can be specified for different locations, such as the company or home.
To set a default zone for an Internet connection, use either the NetworkManager GUI or edit the /etc/sysconfig/network-scripts/ifcfg-connection-name file and add a line that assigns a zone to this connection:
5.7.6. Creating a New Zone
To use custom zones, create a new zone and use it just like a predefined zone.
New zones require the --permanent option, otherwise the command does not work.
- Create a new zone:
firewall-cmd --permanent --new-zone=zone-name
- Reload the new zone:
- Check if the new zone is added to your permanent settings:
- Make the new settings persistent:
5.7.7. Creating a New Zone using a Configuration File
Zones can also be created using a zone configuration file. This approach can be helpful when you need to create a new zone, but want to reuse the settings from a different zone and only alter them a little.
A firewalld zone configuration file contains the information for a zone: the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules, in XML file format. The file name has to be zone-name.xml, where the length of zone-name is currently limited to 17 characters. The zone configuration files are located in the
The following example shows a configuration that allows one service (SSH) and one port range, for both the TCP and UDP protocols:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>My zone</short>
  <description>Here you can describe the characteristic features of the zone.</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
To change settings for that zone, add or remove sections to add ports, forward ports, services, and so on. For more information, see the
5.7.8. Using Zone Targets to Set Default Behavior for Incoming Traffic
For every zone, you can set a default behavior that handles incoming traffic that is not further specified. Such behavior is defined by setting the target of the zone. There are three options: ACCEPT, REJECT, and DROP. By setting the target to ACCEPT, you accept all incoming packets except those disabled by a specific rule. If you set the target to DROP, you disable all incoming packets except those that you have allowed in specific rules. When packets are rejected, the source machine is informed about the rejection, while there is no information sent when the packets are dropped.
To set a target for a zone:
- List the information for the specific zone to see the default target:
firewall-cmd --zone=zone-name --list-all
- Set a new target in the zone:
firewall-cmd --zone=zone-name --set-target=<default|ACCEPT|REJECT|DROP>
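As an added example (not part of this guide and not firewalld's own code), the following POSIX shell helpers write a zone file of the form shown in Section 5.7.7, enforcing the 17-character zone-name limit, and check a target against the values accepted by --set-target in Section 5.7.8 before it is placed in the file. The function names, the zone directory parameter and the sample zone values are assumptions made for the example; in the XML file a REJECT target is spelled %%REJECT%% and default means no target attribute.

```shell
#!/bin/sh
# Added example, not from the RHEL guide: helpers that write a firewalld zone
# file like the one in Section 5.7.7 and validate zone targets (Section 5.7.8).
# The zone directory is a parameter so the script can run against a temp dir.

# zone_name_ok NAME: 0 if NAME is 1-17 chars of letters, digits, '_' or '-'
# (the guide limits zone-name to 17 characters; the file is NAME.xml).
zone_name_ok() {
    n=$1
    case "$n" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ "${#n}" -le 17 ]
}

# zone_target_ok TARGET: 0 if TARGET is one firewall-cmd --set-target accepts.
zone_target_ok() {
    case "$1" in
        default|ACCEPT|REJECT|DROP) return 0 ;;
        *) return 1 ;;
    esac
}

# write_zone DIR NAME TARGET SERVICE PORTRANGE
# Writes DIR/NAME.xml with one service and one tcp+udp port range, as in the
# guide's example, and prints the path. "default" leaves the target attribute
# out; REJECT must be written as %%REJECT%% in the file (see firewalld.zone(5)).
write_zone() {
    dir=$1 name=$2 target=$3 service=$4 ports=$5
    zone_name_ok "$name" || { echo "bad zone name: $name" >&2; return 1; }
    zone_target_ok "$target" || { echo "bad target: $target" >&2; return 1; }
    case "$target" in
        default) attr="" ;;
        REJECT)  attr=' target="%%REJECT%%"' ;;
        *)       attr=" target=\"$target\"" ;;
    esac
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<zone%s>\n' "$attr"
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>Custom zone %s</description>\n' "$name"
        printf '  <service name="%s"/>\n' "$service"
        printf '  <port port="%s" protocol="tcp"/>\n' "$ports"
        printf '  <port port="%s" protocol="udp"/>\n' "$ports"
        printf '</zone>\n'
    } > "$file" || return 1
    echo "$file"
}
```

After the file is placed in the zone directory, the zone still has to be loaded with firewall-cmd --reload before it can be listed or assigned to an interface.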