Configuring firewalld Zones

The following tasks describe how to use the firewall-cmd command to configure firewall rules for a zone. The rules are then recorded in the /etc/firewalld hierarchy for firewalld.

Configuring the firewall means setting all or some of a zone's settings to specific values so that the firewall controls network traffic according to your specifications.
Controlling Access to Services

Setting the services of a zone is the default way to configure the firewall. Each zone has predefined services assigned to it. To configure this setting further, you either add services to the zone or remove services from the zone.

To list the predefined services that are assigned to a zone, use the firewall-cmd --list-services command. For example, the following command shows that the work zone has the cockpit, dhcpv6-client, and ssh services assigned to it:

sudo firewall-cmd --list-services --zone=work
cockpit dhcpv6-client ssh
To open access to a new service, use the --add-service=service option. Optionally, include the --permanent option to make the rule persistent across reboots.

For example, to add the HTTP and NFS services to the work zone, you would use the following commands:

sudo firewall-cmd --permanent --zone=work --add-service=http --add-service=nfs
sudo firewall-cmd --list-services --zone=work
cockpit dhcpv6-client ssh http nfs

To remove access to a service, use the --remove-service=service option:

sudo firewall-cmd --permanent --zone=work --remove-service=cockpit
sudo firewall-cmd --list-services --zone=work
dhcpv6-client ssh http nfs
Controlling Access to Ports

Network traffic through the zone's services uses the ports of those services. Ports must be opened to accept traffic. You can open more ports for network access by specifying the port number and the associated protocol.

The --list-ports option lists the ports and associated protocols to which you have explicitly allowed access. However, ports that have been opened as part of a service aren't included in this command's output. Therefore, when listing ports, the best practice is to use the --list-all option to obtain more complete information.

Use the --add-port option to allow access to specific ports. Ports must be specified by using the format port-number/port-type. Port types can be tcp, udp, sctp, or dccp. Ensure that the type matches the network traffic, for example:

sudo firewall-cmd --permanent --zone=work --add-port=5353/udp --add-port=3689/tcp
sudo firewall-cmd --list-all --zone=work
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh http nfs
  ports: 5353/udp 3689/tcp
  ...

Similarly, the --remove-port option removes access to a port. Remember to use the --permanent option to make the change persist.

For more information, see the firewall-cmd(1) manual page.
Assigning a Network Interface to a Zone

A system's network interface is automatically assigned to the default zone. In Oracle Linux, you can configure multiple zones, each with its own services, ports, and so on. You then activate a specific zone's rules by assigning the interface to that zone. Thus, you can easily change the firewall rules that are active on the system by reassigning the network interface.

Suppose that you want to activate the firewall configuration of the work zone. You would assign the interface to the zone as follows:

sudo firewall-cmd --zone=work --change-interface=enp0s1
firewall-cmd --get-active-zones
work
  interfaces: enp0s1

Note: You don't need to use the --permanent option to make the setting persist across reboots. If you set the zone to be the default zone, as explained in Changing the Default Zone, then the interface reassignment becomes permanent.
Changing the Default Zone

You can change a system's default zone as follows:

sudo firewall-cmd --set-default-zone=work

You can then verify that the change has been applied:

firewall-cmd --get-default-zone

To display the entire and final results of the configuration:

sudo firewall-cmd --zone=work --list-all
work (active)
  target: default
  interfaces: enp0s1
  sources:
  services: dhcpv6-client ssh http nfs
  ports: 5353/udp 3689/tcp
  ...
Setting a Default Rule for Controlling Incoming Traffic

The target setting establishes the default behavior of the firewall when managing incoming traffic. This zone setting is automatically configured to default for all the predefined zones. To change the default behavior of a zone, use the following command:

sudo firewall-cmd --permanent --zone=zone-name --set-target=ACCEPT|REJECT|DROP

The --set-target option applies only to the permanent configuration, so run firewall-cmd --reload afterward to make the new target active.

You can specify the following options:
- ACCEPT accepts all incoming traffic except traffic that you have set to be rejected in another rule.
- REJECT blocks all incoming traffic except traffic that you have allowed in another rule. The source machine is informed about the rejection.
- DROP is similar to REJECT, but no notice of the rejection is sent to the source machine.
Managing Incoming Traffic Based on Sources

You can manage incoming traffic to a zone based on the traffic source. The following two zone settings enable you to specify the origin of the packets:
- source identifies the sending node or network.
- source-ports identifies the port from which the traffic originates.

To accept incoming traffic from a sending node, use the following command:

sudo firewall-cmd --zone=zone-name --add-source=IP-address

Note that the IP address can include the netmask in CIDR notation, such as 192.0.2.0/24.

Run the following command to transform the current runtime ruleset into a permanent ruleset:

sudo firewall-cmd --runtime-to-permanent

Omit this command if you're setting a temporary configuration that's dropped when the system is rebooted.

Similar syntax is used to set the source-port setting. However, you identify the source port by specifying the sending port number and the protocol type, for example:

sudo firewall-cmd --zone=zone-name --add-source-port=port-number/tcp|udp|sctp|dccp

You can combine different settings to configure the firewall. For example, the trusted zone can be configured to accept HTTP traffic from the 192.0.2.0/24 network source, as shown in the following example:

sudo firewall-cmd --zone=trusted --add-source=192.0.2.0/24
sudo firewall-cmd --zone=trusted --add-service=http
sudo firewall-cmd --zone=trusted --list-all
trusted (active)
  target: ACCEPT
  sources: 192.0.2.0/24
  services: http
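The following script is an added example and is not part of the Oracle documentation or of firewalld itself. It ties together two points made above: that --list-all is the only listing that shows both explicitly opened ports and the ports implied by services (Controlling Access to Ports), and that the target and sources settings decide what a zone actually exposes (the two sections on incoming traffic). It parses the text layout that firewall-cmd --list-all prints, expands service names to ports, and reports findings a reviewer would want, such as a zone whose target is ACCEPT. The sample outputs are constructed, the SERVICE_PORTS table is an assumed subset of the definitions shipped in /usr/lib/firewalld/services/, and the function names are the author's own.

```python
"""Added example: parse `firewall-cmd --zone=NAME --list-all` output and audit
the effective zone policy. Not firewalld code; SERVICE_PORTS is an assumed subset."""

# Constructed sample outputs in the layout firewall-cmd prints; not captured from a real host.
SAMPLE_WORK = """\
work (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s1
  sources:
  services: dhcpv6-client ssh http nfs
  ports: 5353/udp 3689/tcp
  protocols:
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

SAMPLE_TRUSTED = """\
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.0.2.0/24
  services: http
  ports:
  protocols:
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# Assumed subset of the service definitions in /usr/lib/firewalld/services/*.xml;
# a real audit would read those XML files instead of this hard-coded table.
SERVICE_PORTS = {
    "ssh": {"22/tcp"},
    "http": {"80/tcp"},
    "cockpit": {"9090/tcp"},
    "dhcpv6-client": {"546/udp"},
    "nfs": {"2049/tcp", "2049/udp"},
}

# Zone settings whose value is a whitespace-separated list.
MULTI_VALUE = {"interfaces", "sources", "services", "ports", "protocols",
               "forward-ports", "source-ports", "icmp-blocks"}


def parse_list_all(text):
    """Return (zone_name, is_active, settings) for one zone's --list-all output."""
    lines = text.strip().splitlines()
    header = lines[0].split()                 # e.g. ["work", "(active)"]
    zone, active = header[0], "(active)" in header
    settings = {"rich rules": []}
    for raw in lines[1:]:
        line = raw.strip()
        if line.startswith("rule "):          # rich rules continue on indented lines
            settings["rich rules"].append(line)
            continue
        key, _, value = line.partition(":")   # split on the first colon only,
        key, value = key.strip(), value.strip()  # so IPv6 sources stay intact
        if key in MULTI_VALUE:
            settings[key] = value.split()
        elif key != "rich rules":
            settings[key] = value
    return zone, active, settings


def effective_ports(settings):
    """Ports reachable through the zone: service ports plus explicitly added ports.
    Services missing from SERVICE_PORTS are reported as 'unknown:<name>'."""
    reachable = set(settings.get("ports", []))
    for service in settings.get("services", []):
        reachable |= SERVICE_PORTS.get(service, {"unknown:" + service})
    return reachable


def audit(text):
    """Return a list of findings a reviewer would want to see for the zone."""
    zone, active, s = parse_list_all(text)
    findings = []
    if not active:
        return findings                       # a zone bound to nothing filters nothing
    if s.get("target") == "ACCEPT":
        findings.append(f"{zone}: target ACCEPT allows all traffic not rejected elsewhere; "
                        "service and port entries do not restrict anything")
    for src in s.get("sources", []):
        if src in ("0.0.0.0/0", "::/0"):
            findings.append(f"{zone}: source {src} matches every address")
    for port in s.get("ports", []):
        findings.append(f"{zone}: port {port} opened directly; hidden from --list-services, "
                        "confirm which daemon listens there")
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_WORK, SAMPLE_TRUSTED):
        name, _, settings = parse_list_all(sample)
        print(name, "effective ports:", sorted(effective_ports(settings)))
        for finding in audit(sample):
            print("  -", finding)
```

Feed it the saved output of firewall-cmd --zone=NAME --list-all for each active zone. When comparing against the permanent configuration, remember that rules added with --permanent are written under /etc/firewalld and show up in runtime output only after firewall-cmd --reload, so the runtime and permanent listings can legitimately differ until then.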