Creating Customized Zones

You can create zones and then configure the zone's settings for a customized firewall protection.

Using the firewall-cmd Command

As shown in the following example, you can use the firewall-cmd CLI to create an empty zone, which means that no default services are assigned. When configuring a customized zone, you must always include the --permanent option in the command. Otherwise, an error message is generated.

sudo firewall-cmd --permanent --new-zone=testzone
sudo firewall-cmd --permanent --get-zones
block dmz drop external home internal nm-shared public testzone trusted work
sudo firewall-cmd --permanent --info-zone=testzone
testzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Without the --permanent option, the --get-zones option does not display the created zone.

The --info-zone=zone-name option generates the same output as the --list-all option.

To make this zone creation persistent, run the following command:

sudo firewall-cmd --runtime-to-permanent

After creating the zone, you can add services and ports, assign interfaces, and so on, by using the command options that are described in the previous examples:

sudo firewall-cmd --zone=testzone --add-service=http
Error: INVALID ZONE: testzone
sudo firewall-cmd --permanent --zone=testzone --add-service=http

Ensure that you use the --permanent option when using these commands.

Using a Zone Configuration File

All zones have corresponding configuration files. For the predefined zones that are installed with the operating system, the configuration files are in the /usr/lib/firewalld/zones directory.

When you configure a predefined zone, the configuration file is copied to the /etc/firewalld/zones directory and the changes are stored in that location. If you use a configuration file to create new zones, you must also use /etc/firewalld/zones as the working directory.

If you're creating a zone with only minor differences from the settings of predefined zones, copying an existing configuration file to the working directory is the easiest approach. You can use either of the following commands:

sudo cp /etc/firewalld/zones/existing-conf-file.xml new-zone.xml
sudo cp /usr/lib/firewalld/zones/existing-conf-file.xml /etc/firewalld/zones/new-zone.xml

Then, using a text editor, revise the settings in the new configuration file. The following example shows what the configuration file of testzone might contain. testzone accepts traffic for one service (SSH) and one port range for the TCP and UDP protocols:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>testzone</short>
  <description>Put description here</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
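As an added example (not part of this documentation or of firewalld itself), the following Python helpers generate a zone file in the same layout as the testzone file above, reject malformed port specifications before anything is written, and summarize what an existing zone file admits, including how many ports a range such as 1025-65535 exposes. The function names, the constructed TESTZONE_XML sample and the protocol list are assumptions made for the example.

```python
"""Build and inspect firewalld zone XML files (example helpers, assumed names)."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed sample: the testzone configuration file shown in the text.
TESTZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>testzone</short>
  <description>Put description here</description>
  <service name="ssh"/>
  <port port="1025-65535" protocol="tcp"/>
  <port port="1025-65535" protocol="udp"/>
</zone>
"""

# Protocols accepted for <port> entries (assumption for this example).
PORT_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")


def parse_port_spec(spec):
    """Return (low, high) for a single port or a low-high range, checking bounds."""
    low, _, high = spec.partition("-")
    low = int(low)
    high = int(high) if high else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port specification: {spec}")
    return low, high


def build_zone_xml(short, description, services, ports):
    """Render a zone file; ports is a list of (spec, protocol) tuples."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<zone>",
             f"  <short>{escape(short)}</short>",
             f"  <description>{escape(description)}</description>"]
    lines += [f"  <service name={quoteattr(s)}/>" for s in services]
    for spec, proto in ports:
        parse_port_spec(spec)  # fail before writing a broken file
        if proto not in PORT_PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        lines.append(f"  <port port={quoteattr(spec)} protocol={quoteattr(proto)}/>")
    return "\n".join(lines + ["</zone>"]) + "\n"


def summarize_zone(xml_text):
    """Report the services, port entries and total exposed ports of a zone file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    services = [s.get("name") for s in root.findall("service")]
    ports = [(p.get("port"), p.get("protocol")) for p in root.findall("port")]
    exposed = sum(hi - lo + 1 for lo, hi in (parse_port_spec(s) for s, _ in ports))
    return {"short": root.findtext("short"), "services": services,
            "ports": ports, "exposed_ports": exposed}
```

Reviewing the summary before copying a file into /etc/firewalld/zones makes the breadth of a range such as 1025-65535 (64511 ports per protocol) visible, which a bare XML listing does not.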