Manage Multiple Firewall Zones

Provides a tutorial example on how to manage multiple firewall zones on CentOS 8 systems.

By default, "firewalld" service supports a single active firewall zone called "public" on CentOS systems. For some situations, you may need to activate additional zones or add custom zones, if you want set up different permissions for different source IP addresses.

What Is Firewall Zone? - A firewall zone is a name permission rules for specific source IP addresses and/or IP address ranges.

"firewalld" service has pre-defined the following zones:

Here some basic rules on how zones are used by "firewalld" service.

Here are the commands to see the default zone and other active zones:

herong$ sudo firewall-cmd --get-active-zones
  internal
    sources: 192.168.1.0/24
  work
    sources: 192.168.2.0/24
  external
    sources: 192.168.3.0/24
  public
    interfaces: eno1

herong$ sudo firewall-cmd --get-default-zone
  public

herong$ sudo firewall-cmd --get-zones
  block dmz drop external home internal libvirt nm-shared
  public trusted work

You can use "firewall-cmd" to see permission rules of a given zone:

herong$ sudo firewall-cmd --zone=public --list-all
  public (active)
    target: DROP
    icmp-block-inversion: no
    interfaces: eno1
    sources:
    services:
    ports: 80/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

You can also get the XML file that defines a given zone. Note that inactive zones do not have XML files.

herong$ sudo cat /etc/firewalld/zones/public.xml

<zone target="DROP">
  <short>Public</short>
  <description>For use in public areas...</description>
  <port port="80" protocol="tcp"/>
</zone>

Other examples of firewall-cmd commands are:

sudo firewall-cmd --set-default-zone=work
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" \
  source address="192.168.1.0/24" service name="http" accept'

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

 "firewalld" and "firewall-cmd" on CentOS

Manage Multiple Firewall Zones

 "nftables" and "nft" on CentOS

 "iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 "ifconfig" - Trace Routes to Remote Host

 "traceroute" - Trace Routes to Remote Host

 "route" - Upate Routing Table

 "netstat" - Display Network Statistics

 "lsof" - List of Open Files

 Software Package Manager on CentOS - DNF and YUM

 Running Apache Web Server (httpd) on Linux Systems

 Running PHP Scripts on Linux Systems

 Running MySQL Database Server on Linux Systems

 Running Python Scripts on Linux Systems

 vsftpd - Very Secure FTP Daemon

 Postfix - Mail Transport Agent (MTA)

 Dovecot - IMAP and POP3 Server

 Email Client Tools - Mail User Agents (MUA)

 LDAP (Lightweight Directory Access Protocol)

 GCC - C/C++ Compiler

 Graphics Environments on Linux

 Conda - Environment and Package Manager

 Tools and Utilities

 Administrative Tasks

 References

 Full Version in PDF/EPUB