Manage Multiple Firewall Zones
Provides a tutorial example on how to manage multiple firewall zones on CentOS 8 systems.
By default, "firewalld" service supports a single active firewall zone called "public"
on CentOS systems.
In some situations, you may need to activate additional zones or add custom zones,
for example if you want to set up different permissions for different source IP addresses.
What Is a Firewall Zone? -
A firewall zone is a named set of permission rules applied to specific source IP addresses and/or IP address ranges.
The "firewalld" service pre-defines the following zones:
- drop -
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
- block -
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
- public -
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- external -
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- dmz -
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
- work -
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- home -
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
- internal -
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
- trusted -
All network connections are accepted.
Here are some basic rules on how zones are used by the "firewalld" service.
- Each zone can be defined with a set of specific source IP addresses or IP address ranges.
- Any given source IP address can be defined in more than one zone.
- One zone must be defined as the "default" zone.
- An active zone must have a source IP address or a network interface defined.
- When an incoming request is received, "firewalld" uses its source IP address
to find an active zone that matches the IP address.
- If no matching zone is found, the "default" zone is used as the matched zone.
- The permission rules of the matched zone are applied to the incoming request.
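The zone lookup described by the rules above, as an added example written for this tutorial rather than code from firewalld itself: a small Python model in which a packet's source address is checked against each zone's bound sources, then the receiving interface, and finally falls back to the default zone, after which the matched zone's allowed services and ports decide the outcome. The zone set, the service-to-port table and the "source bindings before interface bindings" ordering are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    target: str                                     # "ACCEPT", "REJECT" or "DROP" (zone target once resolved)
    sources: list = field(default_factory=list)     # CIDR strings, as bound with --add-source
    interfaces: list = field(default_factory=list)  # interface names, as bound with --add-interface
    services: set = field(default_factory=set)      # allowed service names, e.g. {"ssh", "http"}
    ports: set = field(default_factory=set)         # allowed "port/proto" strings, e.g. {"8080/tcp"}

# Constructed lookup table: the only services this example needs to resolve
SERVICE_PORTS = {"ssh": "22/tcp", "http": "80/tcp", "https": "443/tcp"}

def match_zone(zones, default_zone, src_ip, iface=None):
    """Pick the zone that handles a packet: source bindings first, then the
    interface binding, then the default zone (assumed ordering for this model)."""
    ip = ipaddress.ip_address(src_ip)
    for z in zones:
        if any(ip in ipaddress.ip_network(s, strict=False) for s in z.sources):
            return z
    if iface:
        for z in zones:
            if iface in z.interfaces:
                return z
    return next(z for z in zones if z.name == default_zone)

def decide(zone, port_proto):
    """ACCEPT if the port, or a service on that port, is allowed; otherwise apply the zone target."""
    allowed = set(zone.ports) | {SERVICE_PORTS[s] for s in zone.services}
    return "ACCEPT" if port_proto in allowed else zone.target

# Constructed zone set: "public" is bound to eth0, the others to source ranges
ZONES = [
    Zone("public", "REJECT", interfaces=["eth0"], services={"ssh", "http"}),
    Zone("work", "REJECT", sources=["192.168.1.0/24"], services={"ssh", "http", "https"}),
    Zone("internal", "REJECT", sources=["10.0.0.0/8"], services={"ssh"}, ports={"8080/tcp"}),
    Zone("drop", "DROP"),
]

def check(src_ip, port_proto, iface="eth0", default_zone="public"):
    """Return (matched zone name, verdict) for a packet from src_ip to port_proto."""
    zone = match_zone(ZONES, default_zone, src_ip, iface)
    return zone.name, decide(zone, port_proto)

if __name__ == "__main__":
    for src, pp in [("203.0.113.5", "443/tcp"), ("192.168.1.20", "443/tcp"), ("10.1.2.3", "8080/tcp")]:
        print(src, pp, "->", check(src, pp))
```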
Here are the commands to see the default zone and other active zones:
herong$ sudo firewall-cmd --get-active-zones
herong$ sudo firewall-cmd --get-default-zone
herong$ sudo firewall-cmd --get-zones
block dmz drop external home internal libvirt nm-shared
public trusted work
You can use "firewall-cmd" to see permission rules of a given zone:
herong$ sudo firewall-cmd --zone=public --list-all
You can also view the XML file that defines a given zone.
Note that inactive zones do not have XML files.
herong$ sudo cat /etc/firewalld/zones/public.xml
<description>For use in public areas...</description>
<port port="80" protocol="tcp"/>
Other examples of firewall-cmd commands are:
sudo firewall-cmd --set-default-zone=work
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" \
source address="192.168.1.0/24" service name="http" accept'