Linux Tutorials - Herong's Tutorial Examples

∟Network Connection on CentOS

∟Manage Multiple Firewall Zones

This section provides a tutorial example on how to manage multiple firewall zones on CentOS 8 systems.

By default, "firewalld" service supports a single active firewall zone called "public" on CentOS systems. For some situations, you may need to activate additional zones or add custom zones, if you want set up different permissions for different source IP addresses.

What Is Firewall Zone? - A firewall zone is a name permission rules for specific source IP addresses and/or IP address ranges.

"firewalld" service has pre-defined the following zones:

• drop - Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
• block - Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
• public - For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• external - For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• dmz - For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
• work - For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• home - For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• internal - For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
• trusted - All network connections are accepted.

Here some basic rules on how zones are used by "firewalld" service.

• Each zone can be defined with a set of specific source IP addresses or IP address ranges.
• Any given source IP address can be defined in more than one zone.
• One zone must defined as the "default" zone.
• An active zone must have source IP address or network interface defined.
• When an incoming request is received, "firewalld" uses its source IP address to find an active zone that matches the IP address.
• If no matched zone found, the "default" zone will be used as the matched zone.
• Permission rules in the matched zone will be applied to the incoming request.

Here are the commands to see the default zone and other active zones:

herong$ sudo firewall-cmd --get-active-zones
  internal
    sources: 192.168.1.0/24
  work
    sources: 192.168.2.0/24
  external
    sources: 192.168.3.0/24
  public
    interfaces: eno1

herong$ sudo firewall-cmd --get-default-zone
  public

herong$ sudo firewall-cmd --get-zones
  block dmz drop external home internal libvirt nm-shared
  public trusted work

You can use "firewall-cmd" to see permission rules of a given zone:

herong$ sudo firewall-cmd --zone=public --list-all
  public (active)
    target: DROP
    icmp-block-inversion: no
    interfaces: eno1
    sources:
    services:
    ports: 80/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

You can also get the XML file that defines a given zone. Note that inactive zones do not have XML files.

herong$ sudo cat /etc/firewalld/zones/public.xml

<zone target="DROP">
  <short>Public</short>
  <description>For use in public areas...</description>
  <port port="80" protocol="tcp"/>
</zone>

Other examples of firewall-cmd commands are:

sudo firewall-cmd --set-default-zone=work
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" \
  source address="192.168.1.0/24" service name="http" accept'

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

►Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

 "firewalld" and "firewall-cmd" on CentOS

►Manage Multiple Firewall Zones

 "nftables" and "nft" on CentOS

 "iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 "ifconfig" - Trace Routes to Remote Host

 "traceroute" - Trace Routes to Remote Host

 "route" - Upate Routing Table

 "netstat" - Display Network Statistics

 "lsof" - List of Open Files

 Internet Networking Tools

 SSH Protocol and ssh/scp Commands

 Software Package Manager on CentOS - DNF and YUM

 vsftpd - Very Secure FTP Daemon

 LDAP (Lightweight Directory Access Protocol)

 Administrative Tasks

 References

 Full Version in PDF/EPUB

Manage Multiple Firewall Zones - Updated in 2024, by Herong Yang