Manage Multiple Firewall Zones

This section provides a tutorial example on how to manage multiple firewall zones on CentOS 8 systems.

By default, "firewalld" service supports a single active firewall zone called "public" on CentOS systems. For some situations, you may need to activate additional zones or add custom zones, if you want set up different permissions for different source IP addresses.

What Is Firewall Zone? - A firewall zone is a name permission rules for specific source IP addresses and/or IP address ranges.

"firewalld" service has pre-defined the following zones:

Here some basic rules on how zones are used by "firewalld" service.

Here are the commands to see the default zone and other active zones:

herong$ sudo firewall-cmd --get-active-zones
    interfaces: eno1

herong$ sudo firewall-cmd --get-default-zone

herong$ sudo firewall-cmd --get-zones
  block dmz drop external home internal libvirt nm-shared
  public trusted work

You can use "firewall-cmd" to see permission rules of a given zone:

herong$ sudo firewall-cmd --zone=public --list-all
  public (active)
    target: DROP
    icmp-block-inversion: no
    interfaces: eno1
    ports: 80/tcp
    masquerade: no
    rich rules:

You can also get the XML file that defines a given zone. Note that inactive zones do not have XML files.

herong$ sudo cat /etc/firewalld/zones/public.xml

<zone target="DROP">
  <description>For use in public areas...</description>
  <port port="80" protocol="tcp"/>

Other examples of firewall-cmd commands are:

sudo firewall-cmd --set-default-zone=work
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" \
  source address="" service name="http" accept'

Table of Contents

 About This Book

 Introduction to Linux Systems

 Cockpit - Web Portal for Administrator

 Process Management

 Files and Directories

 Users and Groups

 File Systems

 Block Devices and Partitions

 LVM (Logical Volume Manager)

 Installing CentOS

 SELinux - Security-Enhanced Linux

Network Connection on CentOS

 Setup Ethernet Connection on CentOS

 Network Firewall Tools on CentOS

 "firewalld" and "firewall-cmd" on CentOS

Manage Multiple Firewall Zones

 "nftables" and "nft" on CentOS

 "iptables" Command on CentOS

 "nmap" - Network Mapper on CentOS

 Monitor Network Services on CentOS

 "ifconfig" - Trace Routes to Remote Host

 "traceroute" - Trace Routes to Remote Host

 "route" - Upate Routing Table

 "netstat" - Display Network Statistics

 "lsof" - List of Open Files

 Internet Networking Tools

 SSH Protocol and ssh/scp Commands

 Software Package Manager on CentOS - DNF and YUM

 vsftpd - Very Secure FTP Daemon

 LDAP (Lightweight Directory Access Protocol)

 Administrative Tasks


 Full Version in PDF/EPUB