Linux Tutorials - Herong's Tutorial Examples - v5.45, by Herong Yang
Manage Multiple Firewall Zones
This section provides a tutorial example on how to manage multiple firewall zones on CentOS 8 systems.
By default, the "firewalld" service on CentOS systems has a single active firewall zone called "public". In some situations you may need to activate additional zones or add custom zones, for example if you want to set up different permissions for different source IP addresses.
What Is a Firewall Zone? - A firewall zone is a named set of permission rules for specific source IP addresses and/or IP address ranges.
"firewalld" service has pre-defined the following zones:
Here are some basic rules on how zones are used by the "firewalld" service.
Here are the commands to see the default zone and other active zones:
herong$ sudo firewall-cmd --get-active-zones
internal
  sources: 192.168.1.0/24
work
  sources: 192.168.2.0/24
external
  sources: 192.168.3.0/24
public
  interfaces: eno1

herong$ sudo firewall-cmd --get-default-zone
public

herong$ sudo firewall-cmd --get-zones
block dmz drop external home internal libvirt nm-shared public trusted work
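As an added example (not part of the tutorial), the POSIX shell snippet below parses the text that "firewall-cmd --get-active-zones" prints and answers the question an auditor asks most often: which active zone is a given source range or interface bound to? The sample text is constructed to match the session above; the function names zone_bindings, zone_for and count_bindings are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the tutorial: audit firewalld zone bindings from the
# output of "firewall-cmd --get-active-zones". The sample below is constructed
# to match the session shown above; on a real host replace it with the command
# output itself, e.g.  sudo firewall-cmd --get-active-zones

ACTIVE_ZONES_SAMPLE='internal
  sources: 192.168.1.0/24
work
  sources: 192.168.2.0/24
external
  sources: 192.168.3.0/24
public
  interfaces: eno1'

# Read active-zones text on stdin; print one "kind value zone" line per binding,
# e.g. "sources 192.168.1.0/24 internal" or "interfaces eno1 public".
zone_bindings() {
  awk '
    /^[^[:space:]]/ { zone = $1; next }          # an unindented line names the zone
    /^[[:space:]]+(sources|interfaces):/ {
      kind = $1; sub(/:$/, "", kind)             # "sources:" -> "sources"
      for (i = 2; i <= NF; i++) print kind, $i, zone   # several values may share a line
    }'
}

# zone_for VALUE [TEXT]: print the zone bound to that exact source range or
# interface. Empty output with status 1 means it is not explicitly bound, so
# firewalld would apply the default zone to that traffic instead.
zone_for() {
  _text=${2:-$ACTIVE_ZONES_SAMPLE}
  _zone=$(printf '%s\n' "$_text" | zone_bindings | awk -v v="$1" '$2 == v { print $3; exit }')
  [ -n "$_zone" ] && printf '%s\n' "$_zone"
}

# count_bindings [TEXT]: total number of source ranges and interfaces bound.
count_bindings() {
  printf '%s\n' "${1:-$ACTIVE_ZONES_SAMPLE}" | zone_bindings | wc -l | tr -d ' '
}
```

A source range that produces no match is worth a second look: it is handled by whatever the default zone allows, not by the zone you expected.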
You can use "firewall-cmd" to see permission rules of a given zone:
herong$ sudo firewall-cmd --zone=public --list-all
public (active)
  target: DROP
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services:
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
You can also get the XML file that defines a given zone. Note that inactive zones do not have XML files.
herong$ sudo cat /etc/firewalld/zones/public.xml
<zone target="DROP">
  <short>Public</short>
  <description>For use in public areas...</description>
  <port port="80" protocol="tcp"/>
</zone>
Other examples of firewall-cmd commands are:
sudo firewall-cmd --set-default-zone=work
sudo firewall-cmd --permanent --zone=public --set-target=DROP
sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-port=80/tcp
sudo firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" \
  source address="192.168.1.0/24" service name="http" accept'