Understanding Firewalld in Multi-Zone Configurations


The top layer of organization in firewalld is zones. A packet is part of a zone if it matches that zone's associated network interface or IP/mask source. Several predefined zones are available:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

An active zone is any zone that is configured with an interface and/or a source. To list active zones:

# firewall-cmd --get-active-zones
  interfaces: eno1 eno2

Interfaces are the system's names for hardware and virtual network adapters, as you can see in the above example. All active interfaces will be assigned to zones, either to the default zone or to a user-specified one. However, an interface cannot be assigned to more than one zone.

In its default configuration, firewalld pairs all interfaces with the public zone and doesn't set up sources for any zones. As a result, public is the only active zone.

Sources are incoming IP address ranges, which also can be assigned to zones. A source (or overlapping sources) cannot be assigned to multiple zones. Doing so results in undefined behavior, as it would not be clear which rules should be applied to that source.

Since specifying a source is not required, for every packet there will be a zone with a matching interface, but there won't necessarily be a zone with a matching source. This indicates some form of precedence with priority going to the more specific source zones, but more on that later. First, let's inspect how the public zone is configured:

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eno1 eno2
  services: dhcpv6-client ssh
  masquerade: no
  rich rules:
# firewall-cmd --permanent --zone=public --get-target

Going line by line through the output:

  • public (default, active) indicates that the public zone is the default zone (interfaces default to it when they come up), and it is active because it has at least one interface or source associated with it.

  • interfaces: eno1 eno2 lists the interfaces associated with the zone.

  • sources: lists the sources for the zone. There aren't any now, but if there were, they would be of the form xxx.xxx.xxx.xxx/xx.

  • services: dhcpv6-client ssh lists the services allowed through the firewall. You can get an exhaustive list of firewalld's defined services by executing firewall-cmd --get-services.

  • ports: lists port destinations allowed through the firewall. This is useful if you need to allow a service that isn't defined in firewalld.

  • masquerade: no indicates that IP masquerading is disabled for this zone. If enabled, this would allow IP forwarding, with your computer acting as a router.

  • forward-ports: lists ports that are forwarded.

  • icmp-blocks: a blacklist of blocked icmp traffic.

  • rich rules: advanced configurations, processed first in a zone.

  • default is the target of the zone, which determines the action taken on a packet that matches the zone yet isn't explicitly handled by one of the above settings.


Nathan Vance is a computer science major at Hope College in Holland, Michigan. He installed Linux Mint 12 as a high school junior and now prefers Arch Linux.