'\" t
.\" Title: firewalld.zones
.\" Author: Thomas Woerner <twoerner@redhat.com>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date:
.\" Manual: firewalld.zones
.\" Source: firewalld 0.8.2
.\" Language: English
.\"
.TH "FIREWALLD\&.ZONES" "5" "" "firewalld 0.8.2" "firewalld.zones"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
firewalld.zones \- firewalld zones
.SH "DESCRIPTION"
.SS "What is a zone?"
.PP
A network zone defines the level of trust for network connections\&. This is a one\-to\-many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections\&.
.PP
The zone defines the firewall features that are enabled in this zone:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBPredefined services\fR
.RS 4
.PP
A service is a combination of port and/or protocol entries\&. Optionally, netfilter helper modules can be added, as well as an IPv4 and IPv6 destination address\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBPorts and protocols\fR
.RS 4
.PP
Definition of
\fItcp\fR
or
\fIudp\fR
ports, where ports can be a single port or a port range\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBICMP blocks\fR
.RS 4
.PP
Blocks selected Internet Control Message Protocol (ICMP) messages\&. These messages are either information requests or created as a reply to information requests or in error conditions\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBMasquerading\fR
.RS 4
.PP
The addresses of a private network are mapped to and hidden behind a public IP address\&. This is a form of address translation\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBForward ports\fR
.RS 4
.PP
A forward port is mapped either to the same port on another host, to another port on the same host, or to another port on another host\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBRich language rules\fR
.RS 4
.PP
The rich language extends the elements (service, port, icmp\-block, masquerade, forward\-port and source\-port) with additional source and destination addresses, logging, actions and limits for logs and actions\&. It can also be used for host or network white and black listing (for more information, please have a look at
\fBfirewalld.richlanguage\fR(5))\&.
.RE
.PP
For more information on the zone file format, please have a look at
\fBfirewalld.zone\fR(5)\&.
.SS "Which zones are available?"
.PP
Here are the zones provided by firewalld, sorted according to their default trust level from untrusted to trusted:
.PP
drop
.RS 4
Any incoming network packets are dropped; there is no reply\&. Only outgoing network connections are possible\&.
.RE
.PP
block
.RS 4
Any incoming network connections are rejected with an
\fIicmp\-host\-prohibited\fR
message for IPv4 and
\fIicmp6\-adm\-prohibited\fR
for IPv6\&. Only network connections initiated within this system are possible\&.
.RE
.PP
public
.RS 4
For use in public areas\&. You do not trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
external
.RS 4
For use on external networks with masquerading enabled, especially for routers\&. You do not trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
dmz
.RS 4
For computers in your demilitarized zone that are publicly\-accessible with limited access to your internal network\&. Only selected incoming connections are accepted\&.
.RE
.PP
work
.RS 4
For use in work areas\&. You mostly trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
home
.RS 4
For use in home areas\&. You mostly trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
internal
.RS 4
For use on internal networks\&. You mostly trust the other computers on the networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
trusted
.RS 4
All network connections are accepted\&.
.RE
.SS "Which zone should be used?"
.PP
A public Wi\-Fi network connection, for example, should be mainly untrusted, while a wired home network connection should be fairly trusted\&. Select the zone that best matches the network you are using\&.
.SS "How to configure or add zones?"
.PP
To configure or add zones, you can either use one of the firewalld interfaces to handle and change the configuration, namely the graphical configuration tool firewall\-config, the command line tool
\fBfirewall\-cmd\fR
or the D\-Bus interface, or you can create or copy a zone file in one of the configuration directories\&.
\fI/usr/lib/firewalld/zones\fR
is used for default and fallback configurations and
\fI/usr/etc/firewalld/zones\fR
is used for user created and customized configuration files\&.
.SS "How to set or change a zone for a connection?"
.PP
The zone is stored in the ifcfg file of the connection with the
\fBZONE=\fR
option\&. If the option is missing or empty, the default zone set in firewalld is used\&.
.PP
If the connection is controlled by NetworkManager, you can also use
\fBnm\-connection\-editor\fR
to change the zone\&.
.PP
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that uses the interface\&.
.PP
Only for the removal of interfaces that are not under control of NetworkManager: firewalld does not try to change the ZONE setting in the ifcfg file\&. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone\&. Only the zone binding is then removed in firewalld\&.
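The two lookups described in the last two sections, as an added example that is not firewalld's own code: the zone a connection ends up in (the ZONE= option of its ifcfg file, otherwise the DefaultZone= setting of firewalld.conf) and which zone file is in effect for that zone, assuming the user directory takes precedence over the default and fallback directory. All directories, ifcfg files and the firewalld.conf are constructed in a temporary directory, not read from the system paths.

```shell
#!/bin/sh
# Added example, not firewalld's own code: resolves the zone a connection
# lands in by the rules of this page (ZONE= in the ifcfg file, otherwise
# the DefaultZone= from firewalld.conf) and finds the active zone file,
# assuming the user zone directory overrides the default/fallback one.
# Everything below works on constructed files in a temporary directory.

# cfg_get FILE KEY: last KEY=value line of a shell-style config, quotes stripped
cfg_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d "\"'"
}

# connection_zone IFCFG FIREWALLD_CONF: print the effective zone name
connection_zone() {
    zone=$(cfg_get "$1" ZONE)
    # option missing or empty: fall back to the daemon's default zone
    [ -n "$zone" ] || zone=$(cfg_get "$2" DefaultZone)
    printf '%s\n' "$zone"
}

# active_zone_file NAME USER_DIR LIB_DIR: print the zone file that is in effect
active_zone_file() {
    if [ -f "$2/$1.xml" ]; then
        printf '%s\n' "$2/$1.xml"      # user created / customized copy wins
    elif [ -f "$3/$1.xml" ]; then
        printf '%s\n' "$3/$1.xml"      # shipped default / fallback
    else
        return 1                       # no such zone in either directory
    fi
}

# Constructed fixture standing in for /usr/lib/firewalld/zones, the user
# zones directory, firewalld.conf and three ifcfg files.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
mkdir -p "$TMP/lib/zones" "$TMP/etc/zones"
for z in public work; do printf '<?xml version="1.0"?>\n<zone/>\n' > "$TMP/lib/zones/$z.xml"; done
printf '<?xml version="1.0"?>\n<zone>\n  <service name="ssh"/>\n</zone>\n' > "$TMP/etc/zones/work.xml"
printf 'DefaultZone=public\n' > "$TMP/firewalld.conf"
printf 'DEVICE=eth0\nZONE="work"\n' > "$TMP/ifcfg-eth0"   # explicit zone
printf 'DEVICE=eth1\nZONE=\n' > "$TMP/ifcfg-eth1"         # empty: default zone
printf 'DEVICE=eth2\n' > "$TMP/ifcfg-eth2"                # missing: default zone

for dev in eth0 eth1 eth2; do
    z=$(connection_zone "$TMP/ifcfg-$dev" "$TMP/firewalld.conf")
    printf '%s -> zone %s, file %s\n' "$dev" "$z" "$(active_zone_file "$z" "$TMP/etc/zones" "$TMP/lib/zones")"
done
```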
.SH "SEE ALSO"
\fBfirewall-applet\fR(1), \fBfirewalld\fR(1), \fBfirewall-cmd\fR(1), \fBfirewall-config\fR(1), \fBfirewalld.conf\fR(5), \fBfirewalld.direct\fR(5), \fBfirewalld.dbus\fR(5), \fBfirewalld.icmptype\fR(5), \fBfirewalld.lockdown-whitelist\fR(5), \fBfirewall-offline-cmd\fR(1), \fBfirewalld.richlanguage\fR(5), \fBfirewalld.service\fR(5), \fBfirewalld.zone\fR(5), \fBfirewalld.zones\fR(5), \fBfirewalld.ipset\fR(5), \fBfirewalld.helper\fR(5)
.SH "NOTES"
.PP
firewalld home page:
.RS 4
\m[blue]\fB\%http://firewalld.org\fR\m[]
.RE
.PP
More documentation with examples:
.RS 4
\m[blue]\fB\%http://fedoraproject.org/wiki/FirewallD\fR\m[]
.RE
.SH "AUTHORS"
.PP
\fBThomas Woerner\fR <\&twoerner@redhat\&.com\&>
.RS 4
Developer
.RE
.PP
\fBJiri Popelka\fR <\&jpopelka@redhat\&.com\&>
.RS 4
Developer
.RE
.PP
\fBEric Garver\fR <\&eric@garver\&.life\&>
.RS 4
Developer
.RE