source-git / firewalld

Clone
Source Code
GIT

Files

  1.   4d91e9682ac6eb278f2f7548854d79a86822cc94
  2.   doc
  3.   man
  4.   man5
  5.   firewalld.zones.5
Blob Blame History Raw 
'\" t
.\"     Title: firewalld.zones
.\"    Author: Thomas Woerner <twoerner@redhat.com>
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 
.\"    Manual: firewalld.zones
.\"    Source: firewalld 0.8.2
.\"  Language: English
.\"
.TH "FIREWALLD\&.ZONES" "5" "" "firewalld 0.8.2" "firewalld.zones"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
firewalld.zones \- firewalld zones
.SH "DESCRIPTION"
.SS "What is a zone?"
.PP
A network zone defines the level of trust for network connections\&. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections\&.
.PP
The zone defines the firewall features that are enabled in this zone:
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBPredefined services\fR
.RS 4
.PP
A service is a combination of port and/or protocol entries\&. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBPorts and protocols\fR
.RS 4
.PP
Definition of
\fItcp\fR
or
\fIudp\fR
ports, where ports can be a single port or a port range\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBICMP blocks\fR
.RS 4
.PP
Blocks selected Internet Control Message Protocol (ICMP) messages\&. These messages are either information requests or created as a reply to information requests or in error conditions\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBMasquerading\fR
.RS 4
.PP
The addresses of a private network are mapped to and hidden behind a public IP address\&. This is a form of address translation\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBForward ports\fR
.RS 4
.PP
A forward port is either mapped to the same port on another host or to another port on the same host or to another port on another host\&.
.RE
.sp
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBRich language rules\fR
.RS 4
.PP
The rich language extends the elements (service, port, icmp\-block, masquerade, forward\-port and source\-port) with additional source and destination addresses, logging, actions and limits for logs and actions\&. It can also be used for host or network white and black listing (for more information, please have a look at
\fBfirewalld.richlanguage\fR(5))\&.
.RE
.PP
For more information on the zone file format, please have a look at
\fBfirewalld.zone\fR(5)\&.
.SS "Which zones are available?"
.PP
Here are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
.PP
drop
.RS 4
Any incoming network packets are dropped, there is no reply\&. Only outgoing network connections are possible\&.
.RE
.PP
block
.RS 4
Any incoming network connections are rejected with an
\fIicmp\-host\-prohibited\fR
message for IPv4 and
\fIicmp6\-adm\-prohibited\fR
for IPv6\&. Only network connections initiated within this system are possible\&.
.RE
.PP
public
.RS 4
For use in public areas\&. You do not trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
external
.RS 4
For use on external networks with masquerading enabled especially for routers\&. You do not trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
dmz
.RS 4
For computers in your demilitarized zone that are publicly\-accessible with limited access to your internal network\&. Only selected incoming connections are accepted\&.
.RE
.PP
work
.RS 4
For use in work areas\&. You mostly trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
home
.RS 4
For use in home areas\&. You mostly trust the other computers on networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
internal
.RS 4
For use on internal networks\&. You mostly trust the other computers on the networks to not harm your computer\&. Only selected incoming connections are accepted\&.
.RE
.PP
trusted
.RS 4
All network connections are accepted\&.
.RE
.SS "Which zone should be used?"
.PP
A public WIFI network connection for example should be mainly untrusted, a wired home network connection should be fairly trusted\&. Select the zone that best matches the network you are using\&.
.SS "How to configure or add zones?"
.PP
To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration: These are the graphical configuration tool firewall\-config, the command line tool
\fBfirewall\-cmd\fR
or the D\-Bus interface\&. Or you can create or copy a zone file in one of the configuration directories\&.
\fI/usr/lib/firewalld/zones\fR
is used for default and fallback configurations and
\fI/usr/etc/firewalld/zones\fR
is used for user created and customized configuration files\&.
.SS "How to set or change a zone for a connection?"
.PP
The zone is stored into the ifcfg of the connection with
\fBZONE=\fR
option\&. If the option is missing or empty, the default zone set in firewalld is used\&.
.PP
If the connection is controlled by NetworkManager, you can also use
\fBnm\-connection\-editor\fR
to change the zone\&.
.PP
For the addion or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface\&.
.PP
Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file\&. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone\&. Only the zone binding is then removed in firewalld then\&.
.SH "SEE ALSO"
\fBfirewall-applet\fR(1), \fBfirewalld\fR(1), \fBfirewall-cmd\fR(1), \fBfirewall-config\fR(1), \fBfirewalld.conf\fR(5), \fBfirewalld.direct\fR(5), \fBfirewalld.dbus\fR(5), \fBfirewalld.icmptype\fR(5), \fBfirewalld.lockdown-whitelist\fR(5), \fBfirewall-offline-cmd\fR(1), \fBfirewalld.richlanguage\fR(5), \fBfirewalld.service\fR(5), \fBfirewalld.zone\fR(5), \fBfirewalld.zones\fR(5), \fBfirewalld.ipset\fR(5), \fBfirewalld.helper\fR(5)
.SH "NOTES"
.PP
firewalld home page:
.RS 4
\m[blue]\fB\%http://firewalld.org\fR\m[]
.RE
.PP
More documentation with examples:
.RS 4
\m[blue]\fB\%http://fedoraproject.org/wiki/FirewallD\fR\m[]
.RE
.SH "AUTHORS"
.PP
\fBThomas Woerner\fR <\&twoerner@redhat\&.com\&>
.RS 4
Developer
.RE
.PP
\fBJiri Popelka\fR <\&jpopelka@redhat\&.com\&>
.RS 4
Developer
.RE
.PP
\fBEric Garver\fR <\&eric@garver\&.life\&>
.RS 4
Developer
.RE

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation