Linux Firewalld Zones and Services

Zones are pre-constructed rulesets for various trust levels you would likely have for a given location or scenario (e.g. home, public, trusted, etc.). Different zones allow different network services and incoming traffic types while denying everything else. After enabling FirewallD for the first time, Public will be the default zone.

Zones can also be applied to different network interfaces. For example, with separate interfaces for both an internal network and the Internet, you can allow DHCP on an internal zone but only HTTP and SSH on external zone. Any interface not explicitly set to a specific zone will be attached to the default zone.

Zones files are XML files and stored at : /usr/lib/firewalld/zones/

FirewallD service is an easy way to handle a service port or ports , it is XMl file describing the service and its ports sets.

The XML file name is the service name that we will use it –add-service=NAME

Service files stored at : /usr/lib/firewalld/services/

If you want to read about firewall basics and simple usage for firewalld and firewall-cmd , please read this.

01. FirewallD Services :

To list all services that we can use to configure firewall, use either of tow ways :

[root@localhost ~]# ls /usr/lib/firewalld/services/
[root@localhost ~]# firewall-cmd --get-services

Let’s explore any service file content for example http.xml

[root@localhost ~]# vim /usr/lib/firewalld/services/http.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

As you see , a simple xml file , the most important line inside <service> section is the <port …. > line:
That is how we define the protocol and port for our service.
<short> is a title .
<description> is a description for the service.

you can create your own service easily by copying any service file to a file with your service name and edit values as you like to point to port and protocol for the new service, then reload firewall.

OR by firewall-cmd command with –new-service= , must use –permanent , so we need to reload :

[root@localhost ~]# firewall-cmd --permanent --new-service=test
success
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns enan ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet test tftp tftp-client transmission-client vnc-server wbem-https
[root@localhost ~]#

To delete a service that has XML file , delete its file and reload firewall.
To delete a service we created by command line , we can delete it by also command line and reboot :

[root@localhost ~]# firewall-cmd --permanent --delete-service=test
success
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]#

Let’s go through an example, if we want to open http port we have to open port number 80 where protocol is tcp by adding that port or adding http service (you can add both at the same time but no benefit ! ):

firewall-cmd --add-port=80/tcp
OR
firewall-cmd --add-service=http

To list currently allowed services :

[root@localhost ~]# firewall-cmd --list-services 
dhcpv6-client http ssh
[root@localhost ~]#

 

02. FirewallD Zones :

The default zone is always : Public , but you can change it .
To show current default zone :

[root@localhost ~]# firewall-cmd --get-default-zone 
public

To change the default Zone :

[root@localhost ~]# firewall-cmd --set-default-zone=external 
success
[root@localhost ~]#

To assign interface to a specific zone ( example: add eth1 to internal zone ) , that will activate that zone rules on that interfaces .

[root@localhost ~]# firewall-cmd --zone=internal --add-interface=eth1
success
[root@localhost ~]# firewall-cmd --list-all --zone=internal 
internal (active)
  interfaces: eth1
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

*Any rules you set without specifying a zone will be applied to the default zone.
To set a rule to a specific zone you must specify it using –zone=ZoneName :

[root@localhost ~]# firewall-cmd --zone=internal --add-service=ftp 
success
[root@localhost ~]# firewall-cmd --list-all --zone=internal 
internal (active)
  interfaces: eth1
  sources: 
  services: dhcpv6-client ftp ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@localhost ~]#

To show all current active zones and related interfaces :

[root@localhost ~]# firewall-cmd --get-active-zones 
internal
  interfaces: eth1
external
  interfaces: eth0
[root@localhost ~]#

To add a new zone :

Create or copy a zone XML file with desired name , edit it , then reload firewall to read it.

[root@localhost ~]# cp /usr/lib/firewalld/zones/dmz.xml /usr/lib/firewalld/zones/akm.xml
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --set-default-zone=
akm       dmz       external  internal  trusted   
block     drop      home      public    work 
[root@localhost ~]# firewall-cmd --set-default-zone=akm
success
[root@localhost ~]# firewall-cmd --list-all
akm (default, active)
  interfaces: eth0
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 
    
[root@localhost ~]#

OR use simple firewall-cmd command to add zones
Only works –permanent , so we must reload to list changes.
* It will not create a zone file, don’t care.

[root@localhost ~]# firewall-cmd --permanent --new-zone=myZone
success
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --get-zones 
akm block dmz drop external home internal myZone public trusted work
[root@localhost ~]# 
[root@localhost ~]# ls /usr/lib/firewalld/zones/
akm.xml    dmz.xml   external.xml  internal.xml  trusted.xml
block.xml  drop.xml  home.xml      public.xml    work.xml
[root@localhost ~]#

To delete a zone you created by creating XML file , you must delete its file and reload.
To delete a zone you created by firewall-cmd command , you also use it for delete that zone :

[root@localhost ~]# firewall-cmd --permanent --delete-zone=myZone
success
[root@localhost ~]# firewall-cmd --reload 
success
[root@localhost ~]# firewall-cmd --get-zones 
ahmed akm block dmz drop external home internal public trusted work
[root@localhost ~]#

Now you know how to configure and use zones , you may need to configure Port-Forwarding and NAT , or add Rich Rules.

That is it for Zones and services , i hope it was simple.
Enjoy !.

 

2 comments on “Linux Firewalld Zones and Services

Comments are closed.