FIREWALLD.ZONE(5)                 firewalld.zone                FIREWALLD.ZONE(5)

NAME
       firewalld.zone - firewalld zone configuration files

SYNOPSIS
       /etc/firewalld/zones/zone.xml

       /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
       A firewalld zone configuration file contains the information for a
       zone: the zone description, services, ports, protocols, icmp-blocks,
       masquerade, forward-ports, intra-zone forwarding and rich language
       rules, in an XML file format. The file name has to be zone_name.xml,
       where the length of zone_name is currently limited to 17 characters.

       This is the structure of a zone configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
             [ <interface name="string"/> ]
             [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
             [ <icmp-block-inversion/> ]
             [ <forward/> ]
             [ <short>short description</short> ]
             [ <description>description</description> ]
             [ <service name="string"/> ]
             [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
             [ <protocol value="protocol"/> ]
             [ <icmp-block name="string"/> ]
             [ <masquerade/> ]
             [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
             [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
             [
               <rule [family="ipv4|ipv6"]>
                 [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                 [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                 [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
                 ]
                 [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                 ]
               </rule>
             ]
           </zone>

       The config can contain these tags and attributes. Some of them are
       mandatory, others optional.

       zone
           The mandatory zone start and end tag defines the zone. This tag can
           only be used once in a zone configuration file. There are optional
           attributes for zones:

           version="string"
               To give the zone a version.

           target="ACCEPT|%%REJECT%%|DROP"
               Can be used to accept, reject or drop every packet that doesn't
               match any rule (port, service, etc.). The ACCEPT target is used
               in the trusted zone to accept every packet not matching any
               rule. The %%REJECT%% target is used in the block zone to reject
               (with the default firewalld reject type) every packet not
               matching any rule. The DROP target is used in the drop zone to
               drop every packet not matching any rule. If the target is not
               specified, every packet not matching any rule will be rejected.

       interface
           Is an optional empty-element tag and can be used several times. It
           can be used to bind an interface to a zone. You don't need this for
           NetworkManager-managed interfaces, because NetworkManager binds
           interfaces to zones automatically. See also 'How to set or change a
           zone for a connection?' in firewalld.zones(5). You can use it as a
           fallback mechanism for interfaces that can't be managed via
           NetworkManager. An interface entry has exactly one attribute:

           name="string"
               The name of the interface to be bound to the zone.

       source
           Is an optional empty-element tag and can be used several times. It
           can be used to bind a source address, address range, MAC address or
           ipset to a zone. A source entry has exactly one of these attributes:

           address="address[/mask]"
               The source is either an IP address or a network IP address with
               a mask, for IPv4 or IPv6. The network family (IPv4/IPv6) will be
               discovered automatically. For IPv4, the mask can be a network
               mask or a plain number (prefix length). For IPv6 the mask is a
               plain number. The use of host names is not supported.

           mac="MAC"
               The source is a MAC address. It must be of the form
               XX:XX:XX:XX:XX:XX.

           ipset="ipset"
               The source is an ipset.

       icmp-block-inversion
           Is an optional empty-element tag and can be used only once in a zone
           configuration. This flag inverts the icmp-block handling: only the
           ICMP types listed in icmp-block entries are accepted, and all other
           ICMP types are rejected in the zone.

       forward
           Is an optional empty-element tag and can be used only once in a zone
           configuration. This flag enables intra-zone forwarding. When
           enabled, packets will be forwarded between interfaces or sources
           within a zone, even if the zone's target is not set to ACCEPT.

       short
           Is an optional start and end tag and is used to give the zone a
           more readable name.

       description
           Is an optional start and end tag to give the zone a description.

       service
           Is an optional empty-element tag and can be used several times to
           have more than one service entry enabled. A service entry has
           exactly one attribute:

           name="string"
               The name of the service to be enabled. To get a list of valid
               service names, firewall-cmd --get-services can be used.

       port
           Is an optional empty-element tag and can be used several times to
           have more than one port entry. All attributes of a port entry are
           mandatory:

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       protocol
           Is an optional empty-element tag and can be used several times to
           have more than one protocol entry. A protocol entry has exactly one
           attribute:

           value="string"
               The protocol can be any protocol supported by the system. Please
               have a look at /etc/protocols for supported protocols.

       icmp-block
           Is an optional empty-element tag and can be used several times to
           have more than one icmp-block entry. Each icmp-block tag has exactly
           one mandatory attribute:

           name="string"
               The name of the Internet Control Message Protocol (ICMP) type to
               be blocked. To get a list of valid ICMP types, firewall-cmd
               --get-icmptypes can be used.

       tcp-mss-clamp
           Is an optional empty-element tag and can be used several times. If
           the value attribute is omitted, the maximum segment size is set to
           'pmtu'. This tag has exactly one optional attribute:

           value="string"
               Sets the maximum segment size either to 'pmtu' (Path Maximum
               Transmission Unit) or to a user-defined value that is greater
               than or equal to 536.

       masquerade
           Is an optional empty-element tag. It can be used only once. If it is
           present, masquerading is enabled.

       forward-port
           Is an optional empty-element tag and can be used several times to
           have more than one port or packet forward entry. There are mandatory
           and also optional attributes for forward ports:

           Mandatory attributes:
               The local port and protocol to be forwarded.

               port="portid[-portid]"
                   The port can either be a single port number portid or a
                   port range portid-portid.

               protocol="tcp|udp|sctp|dccp"
                   The protocol can either be tcp, udp, sctp or dccp.

           Optional attributes:
               The destination of the forward. For local forwarding add
               to-port only. For remote forwarding add to-addr, and use to-port
               optionally if the destination port on the destination machine
               should be different.

               to-port="portid[-portid]"
                   The destination port or port range to forward to. If
                   omitted, the value of the port= attribute is used together
                   with the to-addr attribute.

               to-addr="address"
                   The destination IP address, either IPv4 or IPv6.

       source-port
           Is an optional empty-element tag and can be used several times to
           have more than one source port entry. All attributes of a source
           port entry are mandatory:

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       rule
           Is an optional element tag and can be used several times to have
           more than one rich language rule entry.

           The general rule structure:

               <rule [family="ipv4|ipv6"]>
                 [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                 [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                 [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
                 ]
                 [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                 ]
               </rule>

           Rule structure for source black or white listing:

               <rule [family="ipv4|ipv6"]>
                 <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
                 [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 <accept> [<limit value="rate/duration"/>] </accept> |
                 <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                 <drop> [<limit value="rate/duration"/>] </drop>
               </rule>

           For a full description of rich language rules, please have a look
           at firewalld.richlanguage(5).

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
       firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 1.0.5                                               FIREWALLD.ZONE(5)