FIREWALLD.ZONE(5)                 firewalld.zone                 FIREWALLD.ZONE(5)

NAME
    firewalld.zone - firewalld zone configuration files

SYNOPSIS
    /etc/firewalld/zones/zone.xml

    /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
    A firewalld zone configuration file contains the information for a
    zone. These are the zone description, services, ports, protocols,
    icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich
    language rules in an XML file format. The file name has to be
    zone_name.xml, where the length of zone_name is currently limited to 17
    characters.

    This is the structure of a zone configuration file:

        <?xml version="1.0" encoding="utf-8"?>
        <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
          [ <interface name="string"/> ]
          [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
          [ <icmp-block-inversion/> ]
          [ <forward/> ]
          [ <short>short description</short> ]
          [ <description>description</description> ]
          [ <service name="string"/> ]
          [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
          [ <protocol value="protocol"/> ]
          [ <icmp-block name="string"/> ]
          [ <masquerade/> ]
          [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
          [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
          [
            <rule [family="ipv4|ipv6"] [priority="priority"]>
              [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
              [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
              [
                <service name="string"/> |
                <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                <protocol value="protocol"/> |
                <icmp-block name="icmptype"/> |
                <icmp-type name="icmptype"/> |
                <masquerade/> |
                <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
              ]
              [
                <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
              ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              [
                <accept> [<limit value="rate/duration"/>] </accept> |
                <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                <drop> [<limit value="rate/duration"/>] </drop> |
                <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
              ]
            </rule>
          ]
        </zone>

    The config can contain these tags and attributes. Some of them are
    mandatory, others optional.

    zone
        The mandatory zone start and end tag defines the zone. This tag can
        only be used once in a zone configuration file. There are optional
        attributes for zones:

        version="string"
            To give the zone a version.

        target="ACCEPT|%%REJECT%%|DROP"
            Can be used to accept, reject or drop every packet that doesn't
            match any rule (port, service, etc.). The ACCEPT target is used in
            the trusted zone to accept every packet not matching any rule. The
            %%REJECT%% target is used in the block zone to reject (with the
            default firewalld reject type) every packet not matching any rule.
            The DROP target is used in the drop zone to drop every packet not
            matching any rule. If the target is not specified, every packet
            not matching any rule will be rejected.

    interface
        Is an optional empty-element tag and can be used several times. It can
        be used to bind an interface to a zone. You don't need this for
        NetworkManager-managed interfaces, because NetworkManager binds
        interfaces to zones automatically. See also 'How to set or change a
        zone for a connection?' in firewalld.zones(5). You can use it as a
        fallback mechanism for interfaces that can't be managed via
        NetworkManager. An interface entry has exactly one attribute:

        name="string"
            The name of the interface to be bound to the zone.

    source
        Is an optional empty-element tag and can be used several times. It can
        be used to bind a source address, address range, a MAC address or an
        ipset to a zone. A source entry has exactly one of these attributes:

        address="address[/mask]"
            The source is either an IP address or a network IP address with a
            mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be
            automatically discovered. For IPv4, the mask can be a network mask
            or a plain number. For IPv6 the mask is a plain number. The use of
            host names is not supported.

        mac="MAC"
            The source is a MAC address. It must be of the form
            XX:XX:XX:XX:XX:XX.

        ipset="ipset"
            The source is an ipset.

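As an added example (not code from the firewalld project), the following Python checks a source entry against the rules just described: exactly one of address, mac or ipset; an IPv4 mask given as a network mask or a plain number, an IPv6 mask as a plain number only; no host names; a MAC of the form XX:XX:XX:XX:XX:XX. The sample entries are constructed, and the standard ipaddress module is assumed as a stand-in for firewalld's own address checks.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

def classify_source(attrs):
    """Validate one <source .../> entry (dict of its attributes) and return its
    kind: 'ipv4', 'ipv6', 'mac' or 'ipset'. Raises ValueError otherwise."""
    keys = set(attrs) & {"address", "mac", "ipset"}
    if len(keys) != 1 or set(attrs) - keys:
        raise ValueError("source needs exactly one of address, mac or ipset")
    if "mac" in attrs:
        if not MAC_RE.match(attrs["mac"]):
            raise ValueError("MAC must be of the form XX:XX:XX:XX:XX:XX")
        return "mac"
    if "ipset" in attrs:
        if not attrs["ipset"]:
            raise ValueError("ipset name must not be empty")
        return "ipset"
    # address[/mask]: the stdlib ipaddress module (assumed here as a stand-in for
    # firewalld's own checks) rejects host names, accepts an IPv4 mask given as
    # a network mask or a plain number, and for IPv6 accepts only a plain number.
    try:
        iface = ipaddress.ip_interface(attrs["address"])
    except ValueError as exc:
        raise ValueError("bad source address %r: %s" % (attrs["address"], exc))
    return "ipv4" if iface.version == 4 else "ipv6"

# Constructed entries as they might appear in a zone file.
SAMPLES = [
    {"address": "192.0.2.0/255.255.255.0"},          # IPv4, network mask
    {"address": "192.0.2.0/24"},                     # IPv4, plain number
    {"address": "2001:db8::/64"},                    # IPv6, plain number
    {"mac": "00:11:22:aa:bb:cc"},
    {"ipset": "blocklist"},
    {"address": "2001:db8::/ffff:ffff:ffff:ffff::"},  # rejected: IPv6 netmask
    {"address": "gateway.example"},                  # rejected: host name
    {"mac": "0011.22aa.bbcc"},                       # rejected: wrong MAC form
]

def check_all(entries):
    """Return each entry's kind, or 'error: ...' when the entry is invalid."""
    results = []
    for entry in entries:
        try:
            results.append(classify_source(entry))
        except ValueError as exc:
            results.append("error: %s" % exc)
    return results
```
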
    icmp-block-inversion
        Is an optional empty-element tag and can be used only once in a zone
        configuration. This flag inverts the icmp block handling. Only enabled
        ICMP types are accepted and all others are rejected in the zone.

    forward
        Is an optional empty-element tag and can be used only once in a zone
        configuration. This flag enables intra-zone forwarding. When enabled,
        packets will be forwarded between interfaces or sources within a zone,
        even if the zone's target is not set to ACCEPT.

    short
        Is an optional start and end tag and is used to give a more readable
        name.

    description
        Is an optional start and end tag to have a description.

    service
        Is an optional empty-element tag and can be used several times to have
        more than one service entry enabled. A service entry has exactly one
        attribute:

        name="string"
            The name of the service to be enabled. To get a list of valid
            service names, firewall-cmd --get-services can be used.

    port
        Is an optional empty-element tag and can be used several times to have
        more than one port entry. All attributes of a port entry are mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port range
            portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

    protocol
        Is an optional empty-element tag and can be used several times to have
        more than one protocol entry. A protocol entry has exactly one
        attribute:

        value="string"
            The protocol can be any protocol supported by the system. Please
            have a look at /etc/protocols for supported protocols.

    icmp-block
        Is an optional empty-element tag and can be used several times to have
        more than one icmp-block entry. Each icmp-block tag has exactly one
        mandatory attribute:

        name="string"
            The name of the Internet Control Message Protocol (ICMP) type to be
            blocked. To get a list of valid ICMP types, firewall-cmd
            --get-icmptypes can be used.

    tcp-mss-clamp
        Is an optional empty-element tag and can be used several times. If left
        empty, the maximum segment size is set to 'pmtu'. This tag has exactly
        one optional attribute:

        value="string"
            Sets the maximum segment size to 'pmtu' (Path Maximum Transmission
            Unit) or to a user-defined value that is greater than or equal to
            536.

    masquerade
        Is an optional empty-element tag. It can be used only once. If it is
        present, masquerading is enabled.

    forward-port
        Is an optional empty-element tag and can be used several times to have
        more than one port or packet forward entry. There are mandatory and
        also optional attributes for forward ports:

        Mandatory attributes:
            The local port and protocol to be forwarded.

            port="portid[-portid]"
                The port can either be a single port number portid or a port
                range portid-portid.

            protocol="tcp|udp|sctp|dccp"
                The protocol can either be tcp, udp, sctp or dccp.

        Optional attributes:
            The destination of the forward. For local forwarding add to-port
            only. For remote forwarding add to-addr and use to-port optionally
            if the destination port on the destination machine should be
            different.

            to-port="portid[-portid]"
                The destination port or port range to forward to. If omitted,
                the value of the port attribute is used together with the
                to-addr attribute.

            to-addr="address"
                The destination IP address, either IPv4 or IPv6.

    source-port
        Is an optional empty-element tag and can be used several times to have
        more than one source port entry. All attributes of a source port entry
        are mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port range
            portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

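As an added example (not code from the firewalld project), the following Python parses a constructed zone file with the standard xml.etree module and checks the points made in the zone, port, masquerade, forward-port and source-port sections above: the 17-character limit on the zone name, a valid target, the elements that may be used only once, well-formed port and protocol attributes, and a forward-port with neither to-port nor to-addr; effective_forwards applies the documented fallback of to-port to the port attribute. The sample file and finding texts are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed zone file (not from the firewalld tree): target="ACCEPT", one
# forward-port that omits to-port, and one that is broken in two ways.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <port port="8443" protocol="tcp"/>
  <masquerade/>
  <forward-port port="80" protocol="tcp" to-addr="192.0.2.10"/>
  <forward-port port="70000-443" protocol="tcp"/>
</zone>
"""

SINGLE_USE = ("icmp-block-inversion", "forward", "masquerade")
VALID_TARGETS = ("ACCEPT", "%%REJECT%%", "DROP")
PROTOCOLS = ("tcp", "udp", "sctp", "dccp")

def valid_port(spec):
    """portid or portid-portid, each within 1..65535 and in ascending order."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)

def audit_zone(xml_text, zone_name):
    """Return a list of findings; an empty list means nothing to flag."""
    root = ET.fromstring(xml_text)
    findings = []
    if len(zone_name) > 17:
        findings.append("zone name longer than 17 characters")
    target = root.get("target")
    if target is not None and target not in VALID_TARGETS:
        findings.append("invalid target %r" % target)
    elif target == "ACCEPT":
        findings.append("target ACCEPT: packets matching no rule are accepted")
    for tag in SINGLE_USE:
        if len(root.findall(tag)) > 1:
            findings.append("<%s> used more than once" % tag)
    for el in root.findall("port") + root.findall("source-port") + root.findall("forward-port"):
        if not valid_port(el.get("port", "")) or el.get("protocol") not in PROTOCOLS:
            findings.append("<%s> has an invalid port or protocol attribute" % el.tag)
        if el.tag == "forward-port" and el.get("to-port") is None and el.get("to-addr") is None:
            findings.append("<forward-port port=%r> has neither to-port nor to-addr" % el.get("port"))
    return findings

def effective_forwards(xml_text):
    """(port, protocol, to-addr, effective to-port): a missing to-port falls back to port."""
    return [(fp.get("port"), fp.get("protocol"), fp.get("to-addr"),
             fp.get("to-port") or fp.get("port"))
            for fp in ET.fromstring(xml_text).findall("forward-port")]
```
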
    rule
        Is an optional element tag and can be used several times to have more
        than one rich language rule entry.

        The general rule structure:

            <rule [family="ipv4|ipv6"] [priority="priority"]>
              [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
              [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
              [
                <service name="string"/> |
                <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                <protocol value="protocol"/> |
                <icmp-block name="icmptype"/> |
                <icmp-type name="icmptype"/> |
                <masquerade/> |
                <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
              ]
              [
                <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
              ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              [
                <accept> [<limit value="rate/duration"/>] </accept> |
                <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                <drop> [<limit value="rate/duration"/>] </drop> |
                <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
              ]
            </rule>

        Rule structure for source allowlisting or blocklisting:

            <rule [family="ipv4|ipv6"] [priority="priority"]>
              <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
              [
                <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
              ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              <accept> [<limit value="rate/duration"/>] </accept> |
              <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
              <drop> [<limit value="rate/duration"/>] </drop>
            </rule>

        For a full description of rich language rules, please have a look at
        firewalld.richlanguage(5).

SEE ALSO
    firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
    firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
    firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
    firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
    firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
    firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES
    firewalld home page:
        http://firewalld.org

    More documentation with examples:
        http://fedoraproject.org/wiki/FirewallD

AUTHORS
    Thomas Woerner <twoerner@redhat.com>
        Developer

    Jiri Popelka <jpopelka@redhat.com>
        Developer

    Eric Garver <eric@garver.life>
        Developer

firewalld 1.2.3                                                FIREWALLD.ZONE(5)