FIREWALLD.ZONE(5)                  firewalld.zone                  FIREWALLD.ZONE(5)

NAME
   firewalld.zone - firewalld zone configuration files

SYNOPSIS
   /etc/firewalld/zones/zone.xml

   /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
   A firewalld zone configuration file contains the information for a
   zone: the zone description, services, ports, protocols, icmp-blocks,
   masquerade, forward-ports, intra-zone forwarding and rich language
   rules, in an XML file format. The file name has to be zone_name.xml,
   where the length of zone_name is currently limited to 17 characters.

   This is the structure of a zone configuration file:

      <?xml version="1.0" encoding="utf-8"?>
      <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
        [ <interface name="string"/> ]
        [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
        [ <icmp-block-inversion/> ]
        [ <forward/> ]
        [ <short>short description</short> ]
        [ <description>description</description> ]
        [ <service name="string"/> ]
        [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
        [ <protocol value="protocol"/> ]
        [ <icmp-block name="string"/> ]
        [ <masquerade/> ]
        [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
        [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
        [
          <rule [family="ipv4|ipv6"] [priority="priority"]>
            [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
            [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
            [
              <service name="string"/> |
              <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
              <protocol value="protocol"/> |
              <icmp-block name="icmptype"/> |
              <icmp-type name="icmptype"/> |
              <masquerade/> |
              <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
              <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
            ]
            [
              <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
              <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
            ]
            [ <audit> [<limit value="rate/duration"/>] </audit> ]
            [
              <accept> [<limit value="rate/duration"/>] </accept> |
              <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
              <drop> [<limit value="rate/duration"/>] </drop> |
              <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
            ]
          </rule>
        ]
      </zone>

   The config can contain these tags and attributes. Some of them are
   mandatory, others optional.

   zone
      The mandatory zone start and end tag defines the zone. This tag can
      only be used once in a zone configuration file. There are optional
      attributes for zones:

      version="string"
         To give the zone a version.

      target="ACCEPT|%%REJECT%%|DROP"
         Can be used to accept, reject or drop every packet that doesn't
         match any rule (port, service, etc.). The ACCEPT target is used in
         the trusted zone to accept every packet not matching any rule. The
         %%REJECT%% target is used in the block zone to reject (with the
         default firewalld reject type) every packet not matching any rule.
         The DROP target is used in the drop zone to drop every packet not
         matching any rule. If the target is not specified, every packet
         not matching any rule will be rejected.

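   The following script is an added example for this page, not firewalld's
   own code. It parses a constructed zone file with the structure shown
   above, applies the constraints the page states (a <source> carries exactly
   one of address/mac/ipset, port entries are portid or portid-portid with a
   tcp/udp/sctp/dccp protocol, zone_name is at most 17 characters) and then
   shows how the target attribute decides the fate of a packet that matches
   no <port> or <service> entry, including the reject default when no target
   is set. The service-to-port mapping (SERVICE_PORTS) is an assumption for
   the example, since the zone file only names services; forward_destination
   applies the to-port/to-addr rules from the forward-port section.

```python
"""Parse a firewalld zone XML file and evaluate its default target.

Added example for firewalld.zone(5); not firewalld's own code.
"""
import re
import xml.etree.ElementTree as ET

MAX_ZONE_NAME = 17                       # file-name limit stated in the man page
TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
SOURCE_ATTRS = ("address", "mac", "ipset")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Assumed service definitions: a zone file only names services; the port
# lists normally come from firewalld's service files (constructed here).
SERVICE_PORTS = {"ssh": [(22, 22, "tcp")], "dns": [(53, 53, "tcp"), (53, 53, "udp")]}

# Constructed sample zone file, not taken from any real system.  It carries
# one deliberate defect (a port above 65535) so the checker reports something.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone version="1" target="DROP">
  <short>Example DMZ</short>
  <description>Constructed example for the checker below.</description>
  <interface name="eth1"/>
  <source address="192.0.2.0/24"/>
  <source mac="00:11:22:33:44:55"/>
  <service name="ssh"/>
  <port port="8080-8090" protocol="tcp"/>
  <port port="70000" protocol="tcp"/>
  <forward-port port="443" protocol="tcp" to-addr="198.51.100.7"/>
</zone>
"""


def parse_port(spec):
    """Return (low, high) for 'portid' or 'portid-portid'; raise ValueError if invalid."""
    low, sep, high = spec.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range: {spec}")
    return lo, hi


def zone_name_ok(zone_name):
    """The file must be zone_name.xml with zone_name at most 17 characters."""
    return 0 < len(zone_name) <= MAX_ZONE_NAME


def load_zone(xml_text):
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError(f"root element is <{root.tag}>, expected <zone>")
    return root


def validate_zone(root):
    """Return a list of problems; empty means the file matches the described structure."""
    problems = []
    target = root.get("target")
    if target is not None and target not in TARGETS:
        problems.append(f"unknown target {target!r}")
    for el in root:
        if el.tag == "source":
            present = [a for a in SOURCE_ATTRS if el.get(a) is not None]
            if len(present) != 1:
                problems.append(f"<source> needs exactly one of {SOURCE_ATTRS}, got {present}")
            elif present == ["mac"] and not MAC_RE.match(el.get("mac")):
                problems.append(f"malformed MAC address {el.get('mac')!r}")
        elif el.tag in ("port", "source-port", "forward-port"):
            if el.get("protocol") not in PROTOCOLS:
                problems.append(f"<{el.tag}> protocol must be one of {sorted(PROTOCOLS)}")
            try:
                parse_port(el.get("port", ""))
            except ValueError as exc:
                problems.append(f"<{el.tag}>: {exc}")
    return problems


def forward_destination(el):
    """Destination of a <forward-port>: to-addr (None means local forwarding) and
    to-port, falling back to the original port when to-port is omitted."""
    return el.get("to-addr"), el.get("to-port", el.get("port"))


def default_verdict(target):
    """Fate of a packet matching no rule: the target, or reject when none is set."""
    if target is None:
        return "reject"
    return {"ACCEPT": "accept", "%%REJECT%%": "reject", "DROP": "drop"}[target]


def zone_verdict(root, port, protocol):
    """Simplified decision: accept on a matching <port>/<service> entry, else the target."""
    entries = []
    for el in root:
        if el.tag == "port":
            try:
                entries.append(parse_port(el.get("port", "")) + (el.get("protocol"),))
            except ValueError:
                continue                    # malformed entries are reported by validate_zone
        elif el.tag == "service":
            entries.extend(SERVICE_PORTS.get(el.get("name"), []))
    if any(lo <= port <= hi and proto == protocol for lo, hi, proto in entries):
        return "accept"
    return default_verdict(root.get("target"))


if __name__ == "__main__":
    zone = load_zone(SAMPLE_ZONE_XML)
    for problem in validate_zone(zone):
        print("problem:", problem)
    for pkt in ((22, "tcp"), (8085, "tcp"), (25, "tcp")):
        print(pkt, "->", zone_verdict(zone, *pkt))
```

   Run stand-alone, the script reports the out-of-range port and shows that
   22/tcp (via the ssh service) and 8085/tcp (via the port range) are
   accepted while 25/tcp falls through to the zone's DROP target. Note that
   zone_verdict is a teaching model only: it ignores sources, interfaces,
   rich rules and the real ordering firewalld applies.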
   interface
      Is an optional empty-element tag and can be used several times. It
      can be used to bind an interface to a zone. You don't need this for
      NetworkManager-managed interfaces, because NetworkManager binds
      interfaces to zones automatically. See also 'How to set or change a
      zone for a connection?' in firewalld.zones(5). You can use it as a
      fallback mechanism for interfaces that can't be managed via
      NetworkManager. An interface entry has exactly one attribute:

      name="string"
         The name of the interface to be bound to the zone.

   source
      Is an optional empty-element tag and can be used several times. It
      can be used to bind a source address, address range, MAC address or
      ipset to a zone. A source entry has exactly one of these attributes:

      address="address[/mask]"
         The source is either an IP address or a network IP address with a
         mask, for IPv4 or IPv6. The network family (IPv4/IPv6) will be
         discovered automatically. For IPv4, the mask can be a network mask
         or a plain number. For IPv6 the mask is a plain number. The use of
         host names is not supported.

      mac="MAC"
         The source is a MAC address. It must be of the form
         XX:XX:XX:XX:XX:XX.

      ipset="ipset"
         The source is an ipset.

   icmp-block-inversion
      Is an optional empty-element tag and can be used only once in a zone
      configuration. This flag inverts the icmp-block handling: only the
      enabled ICMP types are accepted and all others are rejected in the
      zone.

   forward
      Is an optional empty-element tag and can be used only once in a zone
      configuration. This flag enables intra-zone forwarding. When enabled,
      packets will be forwarded between interfaces or sources within a
      zone, even if the zone's target is not set to ACCEPT.

   short
      Is an optional start and end tag and is used to give the zone a more
      readable name.

   description
      Is an optional start and end tag used to give the zone a description.

   service
      Is an optional empty-element tag and can be used several times to
      have more than one service entry enabled. A service entry has exactly
      one attribute:

      name="string"
         The name of the service to be enabled. To get a list of valid
         service names, firewall-cmd --get-services can be used.

   port
      Is an optional empty-element tag and can be used several times to
      have more than one port entry. All attributes of a port entry are
      mandatory:

      port="portid[-portid]"
         The port can either be a single port number portid or a port
         range portid-portid.

      protocol="tcp|udp|sctp|dccp"
         The protocol can either be tcp, udp, sctp or dccp.

   protocol
      Is an optional empty-element tag and can be used several times to
      have more than one protocol entry. A protocol entry has exactly one
      attribute:

      value="string"
         The protocol can be any protocol supported by the system. Please
         have a look at /etc/protocols for supported protocols.

   icmp-block
      Is an optional empty-element tag and can be used several times to
      have more than one icmp-block entry. Each icmp-block tag has exactly
      one mandatory attribute:

      name="string"
         The name of the Internet Control Message Protocol (ICMP) type to
         be blocked. To get a list of valid ICMP types, firewall-cmd
         --get-icmptypes can be used.

   masquerade
      Is an optional empty-element tag. It can be used only once. If it's
      present, masquerading is enabled.

   forward-port
      Is an optional empty-element tag and can be used several times to
      have more than one port or packet forward entry. There are mandatory
      and also optional attributes for forward ports:

      Mandatory attributes:
         The local port and protocol to be forwarded.

         port="portid[-portid]"
            The port can either be a single port number portid or a port
            range portid-portid.

         protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

      Optional attributes:
         The destination of the forward. For local forwarding add to-port
         only. For remote forwarding add to-addr, and use to-port
         optionally if the destination port on the destination machine
         should be different.

         to-port="portid[-portid]"
            The destination port or port range to forward to. If omitted,
            the value of the port attribute is used together with the
            to-addr attribute.

         to-addr="address"
            The destination IP address, either IPv4 or IPv6.

   source-port
      Is an optional empty-element tag and can be used several times to
      have more than one source port entry. All attributes of a source
      port entry are mandatory:

      port="portid[-portid]"
         The port can either be a single port number portid or a port
         range portid-portid.

      protocol="tcp|udp|sctp|dccp"
         The protocol can either be tcp, udp, sctp or dccp.

   rule
      Is an optional element tag and can be used several times to have
      more than one rich language rule entry.

      The general rule structure:

         <rule [family="ipv4|ipv6"] [priority="priority"]>
           [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
           [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
           [
             <service name="string"/> |
             <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
             <protocol value="protocol"/> |
             <icmp-block name="icmptype"/> |
             <icmp-type name="icmptype"/> |
             <masquerade/> |
             <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
             <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
           ]
           [
             <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
             <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
           ]
           [ <audit> [<limit value="rate/duration"/>] </audit> ]
           [
             <accept> [<limit value="rate/duration"/>] </accept> |
             <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
             <drop> [<limit value="rate/duration"/>] </drop> |
             <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
           ]
         </rule>

      Rule structure for source black or white listing:

         <rule [family="ipv4|ipv6"] [priority="priority"]>
           <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
           [
             <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
             <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
           ]
           [ <audit> [<limit value="rate/duration"/>] </audit> ]
           <accept> [<limit value="rate/duration"/>] </accept> |
           <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
           <drop> [<limit value="rate/duration"/>] </drop>
         </rule>

      For a full description of rich language rules, please have a look at
      firewalld.richlanguage(5).

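   The script below is an added example for the two rule structures above;
   it is not firewalld's code and does not implement the rich language
   itself. It checks constructed <rule> elements against what the listings
   show: at most one match element, at most one of <log>/<nflog>, at most
   one action (accept/reject/drop/mark), invert only as "True", family
   ipv4 or ipv6, and a rate/duration value on every <limit>. It also
   recognises the "source black or white listing" shape (a <source>, no
   match element, exactly one of accept/reject/drop). Two details are
   assumptions not stated on this page: the duration letter set s/m/h/d in
   LIMIT_RE and the integer form of priority.

```python
"""Check <rule> elements against the rich-rule structure in firewalld.zone(5).

Added example, not firewalld's own code.
"""
import re
import xml.etree.ElementTree as ET

ACTIONS = {"accept", "reject", "drop", "mark"}
LOGGERS = {"log", "nflog"}
MATCHERS = {"service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port"}
LIMIT_RE = re.compile(r"^\d+/[smhd]$")      # assumed duration letters, e.g. "3/m"

# Constructed rules wrapped in a minimal zone.  Rule 0 is a source
# blacklist entry with rate-limited logging; rule 2 carries two actions,
# which the listing does not allow.
SAMPLE_RULES_XML = """<zone>
  <rule family="ipv4" priority="-10">
    <source address="203.0.113.0/24"/>
    <log prefix="blocked-src" level="warn"><limit value="3/m"/></log>
    <drop/>
  </rule>
  <rule family="ipv4">
    <source ipset="partners" invert="True"/>
    <port port="8443" protocol="tcp"/>
    <accept/>
  </rule>
  <rule>
    <source address="198.51.100.1"/>
    <accept/>
    <drop/>
  </rule>
</zone>
"""


def check_limits(rule, problems, index):
    """Every <limit> inside log/nflog/audit or an action must read rate/duration."""
    for lim in rule.iter("limit"):
        value = lim.get("value", "")
        if not LIMIT_RE.match(value):
            problems.append(f"rule {index}: bad limit {value!r}")


def validate_rule(rule, index=0):
    """Return the problems found in one <rule> element."""
    problems = []
    family = rule.get("family")
    if family is not None and family not in ("ipv4", "ipv6"):
        problems.append(f"rule {index}: family must be ipv4 or ipv6")
    prio = rule.get("priority")
    if prio is not None and not re.fullmatch(r"-?\d+", prio):
        problems.append(f"rule {index}: priority must be an integer")
    tags = [child.tag for child in rule]
    actions = [t for t in tags if t in ACTIONS]
    loggers = [t for t in tags if t in LOGGERS]
    if len(actions) > 1:
        problems.append(f"rule {index}: more than one action {actions}")
    if len(loggers) > 1:
        problems.append(f"rule {index}: both <log> and <nflog> present")
    if len([t for t in tags if t in MATCHERS]) > 1:
        problems.append(f"rule {index}: more than one match element")
    for src in rule.findall("source"):
        if src.get("invert") not in (None, "True"):
            problems.append(f"rule {index}: invert must be \"True\" when present")
    check_limits(rule, problems, index)
    return problems


def is_source_listing(rule):
    """True for the 'source black or white listing' shape: a <source>, no
    match element, and exactly one of accept/reject/drop."""
    tags = [child.tag for child in rule]
    return ("source" in tags
            and not any(t in MATCHERS for t in tags)
            and len([t for t in tags if t in ("accept", "reject", "drop")]) == 1)


def validate_rules(xml_text):
    """Problems across all <rule> children of the given zone XML."""
    root = ET.fromstring(xml_text)
    problems = []
    for i, rule in enumerate(root.findall("rule")):
        problems.extend(validate_rule(rule, i))
    return problems


def listing_rules(xml_text):
    """Indexes of the rules that are plain source black/white-list entries."""
    root = ET.fromstring(xml_text)
    return [i for i, r in enumerate(root.findall("rule")) if is_source_listing(r)]


if __name__ == "__main__":
    for problem in validate_rules(SAMPLE_RULES_XML):
        print("problem:", problem)
    print("source listing rules:", listing_rules(SAMPLE_RULES_XML))
```

   On the constructed input only rule 2 is reported (two actions), and only
   rule 0 has the listing shape: rule 1 carries a <port> match, so it is a
   general rule rather than a source black/white-list entry.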
SEE ALSO
   firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
   firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
   firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
   firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
   firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
   firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES
   firewalld home page:
      http://firewalld.org

   More documentation with examples:
      http://fedoraproject.org/wiki/FirewallD

AUTHORS
   Thomas Woerner <twoerner@redhat.com>
      Developer

   Jiri Popelka <jpopelka@redhat.com>
      Developer

   Eric Garver <eric@garver.life>
      Developer

firewalld 1.3.4                                                FIREWALLD.ZONE(5)