FIREWALLD.ZONE(5)              firewalld.zone              FIREWALLD.ZONE(5)



NAME
    firewalld.zone - firewalld zone configuration files

SYNOPSIS
    /etc/firewalld/zones/zone.xml
    /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
    A firewalld zone configuration file contains the information for a
    zone: the zone description, the interfaces and sources bound to it,
    services, ports, protocols, icmp-blocks, masquerade, forward-ports,
    source-ports and rich language rules, in an XML file format. The file
    name has to be zone_name.xml, where the length of zone_name is
    currently limited to 17 characters. A file in /etc/firewalld/zones
    overrides a file of the same name in /usr/lib/firewalld/zones, so a
    packaged zone is modified by copying it to /etc/firewalld/zones rather
    than by editing it in place.

    This is the structure of a zone configuration file:

    <?xml version="1.0" encoding="utf-8"?>
    <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
      [ <short>short description</short> ]
      [ <description>description</description> ]
      [ <interface name="string"/> ]
      [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
      [ <service name="string"/> ]
      [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [ <protocol value="protocol"/> ]
      [ <icmp-block name="string"/> ]
      [ <icmp-block-inversion/> ]
      [ <masquerade/> ]
      [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
      [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
      [
        <rule [family="ipv4|ipv6"]>
          [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
          [ <destination address="address[/mask]" [invert="True"]/> ]
          [
            <service name="string"/> |
            <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
            <protocol value="protocol"/> |
            <icmp-block name="icmptype"/> |
            <icmp-type name="icmptype"/> |
            <masquerade/> |
            <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
            <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
          ]
          [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
          [ <audit> [<limit value="rate/duration"/>] </audit> ]
          [
            <accept> [<limit value="rate/duration"/>] </accept> |
            <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
            <drop> [<limit value="rate/duration"/>] </drop> |
            <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
          ]
        </rule>
      ]
    </zone>


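    The following Python script is an added example and not code from the
    firewalld project: it renders a zone file with exactly the structure
    shown above from a Python description, enforcing the 17-character name
    limit and the allowed target and protocol values, and writes it into a
    zones directory. The zone name dmz-web, the interface eth1, the
    192.0.2.0/24 management network and the port numbers are constructed
    for illustration; build_zone, rich_rule, zone_name_ok and write_zone
    are helpers defined here, not firewalld APIs. Python is used because
    firewalld itself is written in it.

```python
# Added example, not part of firewalld: render a zone file that follows the
# structure documented above. Names, addresses and ports are constructed.
import os
import xml.etree.ElementTree as ET
from xml.dom import minidom

ZONE_NAME_MAX = 17                      # limit stated in the man page
TARGETS = ("ACCEPT", "%%REJECT%%", "DROP")
PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
LOG_LEVELS = ("emerg", "alert", "crit", "err", "warn", "notice", "info", "debug")


def zone_name_ok(name):
    """zone_name.xml: at most 17 characters, and it must not leave the directory."""
    return 0 < len(name) <= ZONE_NAME_MAX and "/" not in name


def rich_rule(action, family=None, source=None, invert=False, service=None,
              port=None, log_prefix=None, log_level="info", limit=None):
    """One <rule>: optional source, at most one match, optional rate-limited log, one action."""
    if action not in ("accept", "reject", "drop"):
        raise ValueError("action must be accept, reject or drop")
    if service and port:
        raise ValueError("a rule carries at most one match element")
    rule = ET.Element("rule", {"family": family} if family else {})
    if source:
        attrs = {"address": source}
        if invert:
            attrs["invert"] = "True"
        ET.SubElement(rule, "source", attrs)
    if service:
        ET.SubElement(rule, "service", name=service)
    if port:                                # (portid[-portid], protocol)
        ET.SubElement(rule, "port", port=port[0], protocol=port[1])
    if log_prefix:
        if log_level not in LOG_LEVELS:
            raise ValueError("unknown log level %r" % log_level)
        log = ET.SubElement(rule, "log", prefix=log_prefix, level=log_level)
        if limit:                           # rate/duration, e.g. "3/m"
            ET.SubElement(log, "limit", value=limit)
    ET.SubElement(rule, action)
    return rule


def build_zone(name, target=None, short=None, interfaces=(), sources=(),
               services=(), ports=(), forward_ports=(), masquerade=False, rules=()):
    """Return the zone document as text, elements in the order the structure lists them."""
    if not zone_name_ok(name):
        raise ValueError("zone name must be 1..%d characters" % ZONE_NAME_MAX)
    if target is not None and target not in TARGETS:
        raise ValueError("target must be one of %s" % ", ".join(TARGETS))
    zone = ET.Element("zone", {"target": target} if target else {})
    if short:
        ET.SubElement(zone, "short").text = short
    for ifname in interfaces:
        ET.SubElement(zone, "interface", name=ifname)
    for src in sources:                     # {"address": ...}, {"mac": ...} or {"ipset": ...}
        ET.SubElement(zone, "source", src)
    for svc in services:
        ET.SubElement(zone, "service", name=svc)
    for port, proto in ports:
        if proto not in PROTOCOLS:
            raise ValueError("protocol must be tcp, udp, sctp or dccp")
        ET.SubElement(zone, "port", port=port, protocol=proto)
    for fp in forward_ports:                # keys: port, protocol, to-port, to-addr
        ET.SubElement(zone, "forward-port", fp)
    if masquerade:
        ET.SubElement(zone, "masquerade")
    for rule in rules:
        zone.append(rule)
    raw = ET.tostring(zone, encoding="unicode")
    return minidom.parseString(raw).toprettyxml(indent="  ", encoding="utf-8").decode()


def write_zone(directory, name, xml_text):
    """Write <directory>/<name>.xml (e.g. /etc/firewalld/zones); reload firewalld afterwards."""
    path = os.path.join(directory, name + ".xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path


# Constructed scenario: a DMZ web zone on eth1 that drops unmatched traffic,
# admits HTTPS from anywhere, publishes a backend on 8080 as port 80, and
# accepts SSH only from the management network 192.0.2.0/24, logged at most
# three times a minute. Everything else, SSH included, falls to target DROP.
DMZ_WEB = build_zone(
    "dmz-web", target="DROP", short="DMZ web servers", interfaces=["eth1"],
    services=["https"],
    forward_ports=[{"port": "80", "protocol": "tcp", "to-port": "8080"}],
    rules=[rich_rule("accept", family="ipv4", source="192.0.2.0/24",
                     service="ssh", log_prefix="dmz-ssh ", limit="3/m")],
)

if __name__ == "__main__":
    print(DMZ_WEB)
```

    Running the script prints the document; write_zone("/etc/firewalld/zones",
    "dmz-web", DMZ_WEB) followed by firewall-cmd --reload would install it.
    The rich rule is the only path that accepts SSH: SSH from any other
    network matches no entry and falls through to the zone target, which is
    why the example sets target="DROP" explicitly instead of relying on the
    default reject.
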
    The config can contain these tags and attributes. Some of them are
    mandatory, others optional.

    zone
        The mandatory zone start and end tag defines the zone. This tag can
        only be used once in a zone configuration file. There are optional
        attributes for zones:

        version="string"
            To give the zone a version.

        target="ACCEPT|%%REJECT%%|DROP"
            Can be used to accept, reject or drop every packet that doesn't
            match any rule (port, service, etc.). The ACCEPT target is used
            in the trusted zone to accept every packet not matching any
            rule. The %%REJECT%% target is used in the block zone to reject
            (with the default firewalld reject type) every packet not
            matching any rule. The DROP target is used in the drop zone to
            drop every packet not matching any rule. If the target is not
            specified, every packet not matching any rule will be rejected.
            Note that with target="ACCEPT" the service, port and protocol
            entries no longer restrict anything, because whatever they do
            not match is accepted anyway; only rich rules with a reject or
            drop action and icmp-block entries still deny traffic in such a
            zone. Check the target before trusting a zone's list of
            services and ports.

    short
        Is an optional start and end tag and is used to give a zone a more
        readable name.

    description
        Is an optional start and end tag to have a description for a zone.

    interface
        Is an optional empty-element tag and can be used several times. It
        can be used to bind an interface to a zone. You don't need this for
        NetworkManager-managed interfaces, because NetworkManager binds
        interfaces to zones automatically. See also 'How to set or change a
        zone for a connection?' in firewalld.zones(5). You can use it as a
        fallback mechanism for interfaces that can't be managed via
        NetworkManager. An interface entry has exactly one attribute:

        name="string"
            The name of the interface to be bound to the zone.

    source
        Is an optional empty-element tag and can be used several times. It
        can be used to bind a source address, address range, a MAC address
        or an ipset to a zone. A source entry has exactly one of these
        attributes:

        address="address[/mask]"
            The source is either an IP address or a network IP address
            with a mask for IPv4 or IPv6. The network family (IPv4/IPv6)
            will be discovered automatically. For IPv4, the mask can be a
            network mask or a plain number. For IPv6 the mask is a plain
            number. The use of host names is not supported.

        mac="MAC"
            The source is a MAC address. It must be of the form
            XX:XX:XX:XX:XX:XX.

        ipset="ipset"
            The source is an ipset.

    service
        Is an optional empty-element tag and can be used several times to
        have more than one service entry enabled. A service entry has
        exactly one attribute:

        name="string"
            The name of the service to be enabled. To get a list of valid
            service names firewall-cmd --get-services can be used.

    port
        Is an optional empty-element tag and can be used several times to
        have more than one port entry. All attributes of a port entry are
        mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port
            range portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

    protocol
        Is an optional empty-element tag and can be used several times to
        have more than one protocol entry. A protocol entry has exactly one
        attribute:

        value="string"
            The protocol can be any protocol supported by the system.
            Please have a look at /etc/protocols for supported protocols.

    icmp-block
        Is an optional empty-element tag and can be used several times to
        have more than one icmp-block entry. Each icmp-block tag has
        exactly one mandatory attribute:

        name="string"
            The name of the Internet Control Message Protocol (ICMP) type
            to be blocked. To get a list of valid ICMP types firewall-cmd
            --get-icmptypes can be used.

    icmp-block-inversion
        Is an optional empty-element tag and can be used only once in a
        zone configuration. This flag inverts the icmp block handling: only
        the ICMP types listed in icmp-block entries are accepted and all
        other ICMP types are rejected in the zone.

    masquerade
        Is an optional empty-element tag. It can be used only once in a
        zone configuration. If it's present, masquerading is enabled for
        the zone. If you want to enable masquerading, you should enable it
        in the zone bound to the external interface.

    forward-port
        Is an optional empty-element tag and can be used several times to
        have more than one port or packet forward entry. There are
        mandatory and also optional attributes for forward ports:

        Mandatory attributes:
            The local port and protocol to be forwarded.

            port="portid[-portid]"
                The port can either be a single port number portid or a
                port range portid-portid.

            protocol="tcp|udp|sctp|dccp"
                The protocol can either be tcp, udp, sctp or dccp.

        Optional attributes:
            The destination of the forward. For local forwarding add
            to-port only. For remote forwarding add to-addr and use to-port
            optionally if the destination port on the destination machine
            should be different.

            to-port="portid[-portid]"
                The destination port or port range to forward to. If
                omitted, the value of the port attribute is used together
                with the to-addr attribute.

            to-addr="address"
                The destination IP address, either IPv4 or IPv6. When
                forwarding to another host, the replies from that host
                only reach the original client if they are routed back
                through this machine; enabling masquerade in the same
                zone is the usual way to guarantee that.

    source-port
        Is an optional empty-element tag and can be used several times to
        have more than one source port entry. All attributes of a source
        port entry are mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port
            range portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

    rule
        Is an optional element tag and can be used several times to have
        more than one rich language rule entry.

        The general rule structure:

        <rule [family="ipv4|ipv6"]>
          [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
          [ <destination address="address[/mask]" [invert="True"]/> ]
          [
            <service name="string"/> |
            <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
            <protocol value="protocol"/> |
            <icmp-block name="icmptype"/> |
            <icmp-type name="icmptype"/> |
            <masquerade/> |
            <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
            <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
          ]
          [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
          [ <audit> [<limit value="rate/duration"/>] </audit> ]
          [
            <accept> [<limit value="rate/duration"/>] </accept> |
            <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
            <drop> [<limit value="rate/duration"/>] </drop> |
            <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
          ]
        </rule>

        Rule structure for source black or white listing:

        <rule [family="ipv4|ipv6"]>
          <source address="address[/mask]" [invert="True"]/>
          [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
          [ <audit> [<limit value="rate/duration"/>] </audit> ]
          <accept> [<limit value="rate/duration"/>] </accept> |
          <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
          <drop> [<limit value="rate/duration"/>] </drop>
        </rule>

        A rule carries at most one match element and at most one action. A
        rule that has a log or audit element but no action only records the
        traffic and leaves the decision to the other zone entries and the
        zone target. A log element without a limit records every matching
        packet, so a remote sender can fill the log at will; give it a
        limit. For a full description of rich language rules, please have a
        look at firewalld.richlanguage(5).

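    As the check a practitioner would run before deploying a file, the
    following Python linter is an added example and not part of firewalld.
    It applies the attribute rules from this section (zone name length,
    target values, exactly one source attribute, port and protocol syntax,
    single-use elements, at most one match element per rule, log limits) to
    two constructed zone files: WEAK is the "before" file, FIXED the
    corrected version. The names, addresses and ports are invented for the
    example, and the checks are this example's own heuristics (the
    accept-all target, the source that matches every address and the
    forward-port-without-masquerade warnings in particular), not rules that
    firewalld enforces.

```python
# Added example, not part of firewalld: lint a zone file against the tag and
# attribute rules documented above. Both zone files below are constructed.
import re
import xml.etree.ElementTree as ET

ZONE_NAME_MAX = 17
TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
LOG_LEVELS = {"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"}
MATCHES = {"service", "port", "protocol", "icmp-block", "icmp-type",
           "masquerade", "forward-port", "source-port"}
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")
LIMIT_RE = re.compile(r"^\d+/[smhd]$")      # rate/duration, see firewalld.richlanguage(5)
ANY_ADDRESS = {"0.0.0.0/0", "::/0"}


def check_port(elem, where, findings):
    """port= is portid or portid-portid within 1..65535; protocol= is one of four values."""
    port = elem.get("port", "")
    if not PORT_RE.match(port):
        findings.append("%s: malformed port %r" % (where, port))
    else:
        lo, _, hi = port.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            findings.append("%s: port range %s is reversed or out of range" % (where, port))
    if elem.get("protocol") not in PROTOCOLS:
        findings.append("%s: protocol must be tcp, udp, sctp or dccp" % where)


def lint_zone(name, xml_text):
    """Return a list of findings; an empty list means every check passed."""
    f = []
    if not 0 < len(name) <= ZONE_NAME_MAX:
        f.append("zone name %r exceeds %d characters" % (name, ZONE_NAME_MAX))
    root = ET.fromstring(xml_text)
    target = root.get("target")
    if target is not None and target not in TARGETS:
        f.append("unknown target %r" % target)
    elif target == "ACCEPT":
        f.append("target ACCEPT admits every unmatched packet; reserve it for trusted-style zones")
    for tag in ("masquerade", "icmp-block-inversion"):
        if len(root.findall(tag)) > 1:
            f.append("<%s/> may appear only once per zone" % tag)
    for src in root.iter("source"):         # zone-level and rule-level sources
        if sum(1 for k in ("address", "mac", "ipset") if src.get(k)) != 1:
            f.append("<source> needs exactly one of address, mac, ipset")
    for src in root.findall("source"):      # zone-level only: this binds traffic to the zone
        if src.get("address") in ANY_ADDRESS:
            f.append("source %s binds all traffic of that family to this zone" % src.get("address"))
    for tag in ("port", "source-port", "forward-port"):
        for elem in root.iter(tag):
            check_port(elem, "<%s>" % tag, f)
    has_masq = root.find("masquerade") is not None
    for fp in root.findall("forward-port"):
        if fp.get("to-addr") and not has_masq:   # heuristic: reply path must come back through this host
            f.append("forward-port to %s without <masquerade/>" % fp.get("to-addr"))
    for rule in root.findall("rule"):
        if sum(1 for c in rule if c.tag in MATCHES) > 1:
            f.append("<rule> may carry at most one match element")
        for log in rule.findall("log"):
            if log.get("level", "info") not in LOG_LEVELS:
                f.append("<log> level %r is not a syslog level" % log.get("level"))
            limit = log.find("limit")
            if limit is None:
                f.append("<log> without <limit/> lets a remote sender flood the log")
            elif not LIMIT_RE.match(limit.get("value", "")):
                f.append("<limit> value must be rate/duration with duration s, m, h or d")
    return f


# Constructed "before" file (see the lead-in for what is wrong with it).
WEAK = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <source address="0.0.0.0/0"/>
  <port port="8443-8000" protocol="tcp"/>
  <forward-port port="3389" protocol="tcp" to-addr="10.0.0.5"/>
  <rule family="ipv4">
    <service name="ssh"/>
    <log prefix="partner-ssh "/>
    <accept/>
  </rule>
</zone>
"""

# Constructed "after" file: drop by default, partner network only, range in
# order, masquerade for the forward, rate-limited log.
FIXED = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <source address="198.51.100.0/24"/>
  <port port="8000-8443" protocol="tcp"/>
  <forward-port port="3389" protocol="tcp" to-addr="10.0.0.5"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="198.51.100.10"/>
    <service name="ssh"/>
    <log prefix="partner-ssh " level="info"><limit value="3/m"/></log>
    <accept/>
  </rule>
</zone>
"""

if __name__ == "__main__":
    for name, text in (("partner-link-untrusted", WEAK), ("partner", FIXED)):
        print(name + ":", lint_zone(name, text) or ["ok"])
```

    firewalld validates the XML itself when it loads a file and reports
    syntax errors in its log; this pass is for the policy-level mistakes
    that a syntactically valid file can still contain: an accept-all
    target, a source that matches every address, a reversed port range, a
    forward to another host with no masquerade, and a log with no limit.
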
SEE ALSO
    firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
    firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
    firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
    firewall-offline-cmd(1), firewalld.richlanguage(5),
    firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
    firewalld.ipset(5), firewalld.helper(5)

NOTES
    firewalld home page:
        http://firewalld.org

    More documentation with examples:
        http://fedoraproject.org/wiki/FirewallD

AUTHORS
    Thomas Woerner <twoerner@redhat.com>
        Developer

    Jiri Popelka <jpopelka@redhat.com>
        Developer



firewalld 0.6.4                                            FIREWALLD.ZONE(5)