FIREWALLD.ZONE(5)                  firewalld.zone                  FIREWALLD.ZONE(5)

NAME
    firewalld.zone - firewalld zone configuration files

SYNOPSIS
    /etc/firewalld/zones/zone.xml

    /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
    A firewalld zone configuration file contains the information for a
    zone. These are the zone description, services, ports, protocols,
    icmp-blocks, masquerade, forward-ports and rich language rules in an
    XML file format. The file name has to be zone_name.xml, where the
    length of zone_name is currently limited to 17 characters.

    This is the structure of a zone configuration file:

        <?xml version="1.0" encoding="utf-8"?>
        <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
          [ <interface name="string"/> ]
          [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
          [ <icmp-block-inversion/> ]
          [ <short>short description</short> ]
          [ <description>description</description> ]
          [ <service name="string"/> ]
          [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
          [ <protocol value="protocol"/> ]
          [ <icmp-block name="string"/> ]
          [ <masquerade/> ]
          [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
          [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
          [
            <rule [family="ipv4|ipv6"]>
              [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
              [ <destination address="address[/mask]" [invert="True"]/> ]
              [
                <service name="string"/> |
                <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                <protocol value="protocol"/> |
                <icmp-block name="icmptype"/> |
                <icmp-type name="icmptype"/> |
                <masquerade/> |
                <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
              ]
              [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              [
                <accept> [<limit value="rate/duration"/>] </accept> |
                <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                <drop> [<limit value="rate/duration"/>] </drop> |
                <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
              ]
            </rule>
          ]
        </zone>
68
    The config can contain these tags and attributes. Some of them are
    mandatory, others optional.

    zone
        The mandatory zone start and end tag defines the zone. This tag can
        only be used once in a zone configuration file. There are optional
        attributes for zones:

        version="string"
            To give the zone a version.

        target="ACCEPT|%%REJECT%%|DROP"
            Can be used to accept, reject or drop every packet that doesn't
            match any rule (port, service, etc.). The ACCEPT target is used in
            the trusted zone to accept every packet not matching any rule. The
            %%REJECT%% target is used in the block zone to reject (with the
            default firewalld reject type) every packet not matching any rule.
            The DROP target is used in the drop zone to drop every packet not
            matching any rule. If the target is not specified, every packet
            not matching any rule will be rejected.

    interface
        Is an optional empty-element tag and can be used several times. It can
        be used to bind an interface to a zone. You don't need this for
        NetworkManager-managed interfaces, because NetworkManager binds
        interfaces to zones automatically. See also 'How to set or change a
        zone for a connection?' in firewalld.zones(5). You can use it as a
        fallback mechanism for interfaces that can't be managed via
        NetworkManager. An interface entry has exactly one attribute:

        name="string"
            The name of the interface to be bound to the zone.

    source
        Is an optional empty-element tag and can be used several times. It can
        be used to bind a source address, address range, MAC address or
        ipset to a zone. A source entry has exactly one of these attributes:

        address="address[/mask]"
            The source is either an IP address or a network IP address with a
            mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be
            automatically discovered. For IPv4, the mask can be a network mask
            or a plain number. For IPv6 the mask is a plain number. The use of
            host names is not supported.

        mac="MAC"
            The source is a MAC address. It must be of the form
            XX:XX:XX:XX:XX:XX.

        ipset="ipset"
            The source is an ipset.

    icmp-block-inversion
        Is an optional empty-element tag and can be used only once in a zone
        configuration. This flag inverts the icmp block handling: only the
        enabled ICMP types are accepted and all others are rejected in the
        zone.

    short
        Is an optional start and end tag and is used to give the zone a more
        readable name.

    description
        Is an optional start and end tag to give the zone a description.

    service
        Is an optional empty-element tag and can be used several times to have
        more than one service entry enabled. A service entry has exactly one
        attribute:

        name="string"
            The name of the service to be enabled. To get a list of valid
            service names, firewall-cmd --list=services can be used.

    port
        Is an optional empty-element tag and can be used several times to have
        more than one port entry. All attributes of a port entry are mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port range
            portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.

    protocol
        Is an optional empty-element tag and can be used several times to have
        more than one protocol entry. A protocol entry has exactly one
        attribute:

        value="string"
            The protocol can be any protocol supported by the system. Please
            have a look at /etc/protocols for supported protocols.

    icmp-block
        Is an optional empty-element tag and can be used several times to have
        more than one icmp-block entry. Each icmp-block tag has exactly one
        mandatory attribute:

        name="string"
            The name of the Internet Control Message Protocol (ICMP) type to be
            blocked. To get a list of valid ICMP types, firewall-cmd
            --list=icmptypes can be used.

    masquerade
        Is an optional empty-element tag. It can be used only once. If it is
        present, masquerading is enabled.

    forward-port
        Is an optional empty-element tag and can be used several times to have
        more than one port or packet forward entry. There are mandatory and
        also optional attributes for forward ports:

        Mandatory attributes:
            The local port and protocol to be forwarded.

            port="portid[-portid]"
                The port can either be a single port number portid or a port
                range portid-portid.

            protocol="tcp|udp|sctp|dccp"
                The protocol can either be tcp, udp, sctp or dccp.

        Optional attributes:
            The destination of the forward. For local forwarding add to-port
            only. For remote forwarding add to-addr, and use to-port optionally
            if the destination port on the destination machine should be
            different.

            to-port="portid[-portid]"
                The destination port or port range to forward to. If omitted,
                the value of the port attribute will be used, together with
                the to-addr attribute.

            to-addr="address"
                The destination IP address, either for IPv4 or IPv6.

    source-port
        Is an optional empty-element tag and can be used several times to have
        more than one source port entry. All attributes of a source port entry
        are mandatory:

        port="portid[-portid]"
            The port can either be a single port number portid or a port range
            portid-portid.

        protocol="tcp|udp|sctp|dccp"
            The protocol can either be tcp, udp, sctp or dccp.
215
    rule
        Is an optional element tag and can be used several times to have more
        than one rich language rule entry.

        The general rule structure:

            <rule [family="ipv4|ipv6"]>
              [ <source address="address[/mask]" [invert="True"]/> ]
              [ <destination address="address[/mask]" [invert="True"]/> ]
              [
                <service name="string"/> |
                <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                <protocol value="protocol"/> |
                <icmp-block name="icmptype"/> |
                <icmp-type name="icmptype"/> |
                <masquerade/> |
                <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
              ]
              [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              [
                <accept> [<limit value="rate/duration"/>] </accept> |
                <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                <drop> [<limit value="rate/duration"/>] </drop> |
                <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
              ]
            </rule>

        Rule structure for source blacklisting or whitelisting:

            <rule [family="ipv4|ipv6"]>
              <source address="address[/mask]" [invert="True"]/>
              [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
              [ <audit> [<limit value="rate/duration"/>] </audit> ]
              <accept> [<limit value="rate/duration"/>] </accept> |
              <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
              <drop> [<limit value="rate/duration"/>] </drop>
            </rule>

        For a full description of rich language rules, please have a look at
        firewalld.richlanguage(5).
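As an added example (not code from the firewalld project), a small Python linter that checks a zone file against the structure and attribute rules described above, both at zone level and inside rich rules: file name length, target, port syntax and protocol, source attribute exclusivity, and one action per rule. The sample zone it carries is constructed for this example, and the names lint_zone and port_ok are chosen here.

```python
# Added example, not part of firewalld: lint a zone file against firewalld.zone(5).
import xml.etree.ElementTree as ET

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
ACTIONS = {"accept", "reject", "drop", "mark"}

# Constructed sample: drop by default, allow https and a port range from one network, log-then-drop ssh except from one host.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <source address="203.0.113.0/24"/>
  <service name="https"/>
  <port port="8080-8081" protocol="tcp"/>
  <rule family="ipv4">
    <source address="198.51.100.7" invert="True"/>
    <port port="22" protocol="tcp"/>
    <log prefix="ssh-drop " level="warn"><limit value="3/m"/></log>
    <drop/>
  </rule>
</zone>"""

def port_ok(spec):
    """Accept 'portid' or 'portid-portid' with 1 <= low <= high <= 65535."""
    parts = spec.split("-")
    ok = len(parts) <= 2 and all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts)
    return ok and [int(p) for p in parts] == sorted(int(p) for p in parts)

def lint_zone(xml_text, filename):
    """Return the problems found; an empty list means the file passed."""
    problems = []
    name = filename[:-4] if filename.endswith(".xml") else ""
    if not name or len(name) > 17:                       # zone_name.xml, at most 17 chars
        problems.append("file name must be zone_name.xml with zone_name <= 17 chars")
    root = ET.fromstring(xml_text)
    if root.tag != "zone" or root.get("target", "DROP") not in TARGETS:
        problems.append("root must be <zone> with target ACCEPT, %%REJECT%% or DROP")
    for el in root.iter():                                # zone-level and rule-level elements alike
        if el.tag in ("port", "forward-port", "source-port"):
            if not port_ok(el.get("port", "")):
                problems.append(f"<{el.tag}> has bad port {el.get('port')!r}")
            if el.get("protocol") not in PROTOCOLS:
                problems.append(f"<{el.tag}> has bad protocol {el.get('protocol')!r}")
        elif el.tag == "source":                          # exactly one of address/mac/ipset
            if len({"address", "mac", "ipset"} & set(el.attrib)) != 1:
                problems.append("<source> needs exactly one of address/mac/ipset")
        elif el.tag == "rule":                            # accept | reject | drop | mark
            actions = [c.tag for c in el if c.tag in ACTIONS]
            if len(actions) > 1:
                problems.append(f"<rule> has several actions: {actions}")
    return problems
```

Running lint_zone(SAMPLE_ZONE, "dmz-web.xml") returns an empty list; feeding it a file from /etc/firewalld/zones before a reload catches the typos that otherwise only surface as a failed reload.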
260
SEE ALSO
    firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
    firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
    firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
    firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
    firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
    firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES
    firewalld home page:
        http://firewalld.org

    More documentation with examples:
        http://fedoraproject.org/wiki/FirewallD

AUTHORS
    Thomas Woerner <twoerner@redhat.com>
        Developer

    Jiri Popelka <jpopelka@redhat.com>
        Developer

    Eric Garver <eric@garver.life>
        Developer

firewalld 0.9.3                                                 FIREWALLD.ZONE(5)