FIREWALLD.ZONE(5)               firewalld.zone               FIREWALLD.ZONE(5)

NAME

       firewalld.zone - firewalld zone configuration files

SYNOPSIS

       /etc/firewalld/zones/zone.xml

       /usr/lib/firewalld/zones/zone.xml

DESCRIPTION

       A firewalld zone configuration file contains the information for a
       zone. These are the zone description, services, ports, protocols,
       icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich
       language rules in an XML file format. The file name has to be
       zone_name.xml, where the length of zone_name is currently limited to 17
       characters.

       This is the structure of a zone configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"]>
               [ <interface name="string"/> ]
               [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
               [ <icmp-block-inversion/> ]
               [ <forward/> ]
               [ <short>short description</short> ]
               [ <description>description</description> ]
               [ <service name="string"/> ]
               [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [ <protocol value="protocol"/> ]
               [ <icmp-block name="string"/> ]
               [ <masquerade/> ]
               [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
               [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [
                   <rule [family="ipv4|ipv6"]>
                       [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                       [ <destination address="address[/mask]" [invert="True"]/> ]
                       [
                           <service name="string"/> |
                           <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                           <protocol value="protocol"/> |
                           <icmp-block name="icmptype"/> |
                           <icmp-type name="icmptype"/> |
                           <masquerade/> |
                           <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
                       ]
                       [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
                       [ <audit> [<limit value="rate/duration"/>] </audit> ]
                       [
                           <accept> [<limit value="rate/duration"/>] </accept> |
                           <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                           <drop> [<limit value="rate/duration"/>] </drop> |
                           <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                       ]
                   </rule>
               ]
           </zone>

       The config can contain these tags and attributes. Some of them are
       mandatory, others optional.

   zone
       The mandatory zone start and end tag defines the zone. This tag can
       only be used once in a zone configuration file. There are optional
       attributes for zones:

       version="string"
           To give the zone a version.

       target="ACCEPT|%%REJECT%%|DROP"
           Can be used to accept, reject or drop every packet that doesn't
           match any rule (port, service, etc.). The ACCEPT target is used in
           the trusted zone to accept every packet not matching any rule. The
           %%REJECT%% target is used in the block zone to reject (with the
           default firewalld reject type) every packet not matching any rule.
           The DROP target is used in the drop zone to drop every packet not
           matching any rule. If the target is not specified, every packet not
           matching any rule will be rejected.

   interface
       Is an optional empty-element tag and can be used several times. It can
       be used to bind an interface to a zone. You don't need this for
       NetworkManager-managed interfaces, because NetworkManager binds
       interfaces to zones automatically. See also 'How to set or change a
       zone for a connection?' in firewalld.zones(5). You can use it as a
       fallback mechanism for interfaces that can't be managed via
       NetworkManager. An interface entry has exactly one attribute:

       name="string"
           The name of the interface to be bound to the zone.

   source
       Is an optional empty-element tag and can be used several times. It can
       be used to bind a source address, address range, a MAC address or an
       ipset to a zone. A source entry has exactly one of these attributes:

       address="address[/mask]"
           The source is either an IP address or a network IP address with a
           mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be
           automatically discovered. For IPv4, the mask can be a network mask
           or a plain number. For IPv6 the mask is a plain number. The use of
           host names is not supported.

       mac="MAC"
           The source is a MAC address. It must be of the form
           XX:XX:XX:XX:XX:XX.

       ipset="ipset"
           The source is an ipset.

   icmp-block-inversion
       Is an optional empty-element tag and can be used only once in a zone
       configuration. This flag inverts the icmp block handling. Only enabled
       ICMP types are accepted and all others are rejected in the zone.

   forward
       Is an optional empty-element tag and can be used only once in a zone
       configuration. This flag enables intra-zone forwarding. When enabled,
       packets will be forwarded between interfaces or sources within a zone,
       even if the zone's target is not set to ACCEPT.

   short
       Is an optional start and end tag and is used to give a more readable
       name.

   description
       Is an optional start and end tag to have a description.

   service
       Is an optional empty-element tag and can be used several times to have
       more than one service entry enabled. A service entry has exactly one
       attribute:

       name="string"
           The name of the service to be enabled. To get a list of valid
           service names firewall-cmd --get-services can be used.

   port
       Is an optional empty-element tag and can be used several times to have
       more than one port entry. All attributes of a port entry are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   protocol
       Is an optional empty-element tag and can be used several times to have
       more than one protocol entry. A protocol entry has exactly one
       attribute:

       value="string"
           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

   icmp-block
       Is an optional empty-element tag and can be used several times to have
       more than one icmp-block entry. Each icmp-block tag has exactly one
       mandatory attribute:

       name="string"
           The name of the Internet Control Message Protocol (ICMP) type to be
           blocked. To get a list of valid ICMP types firewall-cmd
           --get-icmptypes can be used.

   tcp-mss-clamp
       Is an optional empty-element tag and can be used several times. If left
       empty, the maximum segment size is set to 'pmtu'. This tag has exactly
       one optional attribute:

       value="string"
           Value can set the maximum segment size to 'pmtu' (Path Maximum
           Transmission Unit) or to a user-defined value that is greater than
           or equal to 536.

   masquerade
       Is an optional empty-element tag. It can be used only once. If it's
       present, masquerading is enabled.

   forward-port
       Is an optional empty-element tag and can be used several times to have
       more than one port or packet forward entry. There are mandatory and
       also optional attributes for forward ports:

       Mandatory attributes:
           The local port and protocol to be forwarded.

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       Optional attributes:
           The destination of the forward. For local forwarding add to-port
           only. For remote forwarding add to-addr and use to-port optionally
           if the destination port on the destination machine should be
           different.

           to-port="portid[-portid]"
               The destination port or port range to forward to. If omitted,
               the value of the port= attribute will be used together with
               the to-addr attribute.

           to-addr="address"
               The destination IP address, either IPv4 or IPv6.

   source-port
       Is an optional empty-element tag and can be used several times to have
       more than one source port entry. All attributes of a source port entry
       are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   rule
       Is an optional element tag and can be used several times to have more
       than one rich language rule entry.

       The general rule structure:

           <rule [family="ipv4|ipv6"]>
               [ <source address="address[/mask]" [invert="True"]/> ]
               [ <destination address="address[/mask]" [invert="True"]/> ]
               [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
               ]
               [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
               ]
           </rule>

       Rule structure for source black or white listing:

           <rule [family="ipv4|ipv6"]>
               <source address="address[/mask]" [invert="True"]/>
               [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               <accept> [<limit value="rate/duration"/>] </accept> |
               <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
               <drop> [<limit value="rate/duration"/>] </drop>
           </rule>

       For a full description on rich language rules, please have a look at
       firewalld.richlanguage(5).

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 1.0.1                                              FIREWALLD.ZONE(5)