FIREWALLD.POLICIES(5)         firewalld.policies         FIREWALLD.POLICIES(5)

NAME

       firewalld.policies - firewalld policies

DESCRIPTION

   What is a policy?
       A policy applies a set of rules to traffic flowing between zones (see
       firewalld.zones(5)). The policy affects traffic in a stateful
       unidirectional manner, e.g. zoneA to zoneB. This allows asynchronous
       filtering policies.

       A policy's relationship to zones is defined by assigning a set of
       ingress zones and a set of egress zones. For example, if the set of
       ingress zones contains "public" and the set of egress zones contains
       "internal" then the policy will affect all traffic flowing from the
       "public" zone to the "internal" zone. However, since policies are
       unidirectional it will not apply to traffic flowing from "internal" to
       "public". Note that the ingress set and egress set can contain multiple
       zones.

   Active Policies
       Policies only become active if all of the following are true.

       •   The ingress zones list contains at least one regular zone or a
           single symbolic zone.

       •   The egress zones list contains at least one regular zone or a
           single symbolic zone.

       •   For non-symbolic zones, the zone must be active. That is, it must
           have interfaces or sources assigned to it.

       If the policy is not active then the policy has no effect.

   Symbolic Zones
       Regular zones are not enough to express every form of packet filtering.
       For example, there is no zone to represent traffic flowing to or from
       the host running firewalld. As such, there are some symbolic zones to
       fill these gaps. However, symbolic zones are unique in that, when used,
       they must be the only zone in the ingress or egress zone set. For
       example, you cannot use "public" and "HOST" together in the ingress
       zones.

       Symbolic zones:

        1. HOST

           This symbolic zone is for traffic flowing to or from the host
           running firewalld. This corresponds to the netfilter
           (iptables/nftables) chains INPUT and OUTPUT.

           •   If used in the egress zones list it will apply to traffic on
               the INPUT chain.

           •   If used in the ingress zones list it will apply to traffic on
               the OUTPUT chain.

        2. ANY

           This symbolic zone behaves like a wildcard for the ingress and
           egress zones, with the exception that it does not include "HOST".
           It's useful if you want a policy to apply to every zone.

           •   If used in the ingress zones list it will apply to traffic
               originating from any zone.

           •   If used in the egress zones list it will apply to traffic
               destined to any zone.

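       As an added example (not code from firewalld or this man page), the
       following Python models the activation rules from "Active Policies" and
       the symbolic-zone rules from "Symbolic Zones" above. Zone names are
       constructed, and reading "the zone must be active" as "at least one
       regular zone on each side is active" is an assumption.

```python
# Added example, not code from firewalld or this man page: a small model of
# the activation and symbolic-zone rules described in "Active Policies" and
# "Symbolic Zones". Zone names in the sample below are constructed.
SYMBOLIC_ZONES = {"HOST", "ANY"}


def zone_set_is_valid(zones):
    """A symbolic zone (HOST/ANY) must be the only member of its zone set."""
    zones = set(zones)
    return not (zones & SYMBOLIC_ZONES and len(zones) > 1)


def policy_is_active(ingress, egress, active_zones):
    """Return True if the policy takes effect.

    active_zones: the regular zones that currently have interfaces or
    sources assigned. A side with a symbolic zone is always satisfied;
    a side with only regular zones needs at least one of them active
    (assumption: "at least one", the man page does not say "all").
    """
    ingress, egress = set(ingress), set(egress)
    if not (zone_set_is_valid(ingress) and zone_set_is_valid(egress)):
        raise ValueError("symbolic zones cannot be mixed with other zones")
    if not ingress or not egress:
        return False  # an empty zone set never satisfies the rules

    def side_ok(zones):
        return bool(zones & SYMBOLIC_ZONES) or bool(zones & active_zones)

    return side_ok(ingress) and side_ok(egress)


def netfilter_chain(ingress, egress):
    """Which netfilter chain the policy's rules land in (INPUT/OUTPUT/FORWARD)."""
    ingress, egress = set(ingress), set(egress)
    if "HOST" in ingress and "HOST" in egress:
        # Not covered by the man page; treated as invalid here (assumption).
        raise ValueError("HOST cannot be both ingress and egress")
    if "HOST" in egress:
        return "INPUT"   # traffic destined to the firewalld host
    if "HOST" in ingress:
        return "OUTPUT"  # traffic originating from the firewalld host
    return "FORWARD"     # zone-to-zone traffic; ANY never includes HOST


if __name__ == "__main__":
    active = {"public"}  # constructed: only "public" has an interface assigned
    for ing, eg in [({"public"}, {"internal"}), ({"ANY"}, {"HOST"})]:
        print(ing, "->", eg, policy_is_active(ing, eg, active), netfilter_chain(ing, eg))
```

       In the sample run, "public" to "internal" is inactive because
       "internal" has no interfaces or sources, while ANY to HOST is active
       and lands in the INPUT chain.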
   Predefined Policies
       firewalld ships with some predefined policies. These may or may not be
       active by default. For details see the description of each policy.

       •   allow-host-ipv6

   Similarity to Zones
       Policies are similar to zones in that they are an attachment point for
       firewalld's primitives: services, ports, forward ports, etc. This is
       not a coincidence. Policies are a generalization of how zones have
       traditionally achieved filtering. In fact, in modern firewalld zones
       are internally implemented as a set of policies.

       The main difference between policies and zones is that policies allow
       filtering in all directions: input, output, and forwarding. With a
       couple of exceptions, zones only allow input filtering, which is
       sufficient for firewalling an end station. However, for network-level
       filtering or filtering on behalf of virtual machines and containers
       something more flexible, i.e. policies, is needed.


SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer


firewalld 2.0.2                                          FIREWALLD.POLICIES(5)