FIREWALLD.ZONE(5)                firewalld.zone               FIREWALLD.ZONE(5)

NAME
       firewalld.zone - firewalld zone configuration files

SYNOPSIS
       /etc/firewalld/zones/zone.xml

       /usr/lib/firewalld/zones/zone.xml

DESCRIPTION
       A firewalld zone configuration file contains the information for a
       zone. These are the zone description, services, ports, protocols,
       icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich
       language rules in an XML file format. The file name has to be
       zone_name.xml, where the length of zone_name is currently limited to 17
       characters.

       This is the structure of a zone configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"] [ingress-priority="priority"] [egress-priority="priority"]>
             [ <interface name="string"/> ]
             [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
             [ <icmp-block-inversion/> ]
             [ <forward/> ]
             [ <short>short description</short> ]
             [ <description>description</description> ]
             [ <service name="string"/> ]
             [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
             [ <protocol value="protocol"/> ]
             [ <icmp-block name="string"/> ]
             [ <masquerade/> ]
             [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
             [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
             [
               <rule [family="ipv4|ipv6"] [priority="priority"]>
                 [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                 [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                 [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
                 ]
                 [
                   <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                   <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
                 ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                 ]
               </rule>
             ]
           </zone>

       The config can contain these tags and attributes. Some of them are
       mandatory, others optional.

       zone
           The mandatory zone start and end tag defines the zone. This tag can
           only be used once in a zone configuration file. There are optional
           attributes for zones:

           version="string"
               To give the zone a version.

           target="ACCEPT|%%REJECT%%|DROP"
               Can be used to accept, reject or drop every packet that doesn't
               match any rule (port, service, etc.). The ACCEPT target is used
               in the trusted zone to accept every packet not matching any
               rule. The %%REJECT%% target is used in the block zone to reject
               (with the default firewalld reject type) every packet not
               matching any rule. The DROP target is used in the drop zone to
               drop every packet not matching any rule. If the target is not
               specified, every packet not matching any rule will be rejected.

           ingress-priority="priority"
               Ingress priority for classifying traffic into a zone. A zone
               with a lower priority value will be considered before a zone
               with a higher priority value. This allows custom ordering of
               zone dispatch.

           egress-priority="priority"
               Same as ingress-priority, but for egress classification.

       interface
           Is an optional empty-element tag and can be used several times. It
           can be used to bind an interface to a zone. You don't need this for
           NetworkManager-managed interfaces, because NetworkManager binds
           interfaces to zones automatically. See also 'How to set or change a
           zone for a connection?' in firewalld.zones(5). You can use it as a
           fallback mechanism for interfaces that can't be managed via
           NetworkManager. An interface entry has exactly one attribute:

           name="string"
               The name of the interface to be bound to the zone.

       source
           Is an optional empty-element tag and can be used several times. It
           can be used to bind a source address, address range, a MAC address
           or an ipset to a zone. A source entry has exactly one of these
           attributes:

           address="address[/mask]"
               The source is either an IP address or a network IP address with
               a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be
               automatically discovered. For IPv4, the mask can be a network
               mask or a plain number. For IPv6 the mask is a plain number. The
               use of host names is not supported.

           mac="MAC"
               The source is a MAC address. It must be of the form
               XX:XX:XX:XX:XX:XX.

           ipset="ipset"
               The source is an ipset.

       icmp-block-inversion
           Is an optional empty-element tag and can be used only once in a zone
           configuration. This flag inverts the icmp block handling. Only
           enabled ICMP types are accepted and all others are rejected in the
           zone.

       forward
           Is an optional empty-element tag and can be used only once in a zone
           configuration. This flag enables intra-zone forwarding. When
           enabled, packets will be forwarded between interfaces or sources
           within a zone, even if the zone's target is not set to ACCEPT.

       short
           Is an optional start and end tag and is used to give a more readable
           name.

       description
           Is an optional start and end tag to have a description.

       service
           Is an optional empty-element tag and can be used several times to
           have more than one service entry enabled. A service entry has
           exactly one attribute:

           name="string"
               The name of the service to be enabled. To get a list of valid
               service names firewall-cmd --get-services can be used.

       port
           Is an optional empty-element tag and can be used several times to
           have more than one port entry. All attributes of a port entry are
           mandatory:

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       protocol
           Is an optional empty-element tag and can be used several times to
           have more than one protocol entry. A protocol entry has exactly one
           attribute:

           value="string"
               The protocol can be any protocol supported by the system. Please
               have a look at /etc/protocols for supported protocols.

       icmp-block
           Is an optional empty-element tag and can be used several times to
           have more than one icmp-block entry. Each icmp-block tag has exactly
           one mandatory attribute:

           name="string"
               The name of the Internet Control Message Protocol (ICMP) type to
               be blocked. To get a list of valid ICMP types firewall-cmd
               --get-icmptypes can be used.

       masquerade
           Is an optional empty-element tag. It can be used only once. If it's
           present, masquerading (IPv4 source NAT) is enabled for the zone.
           Masquerading applies to IPv4 only.

       forward-port
           Is an optional empty-element tag and can be used several times to
           have more than one port or packet forward entry. There are mandatory
           and also optional attributes for forward ports:

           Mandatory attributes:
               The local port and protocol to be forwarded.

               port="portid[-portid]"
                   The port can either be a single port number portid or a
                   port range portid-portid.

               protocol="tcp|udp|sctp|dccp"
                   The protocol can either be tcp, udp, sctp or dccp.

           Optional attributes:
               The destination of the forward. For local forwarding add
               to-port only. For remote forwarding add to-addr, and add to-port
               only if the destination port on the destination machine should
               differ from the local one. At least one of the two must be
               present.

               to-port="portid[-portid]"
                   The destination port or port range to forward to. If
                   omitted, the value of the port attribute is used as the
                   destination port, together with the to-addr attribute.

               to-addr="address"
                   The destination IP address, either IPv4 or IPv6.

       source-port
           Is an optional empty-element tag and can be used several times to
           have more than one source port entry. All attributes of a source
           port entry are mandatory:

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.
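
       The following is an added example, not firewalld's own code: a small
       lint pass over a zone file that checks the constraints stated in the
       tag descriptions above (one root <zone>, the 17-character name limit,
       the allowed target values, exactly one of address|mac|ipset on
       <source>, port and protocol on every port-carrying tag, to-port and/or
       to-addr on <forward-port>, and the single-use flag tags). firewalld
       validates zone files itself when it loads them; this is an independent
       pre-flight check you can run before dropping a file into
       /etc/firewalld/zones/. The two zone documents, the zone names and the
       addresses in them are constructed for the example. Flagging
       target="ACCEPT" for review is a judgement added here, not a rule from
       this manual page.

```python
"""Lint a firewalld zone XML file against the structure described above.

Added example, not firewalld's own code. firewalld validates zone files when
it loads them; this is an independent pre-flight check using only the
standard library. Zone names and the two documents below are constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

VALID_TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
MAX_ZONE_NAME = 17          # limit stated in DESCRIPTION above
SINGLE_USE = ("icmp-block-inversion", "forward", "masquerade")


def _port_ok(spec: str) -> bool:
    """Accept 'portid' or 'portid-portid', each in 1..65535, range in order."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    nums = [int(p) for p in parts]
    return all(1 <= n <= 65535 for n in nums) and nums == sorted(nums)


def lint_zone(zone_name: str, xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    if len(zone_name) > MAX_ZONE_NAME:
        findings.append(f"zone name {zone_name!r} exceeds {MAX_ZONE_NAME} chars")
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        return findings + [f"root element is <{root.tag}>, expected <zone>"]

    target = root.get("target")
    if target is not None and target not in VALID_TARGETS:
        findings.append(f"invalid target {target!r}")
    elif target == "ACCEPT":
        # Valid, but it admits everything no rule matches (trusted-zone
        # semantics), so it is worth surfacing in review.
        findings.append("target=ACCEPT accepts all traffic not matched by a rule")

    for src in root.findall("source"):
        keys = [k for k in ("address", "mac", "ipset") if src.get(k) is not None]
        if len(keys) != 1:
            findings.append(f"<source> needs exactly one of address|mac|ipset, got {keys}")
        elif keys == ["mac"] and not MAC_RE.match(src.get("mac")):
            findings.append(f"malformed MAC {src.get('mac')!r}")

    for tag in ("port", "source-port", "forward-port"):
        for el in root.findall(tag):
            port, proto = el.get("port"), el.get("protocol")
            if port is None or not _port_ok(port):
                findings.append(f"<{tag}> has invalid or missing port {port!r}")
            if proto not in VALID_PROTOCOLS:
                findings.append(f"<{tag}> has invalid or missing protocol {proto!r}")
            if tag == "forward-port":
                to_port, to_addr = el.get("to-port"), el.get("to-addr")
                if to_port is None and to_addr is None:
                    findings.append("<forward-port> needs to-port, to-addr or both")
                elif to_port is not None and not _port_ok(to_port):
                    findings.append(f"<forward-port> has invalid to-port {to_port!r}")

    for tag in SINGLE_USE:
        if len(root.findall(tag)) > 1:
            findings.append(f"<{tag}/> may appear only once")
    return findings


# Constructed sample: a DROP-target DMZ zone that forwards 8443 to a backend.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>dmz-web</short>
  <description>Constructed example zone for the linter.</description>
  <source address="198.51.100.0/24"/>
  <service name="https"/>
  <port port="8443" protocol="tcp"/>
  <forward-port port="8443" protocol="tcp" to-port="443" to-addr="10.0.0.5"/>
  <icmp-block name="echo-request"/>
</zone>
"""

# Constructed sample carrying several of the mistakes the text rules out.
BAD_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <source address="203.0.113.7" mac="00:11:22:33:44:55"/>
  <port port="70000" protocol="tcp"/>
  <forward-port port="25" protocol="icmp"/>
  <masquerade/>
  <masquerade/>
</zone>
"""

if __name__ == "__main__":
    for name, text in (("dmz-web", SAMPLE_ZONE), ("a-zone-name-that-is-too-long", BAD_ZONE)):
        for finding in lint_zone(name, text) or ["ok"]:
            print(f"{name}: {finding}")
```

       The checks are deliberately structural: they do not know which service
       or ICMP type names exist on the target host, so pair them with
       firewall-cmd --get-services and --get-icmptypes when a file is meant
       for a different system.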

       rule
           Is an optional element tag and can be used several times to have
           more than one rich language rule entry.

           The general rule structure:

               <rule [family="ipv4|ipv6"] [priority="priority"]>
                 [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                 [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                 [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
                 ]
                 [
                   <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                   <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
                 ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                 ]
               </rule>

           Rule structure for source black or white listing:

               <rule [family="ipv4|ipv6"] [priority="priority"]>
                 <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
                 [
                   <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                   <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
                 ]
                 [ <audit> [<limit value="rate/duration"/>] </audit> ]
                 <accept> [<limit value="rate/duration"/>] </accept> |
                 <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                 <drop> [<limit value="rate/duration"/>] </drop>
               </rule>

           For a full description on rich language rules, please have a look at
           firewalld.richlanguage(5).
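
           The <rule> element stored in a zone file and the one-line rich rule
           given to firewall-cmd --add-rich-rule describe the same thing. The
           following added example (not part of firewalld) walks the <rule>
           structure above and renders each rule as that one-line form, which
           is handy for reviewing a zone file or for replaying its rules
           through firewall-cmd on another host. The zone document, the
           addresses and the log prefix in it are constructed for the example.
           It assumes the rich-language syntax documented in
           firewalld.richlanguage(5), including writing an inverted source or
           destination match as "source NOT address=..."; check that manual
           page for the firewalld version in use.

```python
"""Render the <rule> elements of a firewalld zone file as rich-language strings.

Added example, not part of firewalld. Assumption: output follows the syntax
in firewalld.richlanguage(5), with invert="True" rendered as `NOT`.
The sample zone below is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# The element alternatives from the rule structure, in rich-language order.
ELEMENTS = ("service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port")
ELEMENT_ATTRS = ("name", "port", "protocol", "value", "to-port", "to-addr")
LOGS = ("log", "nflog")
LOG_ATTRS = ("group", "prefix", "level", "queue-size")
ACTIONS = ("accept", "reject", "drop", "mark")


def _attrs(el: ET.Element, order: tuple[str, ...]) -> str:
    """Render the element's attributes, in a fixed order, as key="value" pairs."""
    return " ".join(f'{k}="{el.get(k)}"' for k in order if el.get(k) is not None)


def _with_limit(el: ET.Element, head: str) -> str:
    """Append the optional <limit value="rate/duration"/> child to a clause."""
    limit = el.find("limit")
    if limit is not None and limit.get("value"):
        return f'{head} limit value="{limit.get("value")}"'
    return head


def rule_to_rich(rule: ET.Element) -> str:
    """Render one <rule> element as a single rich-language rule string."""
    if rule.tag != "rule":
        raise ValueError(f"expected <rule>, got <{rule.tag}>")
    tokens = ["rule"]
    head = _attrs(rule, ("family", "priority"))
    if head:
        tokens.append(head)
    for tag, keys in (("source", ("address", "mac", "ipset")),
                      ("destination", ("address", "ipset"))):
        el = rule.find(tag)
        if el is not None:
            inv = "NOT " if el.get("invert", "").lower() == "true" else ""
            tokens.append(f"{tag} {inv}{_attrs(el, keys)}")
    for tag in ELEMENTS:                      # at most one element per rule
        el = rule.find(tag)
        if el is not None:
            tokens.append(f"{tag} {_attrs(el, ELEMENT_ATTRS)}".rstrip())
    for tag in LOGS:                          # log | nflog
        el = rule.find(tag)
        if el is not None:
            tokens.append(_with_limit(el, f"{tag} {_attrs(el, LOG_ATTRS)}".rstrip()))
    el = rule.find("audit")
    if el is not None:
        tokens.append(_with_limit(el, "audit"))
    for tag in ACTIONS:                       # accept | reject | drop | mark
        el = rule.find(tag)
        if el is not None:
            tokens.append(_with_limit(el, f"{tag} {_attrs(el, ('type', 'set'))}".rstrip()))
    return " ".join(tokens)


def zone_rich_rules(xml_text: str) -> list[str]:
    """Parse a zone document and return its rules in rich-language form."""
    root = ET.fromstring(xml_text)
    return [rule_to_rich(r) for r in root.findall("rule")]


# Constructed sample: a management zone that admits SSH from one network with
# rate-limited logging, drops SSH from everywhere else, and rejects GRE.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>mgmt</short>
  <rule family="ipv4" priority="-10">
    <source address="192.0.2.0/24"/>
    <service name="ssh"/>
    <log prefix="mgmt-ssh" level="info">
      <limit value="5/m"/>
    </log>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="192.0.2.0/24" invert="True"/>
    <port port="22" protocol="tcp"/>
    <drop/>
  </rule>
  <rule>
    <protocol value="gre"/>
    <reject type="icmp-host-prohibited">
      <limit value="1/s"/>
    </reject>
  </rule>
</zone>
"""

if __name__ == "__main__":
    for rich in zone_rich_rules(SAMPLE_ZONE):
        print(f"firewall-cmd --permanent --zone=mgmt --add-rich-rule='{rich}'")
```

           Attribute order is fixed rather than copied from the XML so that
           two zone files with the same rules render identically, which makes
           the output diff-friendly when comparing hosts.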

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
       firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 2.0.2                                              FIREWALLD.ZONE(5)