FIREWALLD.ZONE(5)               firewalld.zone               FIREWALLD.ZONE(5)

NAME

       firewalld.zone - firewalld zone configuration files


SYNOPSIS

       /etc/firewalld/zones/zone.xml

       /usr/lib/firewalld/zones/zone.xml


DESCRIPTION

       A firewalld zone configuration file contains the information for a
       zone. These are the zone description, services, ports, protocols,
       icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich
       language rules in an XML file format. The file name has to be
       zone_name.xml, where the length of zone_name is currently limited to 17
       chars.

       This is the structure of a zone configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"] [ingress-priority="priority"] [egress-priority="priority"]>
               [ <interface name="string"/> ]
               [ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
               [ <icmp-block-inversion/> ]
               [ <forward/> ]
               [ <short>short description</short> ]
               [ <description>description</description> ]
               [ <service name="string"/> ]
               [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [ <protocol value="protocol"/> ]
               [ <icmp-block name="string"/> ]
               [ <masquerade/> ]
               [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
               [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [
                   <rule [family="ipv4|ipv6"] [priority="priority"]>
                       [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                       [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                       [
                           <service name="string"/> |
                           <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                           <protocol value="protocol"/> |
                           <icmp-block name="icmptype"/> |
                           <icmp-type name="icmptype"/> |
                           <masquerade/> |
                           <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
                       ]
                       [
                           <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                           <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
                       ]
                       [ <audit> [<limit value="rate/duration"/>] </audit> ]
                       [
                           <accept> [<limit value="rate/duration"/>] </accept> |
                           <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                           <drop> [<limit value="rate/duration"/>] </drop> |
                           <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                       ]
                   </rule>
               ]
           </zone>

       The config can contain these tags and attributes. Some of them are
       mandatory, others optional.

   zone
       The mandatory zone start and end tag defines the zone. This tag can
       only be used once in a zone configuration file. There are optional
       attributes for zones:

       version="string"
           To give the zone a version.

       target="ACCEPT|%%REJECT%%|DROP"
           Can be used to accept, reject or drop every packet that doesn't
           match any rule (port, service, etc.). The ACCEPT target is used in
           the trusted zone to accept every packet not matching any rule. The
           %%REJECT%% target is used in the block zone to reject (with the
           default firewalld reject type) every packet not matching any rule.
           The DROP target is used in the drop zone to drop every packet not
           matching any rule. If the target is not specified, every packet not
           matching any rule will be rejected.

       ingress-priority="priority"
           Ingress priority for classifying traffic into a zone. A zone with a
           lower priority value will be considered before a zone with a higher
           priority value. This allows custom ordering of zone dispatch.

       egress-priority="priority"
           Same as ingress-priority, but for egress classification.

   interface
       Is an optional empty-element tag and can be used several times. It can
       be used to bind an interface to a zone. You don't need this for
       NetworkManager-managed interfaces, because NetworkManager binds
       interfaces to zones automatically. See also 'How to set or change a
       zone for a connection?' in firewalld.zones(5). You can use it as a
       fallback mechanism for interfaces that can't be managed via
       NetworkManager. An interface entry has exactly one attribute:

       name="string"
           The name of the interface to be bound to the zone.

   source
       Is an optional empty-element tag and can be used several times. It can
       be used to bind a source address, address range, a MAC address or an
       ipset to a zone. A source entry has exactly one of these attributes:

       address="address[/mask]"
           The source is either an IP address or a network IP address with a
           mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be
           automatically discovered. For IPv4, the mask can be a network mask
           or a plain number. For IPv6 the mask is a plain number. The use of
           host names is not supported.

       mac="MAC"
           The source is a MAC address. It must be of the form
           XX:XX:XX:XX:XX:XX.

       ipset="ipset"
           The source is an ipset.

   icmp-block-inversion
       Is an optional empty-element tag and can be used only once in a zone
       configuration. This flag inverts the icmp block handling. Only enabled
       ICMP types are accepted and all others are rejected in the zone.

   forward
       Is an optional empty-element tag and can be used only once in a zone
       configuration. This flag enables intra-zone forwarding. When enabled,
       packets will be forwarded between interfaces or sources within a zone,
       even if the zone's target is not set to ACCEPT.

   short
       Is an optional start and end tag and is used to give a more readable
       name.

   description
       Is an optional start and end tag to have a description.

   service
       Is an optional empty-element tag and can be used several times to have
       more than one service entry enabled. A service entry has exactly one
       attribute:

       name="string"
           The name of the service to be enabled. To get a list of valid
           service names firewall-cmd --get-services can be used.

   port
       Is an optional empty-element tag and can be used several times to have
       more than one port entry. All attributes of a port entry are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   protocol
       Is an optional empty-element tag and can be used several times to have
       more than one protocol entry. Each protocol entry has exactly one
       attribute:

       value="string"
           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

   icmp-block
       Is an optional empty-element tag and can be used several times to have
       more than one icmp-block entry. Each icmp-block tag has exactly one
       mandatory attribute:

       name="string"
           The name of the Internet Control Message Protocol (ICMP) type to be
           blocked. To get a list of valid ICMP types firewall-cmd
           --get-icmptypes can be used.

   masquerade
       Is an optional empty-element tag. It can be used only once. If it's
       present masquerading is enabled.

   forward-port
       Is an optional empty-element tag and can be used several times to have
       more than one port or packet forward entry. There are mandatory and
       also optional attributes for forward ports:

       Mandatory attributes:
           The local port and protocol to be forwarded.

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       Optional attributes:
           The destination of the forward. For local forwarding add to-port
           only. For remote forwarding add to-addr and use to-port optionally
           if the destination port on the destination machine should be
           different.

           to-port="portid[-portid]"
               The destination port or port range to forward to. If omitted,
               the value of the port= attribute will be used together with
               the to-addr attribute.

           to-addr="address"
               The destination IP address either for IPv4 or IPv6.

   source-port
       Is an optional empty-element tag and can be used several times to have
       more than one source port entry. All attributes of a source port entry
       are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   rule
       Is an optional element tag and can be used several times to have more
       than one rich language rule entry.

       The general rule structure:

           <rule [family="ipv4|ipv6"] [priority="priority"]>
               [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
               [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
               [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
               ]
               [
                   <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                   <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
               ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
               ]
           </rule>

       Rule structure for source black or white listing:

           <rule [family="ipv4|ipv6"] [priority="priority"]>
               <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
               [
                   <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
                   <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
               ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               <accept> [<limit value="rate/duration"/>] </accept> |
               <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
               <drop> [<limit value="rate/duration"/>] </drop>
           </rule>

       For a full description of rich language rules, please have a look at
       firewalld.richlanguage(5).
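
       As an added example (my own code, not part of firewalld or of this man
       page), the following Python linter parses a constructed zone file laid
       out as documented above and checks the constraints this page states:
       the 17-character name limit, the allowed target values, port and
       protocol values, exactly one selector on a source element, and at most
       one action element per rich rule. The zone content, the name "mgmt" and
       the interface eth1 are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Value sets taken from the attribute descriptions in firewalld.zone(5).
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}
ACTIONS = {"accept", "reject", "drop", "mark"}
PORT_RE = re.compile(r"^\d{1,5}(-\d{1,5})?$")  # portid or portid-portid

# Constructed sample zone (not shipped with firewalld): drop everything that
# matches no rule, bind eth1, and accept ssh only from one admin network,
# logging those accepts at a limited rate.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Mgmt</short>
  <description>Management interface: ssh from the admin network only.</description>
  <interface name="eth1"/>
  <rule family="ipv4">
    <source address="10.0.0.0/24"/>
    <service name="ssh"/>
    <log prefix="mgmt-ssh" level="info"><limit value="3/m"/></log>
    <accept/>
  </rule>
</zone>
"""

def lint_zone(xml_text, zone_name):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    if len(zone_name) > 17:  # file name is zone_name.xml, zone_name max 17 chars
        problems.append("zone name %r longer than 17 chars" % zone_name)
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        return problems + ["root element must be <zone>, got <%s>" % root.tag]
    target = root.get("target")
    if target is not None and target not in TARGETS:
        problems.append("invalid target %r" % target)
    for el in root.iter():
        if el.tag in ("port", "source-port", "forward-port"):
            if not PORT_RE.match(el.get("port", "")):
                problems.append("<%s> has bad port %r" % (el.tag, el.get("port")))
            if el.get("protocol") not in PROTOCOLS:
                problems.append("<%s> has bad protocol %r" % (el.tag, el.get("protocol")))
        elif el.tag == "source":
            # exactly one of address / mac / ipset (invert= may accompany it in a rule)
            if len({"address", "mac", "ipset"} & set(el.attrib)) != 1:
                problems.append("<source> needs exactly one of address, mac or ipset")
    for rule in root.findall("rule"):
        if sum(1 for child in rule if child.tag in ACTIONS) > 1:
            problems.append("a <rule> may carry at most one action element")
    return problems
```

       Running lint_zone(SAMPLE_ZONE, "mgmt") returns an empty list; a zone
       with a misspelled target or a port element with protocol="icmp" is
       reported, which is the kind of mistake firewalld would otherwise reject
       only at reload time.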

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 2.0.2                                              FIREWALLD.ZONE(5)