Firewalld zones

firewalld segregates incoming traffic into zones. Each zone is a collection of rules. To select the zone that applies to an incoming connection, firewalld evaluates the following three rules in the given order:

  • The source address of the incoming packet is matched against the source addresses bound to each zone. If the source address matches, the packet is handled by that zone.
  • If the source address does not match any zone, the incoming interface of the packet is matched against the interfaces bound to each zone, and the matching zone is used.
  • If neither the source address nor the incoming interface of the packet matches, the rules of the default zone are applied to the packet. The default zone is one of the zones defined by the system or the user; by default, the public zone is the default zone. An example of using firewall-cmd to list the available zones and the default zone is shown in the following screenshot:
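The selection order above, modelled as an added Python example (this is not code from the book or from firewalld itself). The zone names are the predefined ones from this chapter; the source and interface bindings, the default zone and the sample packets are constructed, and the tie-break for overlapping source prefixes is an assumption of the model.

```python
# Added example: a small model of firewalld's zone selection order.
# Rule 1: source binding, rule 2: interface binding, rule 3: default zone.
# Bindings and packets below are constructed sample data.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)     # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)  # NICs bound with --add-interface


def select_zone(zones, default_zone, src_ip, in_iface):
    """Return the name of the zone that handles a packet from src_ip on in_iface.

    Rule 1: a zone whose source list contains src_ip wins, even if the
    interface is bound elsewhere. Overlapping prefixes are resolved by the
    most specific prefix (assumption of this model; the text does not say).
    Rule 2: otherwise the zone the incoming interface is bound to.
    Rule 3: otherwise the default zone.
    """
    ip = ipaddress.ip_address(src_ip)
    best = None  # (prefix length, zone name) of the most specific source match
    for z in zones:
        for cidr in z.sources:
            net = ipaddress.ip_network(cidr, strict=False)
            if ip in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, z.name)
    if best is not None:
        return best[1]
    for z in zones:
        if in_iface in z.interfaces:
            return z.name
    return default_zone


# Constructed configuration: eth0 is bound to trusted, but one network is
# pinned to the drop zone by source address, so it loses even on eth0.
# eth1 has no interface binding at all and falls through to the default zone.
ZONES = [
    Zone("trusted", interfaces=["eth0"]),
    Zone("drop", sources=["203.0.113.0/24"]),
    Zone("internal", sources=["10.0.0.0/8"]),
]
DEFAULT_ZONE = "public"

if __name__ == "__main__":
    for ip, iface in [("203.0.113.7", "eth0"), ("192.0.2.1", "eth0"),
                      ("10.1.2.3", "eth1"), ("198.51.100.4", "eth1")]:
        print(f"{ip} via {iface} -> {select_zone(ZONES, DEFAULT_ZONE, ip, iface)}")
```

The first packet shows the point that matters for hardening: a source binding takes precedence over the interface binding, so a source placed in the drop zone is dropped even when it arrives on a trusted interface.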

The predefined zones available in firewalld and their descriptions are as follows:

  • trusted: Allows all incoming traffic.
  • home: Used for home networks. Incoming traffic is rejected unless it is related to outgoing traffic or it matches one of the zone's predefined services, such as ssh, mdns, ipp-client, samba-client, or dhcpv6-client.
  • internal: Has the same rules as the home zone. It is generally used for internal networks.
  • work: Incoming traffic is rejected unless it is related to outgoing traffic or it matches one of the zone's predefined services, such as ssh, mdns, ipp-client, or dhcpv6-client.
  • public: Incoming traffic is rejected unless it is related to outgoing traffic or it matches one of the zone's predefined services, such as ssh or dhcpv6-client.
  • external: Incoming traffic is rejected unless it is related to outgoing traffic or it matches one of the zone's predefined services, such as ssh. Outgoing IPv4 traffic forwarded from this zone is masqueraded (NAT) so that it appears to originate from the outgoing network interface.
  • dmz: The demilitarized zone. Only selected incoming connections with limited access to the internal network are allowed; all other traffic is rejected.
  • block: All incoming traffic is rejected with an icmp-host-prohibited message. Only incoming traffic related to connections initiated by the system itself is allowed.
  • drop: All incoming traffic is dropped, without any ICMP error, unless it is related to outgoing traffic.
