# Configuring Zones in firewalld

## Introduction
firewalld is a dynamic firewall daemon that provides a network/firewall zone abstraction for managing network connections and interfaces. Unlike traditional iptables configurations, firewalld uses zones to define trust levels for network connections, interfaces, and sources. This approach allows for more flexible and manageable firewall configurations, especially in environments where network conditions change frequently.
Zones in firewalld represent different trust levels for network connections. Each zone has a predefined set of rules that determine what traffic is allowed or blocked. Understanding and properly configuring zones is crucial for effective network security management using firewalld.
## Understanding firewalld Zones

### What are Zones
Zones in firewalld are predefined rule sets that define the trust level of network connections. Each zone contains rules for services, ports, protocols, and other firewall settings. When a connection, interface, or source is assigned to a zone, it inherits all the rules defined for that zone.
### Zone Characteristics
Each zone in firewalld has specific characteristics that define its behavior:
- Trust Level: Determines how restrictive the zone is
- Default Services: Predefined services that are allowed
- Target: Defines the default action for packets not matching any rule
- Interface Binding: Which network interfaces are assigned to the zone
- Source Binding: Which IP addresses or networks are assigned to the zone
### Default Zones in firewalld
firewalld comes with several predefined zones, each designed for specific use cases:
| Zone Name | Trust Level | Default Target | Description | Typical Use Case |
|-----------|-------------|----------------|-------------|------------------|
| drop | Minimal | DROP | All incoming connections dropped without reply | High-security environments |
| block | Minimal | REJECT | All incoming connections rejected with icmp-host-prohibited | Secure networks with explicit rejection |
| public | Low | default | For use in public areas, only selected incoming connections accepted | Default zone for most systems |
| external | Low | default | For use on external networks with masquerading enabled | Router/gateway configurations |
| dmz | Low | default | For computers in DMZ with limited access to internal network | DMZ servers and services |
| work | Medium | default | For use in work areas, trust most computers in network | Office environments |
| home | Medium | default | For use in home areas, trust most computers in network | Home networks |
| internal | High | default | For use on internal networks when you trust other computers | Internal corporate networks |
| trusted | Maximum | ACCEPT | All network connections accepted | Fully trusted environments |
## Zone Configuration Commands

### Basic Zone Management
#### Listing Zones
```bash
# List all available zones
firewall-cmd --get-zones

# List active zones (zones with assigned interfaces or sources)
firewall-cmd --get-active-zones

# Get default zone
firewall-cmd --get-default-zone

# List all zones with their configurations
firewall-cmd --list-all-zones
```

#### Setting Default Zone
```bash
# Set the default zone
firewall-cmd --set-default-zone=public

# Note: the default zone change is applied to the permanent configuration automatically
```

#### Zone Information
```bash
# Get information about a specific zone
firewall-cmd --zone=public --list-all

# List services in a zone
firewall-cmd --zone=public --list-services

# List ports in a zone
firewall-cmd --zone=public --list-ports

# List interfaces assigned to a zone
firewall-cmd --zone=public --list-interfaces

# List sources assigned to a zone
firewall-cmd --zone=public --list-sources
```

### Creating Custom Zones
#### Creating a New Zone
```bash
# Create a new custom zone
firewall-cmd --permanent --new-zone=custom-web

# Reload firewall to apply changes
firewall-cmd --reload

# Verify zone creation
firewall-cmd --get-zones
```

#### Deleting a Zone
```bash
# Delete a custom zone (must be permanent)
firewall-cmd --permanent --delete-zone=custom-web

# Reload firewall
firewall-cmd --reload
```

### Assigning Interfaces and Sources to Zones
#### Interface Assignment
```bash
# Assign interface to zone temporarily
firewall-cmd --zone=public --add-interface=eth0

# Assign interface to zone permanently
firewall-cmd --permanent --zone=public --add-interface=eth0

# Remove interface from zone
firewall-cmd --zone=public --remove-interface=eth0

# Change interface zone
firewall-cmd --zone=dmz --change-interface=eth0
```

#### Source Assignment
```bash
# Add source IP/network to zone
firewall-cmd --zone=trusted --add-source=192.168.1.100

# Add source network to zone permanently
firewall-cmd --permanent --zone=internal --add-source=192.168.1.0/24

# Remove source from zone
firewall-cmd --zone=trusted --remove-source=192.168.1.100

# Change source zone
firewall-cmd --zone=work --change-source=192.168.1.100
```

## Configuring Zone Rules
### Adding Services to Zones
#### Service Management
```bash
# Add service to zone temporarily
firewall-cmd --zone=public --add-service=http

# Add service permanently
firewall-cmd --permanent --zone=public --add-service=https

# Remove service from zone
firewall-cmd --zone=public --remove-service=http

# Add multiple services
firewall-cmd --zone=public --add-service=http --add-service=https --add-service=ssh
```

### Adding Ports to Zones
#### Port Management
```bash
# Add single port
firewall-cmd --zone=public --add-port=8080/tcp

# Add port permanently
firewall-cmd --permanent --zone=public --add-port=3306/tcp

# Add port range
firewall-cmd --zone=public --add-port=8000-8100/tcp

# Add UDP port
firewall-cmd --zone=public --add-port=53/udp

# Remove port
firewall-cmd --zone=public --remove-port=8080/tcp
```

### Rich Rules in Zones
Rich rules provide more granular control over firewall rules within zones:
```bash
# Allow specific IP to specific port
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port protocol="tcp" port="22" accept'

# Block specific IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.200" reject'

# Allow service for specific subnet
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'

# Rate limiting
firewall-cmd --zone=public --add-rich-rule='rule service name="ssh" accept limit value="10/m"'
```

## Advanced Zone Configuration
### Zone Targets
Zone targets define the default action for packets that don't match any specific rule:
```bash
# Set zone target to DROP
firewall-cmd --permanent --zone=public --set-target=DROP

# Set zone target to ACCEPT
firewall-cmd --permanent --zone=trusted --set-target=ACCEPT

# Set zone target to REJECT
firewall-cmd --permanent --zone=block --set-target=REJECT

# Reset to default target
firewall-cmd --permanent --zone=public --set-target=default
```

### Zone Target Options
| Target | Description | Behavior |
|--------|-------------|----------|
| default | Use system default | Typically REJECT with exceptions for allowed services |
| ACCEPT | Accept all packets | All traffic allowed unless explicitly blocked |
| REJECT | Reject packets | Send rejection message back to sender |
| DROP | Drop packets | Silently discard packets |
### Masquerading in Zones

Masquerading (source NAT) lets the host act as a gateway: packets forwarded out through the zone's interface have their source address rewritten to the host's own address.
```bash
# Enable masquerading in zone
firewall-cmd --zone=external --add-masquerade

# Enable masquerading permanently
firewall-cmd --permanent --zone=external --add-masquerade

# Disable masquerading
firewall-cmd --zone=external --remove-masquerade

# Check masquerading status
firewall-cmd --zone=external --query-masquerade
```

### Port Forwarding in Zones
```bash
# Forward port 80 to 8080
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toport=8080

# Forward to different host
firewall-cmd --zone=external --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.100:toport=80

# Remove port forwarding
firewall-cmd --zone=external --remove-forward-port=port=80:proto=tcp:toport=8080
```

## Practical Zone Configuration Examples
### Example 1: Web Server Configuration
Setting up a zone for a web server that needs to serve HTTP and HTTPS traffic:
```bash
# Create custom web server zone
firewall-cmd --permanent --new-zone=webserver

# Set description
firewall-cmd --permanent --zone=webserver --set-description="Web Server Zone"

# Add HTTP and HTTPS services
firewall-cmd --permanent --zone=webserver --add-service=http
firewall-cmd --permanent --zone=webserver --add-service=https

# Add SSH for administration
firewall-cmd --permanent --zone=webserver --add-service=ssh

# Add custom application port
firewall-cmd --permanent --zone=webserver --add-port=8080/tcp

# Assign interface to zone
firewall-cmd --permanent --zone=webserver --add-interface=eth0

# Reload configuration
firewall-cmd --reload

# Verify configuration
firewall-cmd --zone=webserver --list-all
```

### Example 2: Database Server Zone
Creating a zone for a database server accessible only from application servers:
```bash
# Create database zone
firewall-cmd --permanent --new-zone=database

# Add SSH for administration
firewall-cmd --permanent --zone=database --add-service=ssh

# Add MySQL port
firewall-cmd --permanent --zone=database --add-port=3306/tcp

# Allow only application servers subnet
firewall-cmd --permanent --zone=database --add-source=192.168.100.0/24

# Set restrictive target
firewall-cmd --permanent --zone=database --set-target=DROP

# Reload and verify
firewall-cmd --reload
firewall-cmd --zone=database --list-all
```

### Example 3: DMZ Configuration
Setting up a DMZ zone for publicly accessible services:
```bash
# Configure DMZ zone (already exists)

# Add web services
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-service=https

# Add mail services
firewall-cmd --permanent --zone=dmz --add-service=smtp
firewall-cmd --permanent --zone=dmz --add-service=pop3
firewall-cmd --permanent --zone=dmz --add-service=imap

# Add DNS
firewall-cmd --permanent --zone=dmz --add-service=dns

# Add SSH with rate limiting using rich rules
firewall-cmd --permanent --zone=dmz --add-rich-rule='rule service name="ssh" accept limit value="5/m"'

# Assign DMZ interface
firewall-cmd --permanent --zone=dmz --add-interface=eth1

# Reload configuration
firewall-cmd --reload
```

## Zone Priority and Rule Processing
### Understanding Zone Priority
When multiple zones could match a connection, firewalld uses the following priority order:
1. Source-based zones: Zones assigned to specific IP addresses or networks
2. Interface-based zones: Zones assigned to specific network interfaces
3. Default zone: The system's default zone
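The decision order above, as an added example that is not part of this guide or of firewalld itself: a small Python model of zone selection. The zone layout it uses (a trusted subnet bound to `internal`, the DMZ NIC bound to `dmz`, `public` as default zone) is constructed for illustration, and the model assumes source bindings of different zones do not overlap.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Zone:
    """Bindings a zone carries: --add-source CIDRs and --add-interface names."""
    name: str
    sources: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)

def select_zone(zones, default_zone, src_ip, in_iface):
    """Return (zone name, reason) for a packet arriving from src_ip on in_iface.

    The order mirrors the priority list above: a source binding beats an
    interface binding, and the default zone is used only when neither matches.
    Assumption: source bindings of different zones do not overlap, so the
    first matching binding is the only one.
    """
    ip = ipaddress.ip_address(src_ip)
    # 1. Source-based zones
    for zone in zones:
        for cidr in zone.sources:
            if ip in ipaddress.ip_network(cidr, strict=False):
                return zone.name, "source"
    # 2. Interface-based zones
    for zone in zones:
        if in_iface in zone.interfaces:
            return zone.name, "interface"
    # 3. Default zone
    return default_zone, "default"

# Constructed layout: a trusted subnet bound to "internal", the DMZ NIC bound
# to "dmz", and "public" left as the default zone (no binding of its own).
EXAMPLE_ZONES = [
    Zone("internal", sources=["192.168.100.0/24"]),
    Zone("dmz", interfaces=["eth1"]),
]

if __name__ == "__main__":
    for src, iface in [("192.168.100.7", "eth1"), ("203.0.113.9", "eth1"), ("203.0.113.9", "eth0")]:
        zone, why = select_zone(EXAMPLE_ZONES, "public", src, iface)
        print(f"{src:>15} via {iface}: zone={zone} ({why})")
```

Note the first case: a packet claiming a source in the trusted subnet lands in `internal` even though it arrived on the DMZ interface, which is why source bindings on permissive zones need anti-spoofing controls on the host or upstream.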
### Rule Processing Order
Within a zone, rules are processed in this order:
1. Rich rules (processed in the order they were added)
2. Services
3. Ports
4. Protocols
5. Source ports
6. Masquerading
7. Port forwarding
8. ICMP blocks
9. Target action
## Troubleshooting Zone Configuration

### Common Issues and Solutions
#### Zone Assignment Problems
```bash
# Check which zone an interface belongs to
firewall-cmd --get-zone-of-interface=eth0

# Check which zone a source belongs to
firewall-cmd --get-zone-of-source=192.168.1.100

# List all active zones and their assignments
firewall-cmd --get-active-zones
```

#### Service and Port Issues
```bash
# Verify service is available
firewall-cmd --get-services | grep servicename

# Check if port is open in zone
firewall-cmd --zone=public --query-port=80/tcp

# Check if service is enabled in zone
firewall-cmd --zone=public --query-service=http
```

#### Testing Zone Configuration
```bash
# Test from another system
telnet target-ip port-number

# Use nmap to scan ports
nmap -p 80,443 target-ip

# Check firewall logs
journalctl -f -u firewalld

# Enable logging for denied packets
firewall-cmd --set-log-denied=all
```

### Debugging Commands
```bash
# Get detailed zone information
firewall-cmd --info-zone=public

# Check firewall state
firewall-cmd --state

# Reload firewall rules (keeps connection state; runtime-only changes are lost)
firewall-cmd --reload

# Complete reload, including netfilter kernel modules (connection state is lost)
firewall-cmd --complete-reload

# Check for configuration errors
firewall-cmd --check-config
```

## Best Practices for Zone Configuration
### Security Considerations

1. Principle of Least Privilege: Only open ports and services that are absolutely necessary
2. Use Specific Zones: Create custom zones for specific purposes rather than modifying default zones
3. Regular Auditing: Regularly review zone configurations and remove unused rules
4. Source-based Rules: Use source-based zone assignments for better security control
### Configuration Management
1. Always Use Permanent Rules: Use the --permanent flag for production configurations
2. Document Changes: Keep track of why specific rules were added
3. Test Before Deployment: Test zone configurations in a non-production environment
4. Backup Configurations: Regularly backup firewalld configurations
### Performance Optimization

1. Minimize Rich Rules: Use services and ports instead of rich rules when possible
2. Order Rich Rules: Place most frequently matched rules first
3. Use Appropriate Targets: Set appropriate zone targets to minimize rule processing
## Configuration File Locations
firewalld zone configurations are stored in XML files:
### System Zones

```
/usr/lib/firewalld/zones/
```

### Custom Zones
```
/etc/firewalld/zones/
```

### Zone File Structure
Example zone file (/etc/firewalld/zones/custom-web.xml):
```xml
```
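Since zone files are plain XML, the "Regular Auditing" practice above can be scripted. The following is an added example, not code from this guide or from the firewalld project: it parses a constructed zone file (the `<zone>` element with `service`, `port`, `interface`, `source` and `masquerade` children, and an optional `target` attribute in which REJECT is stored as `%%REJECT%%`) and flags settings that contradict least privilege.

```python
import xml.etree.ElementTree as ET

# Constructed zone file for illustration (not taken from the page): a custom
# zone with an ACCEPT target, ssh open to everyone and no source binding.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>custom-web</short>
  <description>Web Server Zone</description>
  <interface name="eth0"/>
  <service name="http"/>
  <service name="https"/>
  <service name="ssh"/>
  <port port="8080" protocol="tcp"/>
  <masquerade/>
</zone>
"""

def parse_zone(xml_text):
    """Summarize a firewalld zone XML document as a plain dict."""
    root = ET.fromstring(xml_text)
    # No target attribute means the "default" target; REJECT is stored as %%REJECT%%.
    target = root.get("target", "default").replace("%%", "")
    return {
        "short": (root.findtext("short") or "").strip(),
        "target": target,
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [f"{e.get('port')}/{e.get('protocol')}" for e in root.findall("port")],
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "sources": [e.get("address") for e in root.findall("source")],
        "masquerade": root.find("masquerade") is not None,
        "rich_rules": len(root.findall("rule")),
    }

def audit_zone(summary):
    """Flag settings that run against the least-privilege guidance in this guide."""
    findings = []
    if summary["target"] == "ACCEPT":
        findings.append("target=ACCEPT: all traffic not explicitly blocked is allowed")
    if "ssh" in summary["services"] and not summary["sources"]:
        findings.append("ssh allowed from any source; bind a source or use a rich rule")
    if summary["masquerade"]:
        findings.append("masquerade enabled: confirm this host is meant to act as a gateway")
    if not summary["interfaces"] and not summary["sources"]:
        findings.append("no interface or source binding: inactive unless it is the default zone")
    return findings

if __name__ == "__main__":
    summary = parse_zone(SAMPLE_ZONE_XML)
    for finding in audit_zone(summary):
        print("FINDING:", summary["short"], finding)
```

Run it over every file in `/etc/firewalld/zones/` to review custom zones in one pass; the checks are heuristics to extend with your own policy.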
## Monitoring and Logging

### Enable Logging
```bash
# Enable logging for denied packets
firewall-cmd --set-log-denied=all

# Log only unicast packets
firewall-cmd --set-log-denied=unicast

# Disable logging
firewall-cmd --set-log-denied=off
```

### View Logs
```bash
# View firewalld logs
journalctl -u firewalld

# Follow logs in real-time
journalctl -f -u firewalld

# View kernel messages for dropped packets
dmesg | grep -i "dropped"

# Check system logs for firewall messages
tail -f /var/log/messages | grep kernel
```

This guide has covered configuring zones in firewalld, from basic concepts to advanced configuration and troubleshooting. Understanding these concepts and commands will enable you to manage network security effectively using firewalld's zone-based approach.
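The denied-packet lines that `--set-log-denied` produces (see the Monitoring and Logging section above) are netfilter log entries: a prefix such as `FINAL_REJECT` followed by `KEY=VALUE` fields. The following is an added example, not code from this guide: it parses a constructed journal excerpt (hostnames, addresses and timestamps are illustrative) and summarizes which sources and ports are being refused, which is the first thing to check when a legitimate client is blocked or when a host is being probed.

```python
import re
from collections import Counter, defaultdict

# Constructed journal excerpt of the kind produced after --set-log-denied=all (illustrative values).
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 kernel: FINAL_REJECT: IN=eth0 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 10 12:00:02 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=3306 SYN URGP=0
Jan 10 12:00:03 web1 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN URGP=0
Jan 10 12:00:04 web1 kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=40 PROTO=TCP SPT=51234 DPT=22 ACK URGP=0
Jan 10 12:00:05 web1 systemd[1]: Started firewalld - dynamic firewall daemon.
"""

# Netfilter log lines: "<prefix>: " followed by KEY=VALUE fields and bare flags (DF, SYN).
LINE_RE = re.compile(r"kernel: (?P<prefix>[A-Za-z0-9_]+): (?P<fields>.*)$")

def parse_denied(text):
    """Extract one event per denied-packet log line; other journal lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
        events.append({
            "prefix": m.group("prefix"),   # e.g. FINAL_REJECT, STATE_INVALID_DROP
            "iface": fields.get("IN", ""),
            "src": fields.get("SRC"),
            "proto": fields.get("PROTO"),
            "dport": fields.get("DPT"),
        })
    return events

def top_sources_and_ports(events):
    """Counters of denied packets per source address and per proto/port."""
    by_src = Counter(e["src"] for e in events)
    by_port = Counter(f"{e['proto']}/{e['dport']}" for e in events if e["dport"])
    return by_src, by_port

def sources_probing_many_ports(events, min_ports=2):
    """Sources refused on at least min_ports distinct ports, a cheap sweep indicator."""
    ports = defaultdict(set)
    for e in events:
        if e["dport"]:
            ports[e["src"]].add(e["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

if __name__ == "__main__":
    ev = parse_denied(SAMPLE_LOG)
    by_src, by_port = top_sources_and_ports(ev)
    print(by_src.most_common(3), by_port.most_common(3), sources_probing_many_ports(ev))
```

Feed it real data with `journalctl -k --no-pager | python3 denied_summary.py` (file name assumed) after adapting the script to read stdin.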