<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[
<!ENTITY authors SYSTEM "authors.xml">
<!ENTITY seealso SYSTEM "seealso.xml">
<!ENTITY notes SYSTEM "notes.xml">
<!ENTITY policy_zone_syntax SYSTEM "policy_zone_syntax.xml">
<!ENTITY policy_zone_descriptions SYSTEM "policy_zone_descriptions.xml">
]>
<!--
SPDX-License-Identifier: GPL-2.0-or-later
This file is part of firewalld.
Copyright (C) 2010-2013 Red Hat, Inc.
Authors:
Thomas Woerner <twoerner@redhat.com>
-->
<refentry id="firewalld.zone">
<refentryinfo>
<title>firewalld.zone</title>
<productname>firewalld</productname>
&authors;
</refentryinfo>
<refmeta>
<refentrytitle>firewalld.zone</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>firewalld.zone</refname>
<refpurpose>firewalld zone configuration files</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para>
<filename><config.sysconfdir/>/firewalld/zones/zone.xml</filename>
</para>
<para>
<filename><config.prefix/>/lib/firewalld/zones/zone.xml</filename>
</para>
</refsynopsisdiv>
<refsect1 id="description">
<title>Description</title>
<para>
A firewalld zone configuration file contains the information for a zone.
These are the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich language rules in an XML file format.
The file name has to be <replaceable>zone_name</replaceable>.xml, where the length of <replaceable>zone_name</replaceable> is currently limited to 17 characters.
</para>
<para>
This is the structure of a zone configuration file:
<programlisting>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;zone [version="<replaceable>versionstring</replaceable>"] [target="<literal>ACCEPT</literal>|<literal>%%REJECT%%</literal>|<literal>DROP</literal>"] [ingress-priority="<replaceable>priority</replaceable>"] [egress-priority="<replaceable>priority</replaceable>"]&gt;
  [ &lt;interface name="<replaceable>string</replaceable>"/&gt; ]
  [ &lt;source address="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"|mac="<replaceable>MAC</replaceable>"|ipset="<replaceable>ipset</replaceable>"/&gt; ]
  [ &lt;icmp-block-inversion/&gt; ]
  [ &lt;forward/&gt; ]
  &policy_zone_syntax;
&lt;/zone&gt;
</programlisting>
</para>
<para>
The config can contain these tags and attributes. Some of them are mandatory, others optional.
</para>
<refsect2 id="zone">
<title>zone</title>
<para>
The mandatory zone start and end tag defines the zone. This tag can only be used once in a zone configuration file. There are optional attributes for zones:
</para>
<variablelist>
<varlistentry>
<term>version="<replaceable>string</replaceable>"</term>
<listitem>
<para>
To give the zone a version.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>target="<literal>ACCEPT</literal>|<literal>%%REJECT%%</literal>|<literal>DROP</literal>"</term>
<listitem>
<para>
Can be used to accept, reject or drop every packet that doesn't
match any rule (port, service, etc.).
</para>
<para>
<literal>ACCEPT</literal>
is special: packets which are not addressed to the host
will be forwarded to their destination regardless of the
zone's
<xref linkend="forward" endterm="forward.title"/>
setting, or any policies attached to the zone.
</para>
<para>
If unspecified, the default behavior applies: ICMP will be
accepted and everything else will be rejected.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ingress-priority="<replaceable>priority</replaceable>"</term>
<listitem>
<para>
Ingress priority for classifying traffic into a zone. A zone with
a lower priority value will be considered before a zone with a
higher priority value. This allows custom ordering of zone
dispatch.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>egress-priority="<replaceable>priority</replaceable>"</term>
<listitem>
<para>
Same as ingress-priority, but for egress classification.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id="interface">
<title>interface</title>
<para>
Is an optional empty-element tag and can be used several times. It can be used to bind an interface to a zone.
You don't need this for NetworkManager-managed interfaces, because NetworkManager binds interfaces to zones automatically.
See also 'How to set or change a zone for a connection?' in <citerefentry><refentrytitle>firewalld.zones</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
You can use it as a fallback mechanism for interfaces that can't be managed via NetworkManager.
An interface entry has exactly one attribute:
</para>
<variablelist>
<varlistentry>
<term>name="<replaceable>string</replaceable>"</term>
<listitem>
<para>
The name of the interface to be bound to the zone.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id="source">
<title>source</title>
<para>
Is an optional empty-element tag and can be used several times. It can be used to bind a source address, address range, a MAC address or an ipset to a zone. A source entry has exactly one of these attributes:
</para>
<variablelist>
<varlistentry>
<term>address="<replaceable>address</replaceable><optional>/<replaceable>mask</replaceable></optional>"</term>
<listitem>
<para>
The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>mac="<replaceable>MAC</replaceable>"</term>
<listitem>
<para>
The source is a MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipset="<replaceable>ipset</replaceable>"</term>
<listitem>
<para>
The source is an ipset.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2 id="icmp-block-inversion">
<title>icmp-block-inversion</title>
<para>
Is an optional empty-element tag and can be used only once in a zone configuration. This flag inverts the icmp block handling. Only enabled ICMP types are accepted and all others are rejected in the zone.
</para>
</refsect2>
<refsect2 id="forward">
<title id="forward.title">forward</title>
<para>
Is an optional empty-element tag and can be used only once in a zone configuration. This flag enables intra-zone forwarding. When enabled, packets will be forwarded between interfaces or sources within a zone, even if the zone's target is not set to <literal>ACCEPT</literal>.
</para>
</refsect2>
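<para>
The following is an added example, not part of firewalld itself: a small lint that loads a constructed zone file and checks the constraints stated above (zone name length, the allowed <literal>target</literal> values, at most one <literal>forward</literal> and <literal>icmp-block-inversion</literal> element, and exactly one of <literal>address</literal>, <literal>mac</literal> or <literal>ipset</literal> per <literal>source</literal>). The <literal>service</literal> element in the sample comes from the policy syntax included above via the entity, and the function and message names are this example's own.
</para>

```python
"""Lint a firewalld zone file against the rules stated in firewalld.zone(5).

Added example, not firewalld's own loader. Names (lint_zone, SAMPLE) are
this example's own; the sample zone below is constructed for illustration.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")  # XX:XX:XX:XX:XX:XX
TARGETS = {"ACCEPT", "%%REJECT%%", "DROP"}  # the only accepted target values


def lint_zone(zone_name, xml_text):
    """Return a list of problems found; an empty list means the file passes."""
    problems = []
    if len(zone_name) > 17:  # file name is zone_name.xml, max 17 characters
        problems.append("zone name longer than 17 characters")
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        return problems + ["root element must be <zone>"]
    target = root.get("target")
    if target is not None and target not in TARGETS:
        problems.append(f"unknown target {target!r}")
    for tag in ("forward", "icmp-block-inversion"):  # usable only once
        if len(root.findall(tag)) > 1:
            problems.append(f"<{tag}/> may appear only once")
    for src in root.findall("source"):
        keys = sorted(k for k in ("address", "mac", "ipset") if src.get(k))
        if len(keys) != 1:
            problems.append(f"<source> needs exactly one of address/mac/ipset, got {keys}")
            continue
        if keys == ["address"]:
            try:  # accepts v4/v6, dotted or numeric mask; rejects host names
                ipaddress.ip_network(src.get("address"), strict=False)
            except ValueError:
                problems.append(f"bad source address {src.get('address')!r}")
        elif keys == ["mac"] and not MAC_RE.match(src.get("mac")):
            problems.append(f"bad MAC {src.get('mac')!r}")
    return problems


# Constructed sample: a DROP zone bound to eth1 and a management subnet.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <interface name="eth1"/>
  <source address="10.0.0.0/255.255.255.0"/>
  <source mac="00:11:22:33:44:55"/>
  <service name="ssh"/>
</zone>"""

if __name__ == "__main__":
    print(lint_zone("mgmt", SAMPLE) or "ok")
```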
&policy_zone_descriptions;
</refsect1>
&seealso;
&notes;
</refentry>