Introduction to Linux firewalld zones and rules

In my previous article, "Beginner's guide to firewalld in Linux," we explored the basics of creating allow and deny lists for both services and ports inside of existing zones. If this doesn't sound familiar, I recommend that you check out that previous piece. However, if you are up to speed with firewalld, zone-based firewalls, and service/port-based rules, then you are in the right place. In this article, we look at three slightly more advanced features of firewalld and how to configure each. Let's get into it.

Create custom zones

As discussed previously, zone-based firewalls need zones to operate. The goal is to have different security measures for particular zones of the network. Let us assume that we need to create a new zone called enable_test. To do this, we use the following command:

[root@server ~]# firewall-cmd --permanent --new-zone=enable_test
success

This command creates a new, permanent zone titled enable_test. There are no services or ports added to enable_test yet. Therefore, no traffic is allowed in or out. If you have a configuration file that you normally use for firewall zone configs, you can use it by using this command:

[root@server ~]# firewall-cmd --permanent --new-zone-from-file=file --name=enable_test
success

Note 1: In --new-zone-from-file=file, file = the file path of the config.

Note 2: When creating zones, you must use the --permanent flag. You must also --reload the config for the changes to take place.

Assign an interface

Now that we have our new enable_test zone created, we need to associate a network interface with the zone. If we don't do this, we won't be able to use the new zone. I am going to associate it with the interface enp0s8.

Add the interface to the zone:

[root@server ~]# firewall-cmd --permanent --zone=enable_test --add-interface=enp0s8
success

Verify the interface association:

[root@server ~]# firewall-cmd --zone=enable_test --list-interfaces
enp0s8

If you need to remove the interface:

[root@server ~]# firewall-cmd --remove-interface=enp0s8 --zone=enable_test 
success

Advanced rule creation

Now, here is where things get interesting. There is a lot of flexibility in the rules you can create with firewalld. You aren't limited to just "deny this port," "allow this service," and so on... You can create highly complex rules for specific situations. These rules are known as rich rules.

Something to know about firewall rules—in general, they are made up of two parts:

1. Conditions that must be met before the rule can be enacted.
2. Actions to be carried out once those conditions are met. These actions are accept, reject, and drop.

Let's assume that we want to create a rule that states something like this:

Reject all FTP connections from Fedora client 2 (172.25.1.7)

[root@server ~]# firewall-cmd --zone=enable_test --add-rich-rule="rule \
family="ipv4" \
source address=172.25.1.7 \
service name=ftp \
reject \

Most of these options are self-explanatory; however, you must start with the keyword rule. The family option states the type of traffic to enact the rule on. If left blank, it will default to both IPv4 and IPv6 packets.

Need more info?

As you might have guessed, there are a huge number of options to create even more complex rules. Be sure to check out the firewalld documentation for further information. Hopefully, this look behind one of our most important curtains has been an enlightening experience. While firewalls and security systems are quite complex, at their most basic levels, they are just a set of rules—rules designed not to be broken.

[ Network getting out of control? Check out Network automation for everyone, a free book from Red Hat. ]