BCE-C712 Linux System Administration

0 of 74 lessons complete (0%)

TCP/IP Firewall and IP Masquerade

Firewall Zones (firewalld)

You don’t have access to this lesson

Please register or sign in to access the course content.

In Linux, especially in distributions that use firewalld as the default firewall management tool (like Fedora and CentOS), the concept of “firewall zones” plays a crucial role in defining rules and policies for different network environments. Let’s delve into firewall zones and how they work:

What are Firewall Zones?

A firewall zone is a predefined set of rules that define the level of trust and access permissions for a specific network or interface. Each zone is associated with a particular network scenario or environment, such as “public”, “home”, “work”, “internal”, etc. The rules within a zone dictate how incoming and outgoing traffic is handled.

Common Firewall Zones:

  1. Public:
    • Suitable for networks that are considered untrusted, such as public Wi-Fi networks or the internet. Default settings are restrictive.
  2. Internal:
    • Typically used for trusted internal networks where you have control over all connected devices. Default settings may allow more communication.
  3. Home:
    • Intended for residential environments. It assumes a higher level of trust than “public” but still provides some protection.
  4. Work:
    • Geared towards corporate or business networks. It allows more communication than the “public” zone but still enforces certain restrictions.
  5. DMZ (Demilitarized Zone):
    • Used to isolate servers that need to be accessible from the internet, like web servers or email servers.
  6. Block:
    • All incoming connections are dropped without any reply. This is a very restrictive zone.
  7. Drop:
    • Similar to “Block”, but incoming connections are simply dropped without any reply. This provides a bit of stealth.

How Firewall Zones Work:

  1. Assigning Zones to Interfaces:
    • Each network interface on your system is assigned to a specific zone. This determines the set of rules that will be applied to the traffic passing through that interface.
  2. Defining Rules:
    • For each zone, you can define specific rules that dictate what kind of traffic is allowed or denied. These rules can include port openings, service access, and more.
  3. Default Zone:
    • There is a default zone which is used for any interface that doesn’t have a specific zone assigned. It’s important to set the default zone to the one that aligns with your network environment.

Changing Firewall Zones:

  1. List Available Zones:
    • View the list of available zones and their properties:
    • sudo firewall-cmd --get-zones
  2. Assign Zone to Interface:
    • To assign a zone to a specific interface (e.g., eth0):
    • sudo firewall-cmd --zone=public --change-interface=eth0
  3. Set Default Zone:
    • To set the default zone (e.g., to “public”):
    • sudo firewall-cmd --set-default-zone=public

Example Use Case:

Let’s say you have a server that is directly connected to the internet (eth0). You might want to set the zone for eth0 to “public” to apply more restrictive rules. If the server is also connected to an internal network (eth1), you might set the zone for eth1 to “internal” to allow more liberal communication within the internal network.


Firewall zones help define the level of trust and access permissions for different network environments. They allow you to customize firewall rules based on the specific requirements of each scenario, providing an added layer of security for your Linux system.