How to manage zones on CentOS 7 with firewalld

Jack Wallen shows you how to extend the flexibility of the CentOS 7 firewall with firewalld zones.


Your firewall is a crucial component in preventing unwanted people from gaining access to your data. On a CentOS 7 server, firewalld can serve as your complete host firewall: it manages the kernel's netfilter rules for you (through iptables on CentOS 7) and adds features such as zones, named services and a separation between runtime and permanent configuration that were tedious to build by hand with raw iptables scripts.

One particular concept found in firewalld is that of zones. A zone is a named set of rules (a target policy plus the services, ports and rich rules it allows) that you apply to traffic according to how much you trust the network it arrives from; firewalld ships zones such as home, public and trusted. The relation is one-to-many: a network interface or source address belongs to exactly one zone, but a zone can hold many interfaces and sources. Keep in mind that a zone's name carries no guarantees of its own; what a zone permits is exactly what its rules say, so inspect a zone before relying on it.


There are a number of zones provided by firewalld:

  • drop: All incoming packets are dropped without any reply; only connections initiated from this system (and their replies) are allowed.
  • block: Incoming connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6; only connections initiated from this system are allowed.
  • public: This zone is intended to be used in untrusted public areas. Other computers on this network are not to be trusted, and only selected incoming connections are accepted.
  • external: This zone is intended to be used on external networks with masquerading (NAT) enabled, typically on a router. Only selected incoming connections are accepted.
  • internal: This zone is intended to be used on internal networks when your system acts as a gateway or router. Other systems on this network are generally trusted.
  • dmz: This zone is intended to be used for computers located in your demilitarized zone that will have limited access to the rest of your network. Only selected incoming connections are accepted.
  • work: This zone is intended to be used for work machines. Other systems on this network are generally trusted.
  • home: This zone is intended to be used for home machines. Other systems on this network are generally trusted.
  • trusted: All incoming connections are accepted and every other system is trusted.

You can easily assign an interface to any of these zones. Apart from trusted (accept everything), drop and block (accept nothing), the stock zones differ mainly in which services they allow by default, and external additionally turns on masquerading; so the name tells you the intent, while the zone's rule list tells you what actually gets through. Before assigning anything, though, there is one thing to take care of first.

Installing firewalld

Depending on the image you installed from, firewalld may not be present. To make sure it is installed (yum will simply report it as already installed if it is), open a terminal window and issue the following command:

sudo yum install firewalld

Once that installation completes, start firewalld and enable it so it comes back up at boot with the commands below. If the legacy iptables service package is also installed on the machine, leave its service disabled: two tools rewriting the same netfilter rules is a recipe for rules silently disappearing.

sudo systemctl start firewalld
sudo systemctl enable firewalld

Viewing and changing the zones

The first thing you should do is view the default zone. Issue the command:

sudo firewall-cmd --get-default-zone

You will probably see that the default zone is public. The default zone is the one any interface without an explicit zone assignment falls into. If you want more information about that zone, issue the command:

sudo firewall-cmd --zone=public --list-all

You should see all the pertinent details about the public zone (Figure A).

Figure A

Information about our default zone.
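
The --list-all output is where a zone's real behaviour lives, so it pays to audit every zone rather than only the default one. The script below is an added example written for this article, not code from the firewalld or CentOS projects. It parses the --list-all layout of firewalld 0.4.x/0.6.x as shipped on CentOS 7 (the target:, interfaces:, sources:, services:, ports: and masquerade: lines), then classifies each zone and flags any zone that is bound to an interface or source while its target is ACCEPT, which is what makes the trusted zone dangerous. The FW variable, the parse_zone/field/zone_verdict/audit_zones/demo function names and the embedded SAMPLE_TRUSTED text are this example's own; the sample is constructed, not captured from a real host.

```shell
#!/bin/bash
# Added example for this article (not firewalld's or CentOS's own code):
# audit every firewalld zone and flag the ones that accept everything.
# Assumes the "firewall-cmd --list-all" layout of firewalld 0.4.x/0.6.x as
# shipped on CentOS 7. FW may point at a stub function for testing.
set -u
FW=${FW:-firewall-cmd}

# Constructed sample (not captured from a real host) of what
# "firewall-cmd --zone=trusted --list-all" prints; used by --demo.
SAMPLE_TRUSTED='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# parse_zone: read one zone's --list-all output on stdin and emit
# key=value lines for the fields an audit cares about.
parse_zone() {
    awk '
        NR == 1             { zone = $1 }            # "public (active)" or "public"
        $1 == "target:"     { target = $2 }           # default, ACCEPT, DROP or %%REJECT%%
        $1 == "interfaces:" { $1 = ""; sub(/^ /, ""); ifaces = $0 }
        $1 == "sources:"    { $1 = ""; sub(/^ /, ""); sources = $0 }
        $1 == "services:"   { $1 = ""; sub(/^ /, ""); services = $0 }
        $1 == "ports:"      { $1 = ""; sub(/^ /, ""); ports = $0 }
        $1 == "masquerade:" { masq = $2 }
        END {
            printf "zone=%s\ntarget=%s\ninterfaces=%s\nsources=%s\n", zone, target, ifaces, sources
            printf "services=%s\nports=%s\nmasquerade=%s\n", services, ports, masq
        }'
}

# field PARSED KEY: pull one value back out of parse_zone output.
field() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# zone_verdict PARSED: one line of judgement. An accept-all zone is only a
# live problem when something is bound to it; unbound it is a loaded gun.
zone_verdict() {
    parsed=$1
    target=$(field "$parsed" target)
    bound="$(field "$parsed" interfaces)$(field "$parsed" sources)"
    case "$target" in
        ACCEPT)
            if [ -n "$bound" ]; then
                echo "WIDE-OPEN: accepts everything on interfaces [$(field "$parsed" interfaces)] sources [$(field "$parsed" sources)]"
            else
                echo "unbound: accepts everything, but nothing is assigned to it"
            fi ;;
        DROP|%%REJECT%%)
            echo "closed ($target): only outbound traffic" ;;
        *)
            extra=""
            if [ "$(field "$parsed" masquerade)" = yes ]; then extra=", masquerading"; fi
            echo "filtered: services [$(field "$parsed" services)] ports [$(field "$parsed" ports)]$extra" ;;
    esac
}

# audit_zones: walk every zone on the live system (needs root or the
# firewalld polkit rights) and print a one-line verdict per zone.
audit_zones() {
    for z in $("$FW" --get-zones); do
        parsed=$("$FW" --zone="$z" --list-all | parse_zone)
        printf '%-10s %s\n' "$z" "$(zone_verdict "$parsed")"
    done
}

# demo: run the verdict on the constructed sample, no root needed.
demo() {
    parsed=$(printf '%s\n' "$SAMPLE_TRUSTED" | parse_zone)
    printf '%-10s %s\n' "$(field "$parsed" zone)" "$(zone_verdict "$parsed")"
}

case "${1:-}" in
    --audit) audit_zones ;;   # e.g. sudo ./zoneaudit.sh --audit
    --demo)  demo ;;          # e.g. ./zoneaudit.sh --demo
esac
```

Run it with --audit on a real host and read every WIDE-OPEN line as a question: is the network on that interface really one where every inbound port should be reachable? The parser only looks at the handful of fields a zone-level audit needs; rich rules and forward-ports are left alone, so a zone that looks "filtered" can still be wider than its service list suggests.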


Now let's move an interface into a different zone, say work. This is not the same as changing the default zone: the default zone only governs interfaces that have no explicit assignment, whereas here we bind one specific interface. First, find out which zones your network interface(s) are currently using. For that, issue the command:

sudo firewall-cmd --get-active-zones

You should see something like that found in Figure B.

Figure B

Both eth0 and eth1 are assigned to the public zone.


Let's get a listing of our available zones with the command:

sudo firewall-cmd --get-zones

You should see all zones listed. Let's say you want to change the eth0 interface to the work zone. To do that, issue the command:

sudo firewall-cmd --zone=work --change-interface=eth0

You should see "success" reported. Bear in mind that by default firewall-cmd changes only the running configuration; to keep the binding across a firewall reload or a reboot, repeat the command with the --permanent option. You can now verify the change by again issuing the command:

sudo firewall-cmd --get-active-zones

The eth0 interface is now attached to the work zone (Figure C).

Figure C

Our new zone assignment was a success.


Now that eth0 is in the work zone, traffic arriving on eth0 is filtered by the work zone's rules, which on a stock install open a few more services than public does. Whether that is appropriate depends on what is actually on the far side of eth0, not on the zone's name: a zone called work does nothing to verify that the cable really leads to your office LAN. You can then move eth1 to another zone with the same command.
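Here is the whole procedure as a script, added as an example for this article rather than taken from it or from the firewalld project. It wraps the firewall-cmd options used above plus --get-zone-of-interface, --query-service, --permanent and --set-default-zone (all real firewall-cmd options) in functions that refuse to move an interface into a zone that would not let ssh back in, verify that the runtime change actually took effect, roll back if it did not, and then persist the binding. The FW variable, the FORCE knob and the function names are this example's own. One caveat it cannot check for you: on an interface managed by NetworkManager, firewalld may record the zone on the connection profile rather than in its own configuration; the --permanent step is still harmless there, and --get-zone-of-interface after a reload is the way to confirm the result.

```shell
#!/bin/bash
# Added example for this article (not firewalld's or CentOS's own code):
# bind an interface to a zone the way you would on a remote CentOS 7 box,
# without cutting off your own ssh session and without losing the change at
# the next reload or reboot. FW may point at a stub function for testing.
set -u
FW=${FW:-firewall-cmd}

# zone_target ZONE: print the zone's target (default, ACCEPT, DROP or %%REJECT%%).
zone_target() { "$FW" --zone="$1" --list-all | awk '$1 == "target:" { print $2 }'; }

# zone_allows_ssh ZONE: true if ssh would still get in once the interface is
# in ZONE. A target of ACCEPT (the trusted zone) lets everything in even
# though --query-service=ssh answers "no" for it, so check the target first.
zone_allows_ssh() {
    [ "$(zone_target "$1")" = ACCEPT ] && return 0
    "$FW" --zone="$1" --query-service=ssh >/dev/null 2>&1
}

# move_interface IFACE ZONE: runtime change, verify, then persist.
# Return codes: 2 unknown zone, 3 refused (would drop ssh; FORCE=1 overrides),
# 4 runtime change rejected, 5 runtime change did not take (rolled back),
# 6 permanent change rejected.
move_interface() {
    iface=$1; zone=$2
    "$FW" --get-zones | tr ' ' '\n' | grep -qx "$zone" || { echo "no such zone: $zone" >&2; return 2; }
    if [ "${FORCE:-0}" != 1 ] && ! zone_allows_ssh "$zone"; then
        echo "refusing: zone $zone would not allow ssh on $iface (FORCE=1 to override)" >&2
        return 3
    fi
    # "no zone" is what firewall-cmd reports for an interface it has no binding for
    before=$("$FW" --get-zone-of-interface="$iface" 2>/dev/null || echo "no zone")
    "$FW" --zone="$zone" --change-interface="$iface" >/dev/null || return 4
    after=$("$FW" --get-zone-of-interface="$iface" 2>/dev/null || echo "no zone")
    if [ "$after" != "$zone" ]; then
        echo "runtime change did not take ($iface is in '$after'); rolling back to '$before'" >&2
        if [ "$before" = "no zone" ]; then
            "$FW" --zone="$zone" --remove-interface="$iface" >/dev/null
        else
            "$FW" --zone="$before" --change-interface="$iface" >/dev/null
        fi
        return 5
    fi
    # The runtime binding above is gone after 'firewall-cmd --reload' or a
    # reboot; --permanent writes it to the saved configuration. No reload is
    # needed afterwards because the runtime state already matches.
    "$FW" --permanent --zone="$zone" --change-interface="$iface" >/dev/null || return 6
    echo "$iface: $before -> $zone (runtime and permanent)"
}

# set_default_zone ZONE: the zone that unassigned interfaces fall into.
# Unlike --change-interface, --set-default-zone applies to both the runtime
# and the permanent configuration in one step.
set_default_zone() {
    "$FW" --get-zones | tr ' ' '\n' | grep -qx "$1" || { echo "no such zone: $1" >&2; return 2; }
    "$FW" --set-default-zone="$1" >/dev/null
}

# usage: sudo ./movezone.sh eth0 work
if [ $# -eq 2 ]; then move_interface "$1" "$2"; fi
```

The refusal on a zone without ssh is deliberately conservative: it assumes you are logged in over ssh on the interface you are moving, which is exactly the situation in which a careless --change-interface to drop or block ends the session. Use FORCE=1 from a console or out-of-band session when that is really what you want.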

Easy zone management

And that's how easy it is to manage zones with firewalld. Once you have a solid understanding of what each zone actually allows, you'll know which zone to apply to each interface on your CentOS 7 servers. Anyone looking to add more flexibility to their CentOS 7 server security should consider this a must-have feature.


By Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.