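#!/usr/bin/env bash
# Using firewalld to create zones with subnets on CentOS 7
#
# Every change below is made with --permanent, so nothing takes effect until
# the final `firewall-cmd --reload`. Because ssh is removed from every stock
# zone and only re-added for "management" and "local", make sure the host you
# administer from sits in one of those subnets *before* reloading, or the
# reload will lock you out.
set -euo pipefail

#######################################
# Run firewall-cmd against the permanent configuration.
# Arguments: any firewall-cmd options/arguments
# Returns:   firewall-cmd's exit status
#######################################
perm() {
  firewall-cmd --permanent "$@"
}

# ---- Remove all default rules ---------------------------------------------
# Strip the services the stock zones allow so that only what is added below
# is reachable.
for zone in home internal; do
  for svc in dhcpv6-client ipp-client mdns samba-client ssh; do
    perm --zone="$zone" --remove-service="$svc"
  done
done
for svc in dhcpv6-client ipp-client ssh; do
  perm --zone=work --remove-service="$svc"
done
for svc in dhcpv6-client ssh; do
  perm --zone=public --remove-service="$svc"
done
perm --zone=external --remove-service=ssh
perm --zone=external --remove-masquerade   # no NAT through this host
perm --zone=dmz --remove-service=ssh

# ---- Create new zones -----------------------------------------------------
perm --new-zone=management
perm --new-zone=local

# ---- Add subnets to zones -------------------------------------------------
# NOTE(review): "public" is also made the default zone below, which already
# catches every packet not matched by a more specific source or interface,
# so the two catch-all sources are redundant. firewalld does not do
# longest-prefix matching across zones; after reloading, confirm with
# `firewall-cmd --get-active-zones` that the dmz/local/management sources
# still win over the catch-all.
perm --zone=public --add-source=0.0.0.0/0
perm --zone=public --add-source=::/0
perm --zone=dmz --add-source=185.106.153.224/29
perm --zone=dmz --add-source=2a02:22a0:bbb7:400::/64
perm --zone=dmz --add-source=192.168.10.0/24
perm --zone=dmz --add-source=2a02:22a0:bbb7:401::/64
perm --zone=local --add-source=172.16.3.0/24
perm --zone=local --add-source=2a02:22a0:bbb7:403::/64
perm --zone=management --add-source=172.16.2.0/24
perm --zone=management --add-source=2a02:22a0:bbb7:402::/64

# ---- Create additional services -------------------------------------------
# The rich rules below reference a service named "check-mk-agent", which is
# not shipped with firewalld and must be defined first.
perm --new-service=check-mk-agent
perm --service=check-mk-agent --set-description="Check_MK Agent"
# TCP 6556 is the Check_MK agent's default listening port; adjust if your
# agent is configured differently.
perm --service=check-mk-agent --add-port=6556/tcp

# ---- Enable services on zones ---------------------------------------------
perm --zone=management --add-service=ssh
perm --zone=local --add-service=ssh
# Only the monitoring hosts may reach the agent. The rich rule is single-quoted
# so its inner double quotes reach firewall-cmd intact.
perm --zone=management --add-rich-rule='rule family="ipv4" source address="172.16.4.14" service name="check-mk-agent" accept'
perm --zone=management --add-rich-rule='rule family="ipv6" source address="2a00:1630:59:4::14" service name="check-mk-agent" accept'

# ---- Set default zone -----------------------------------------------------
# --set-default-zone changes both runtime and permanent configuration.
firewall-cmd --set-default-zone=public

# Apply the permanent configuration built above.
firewall-cmd --reload

# ---- Examples -------------------------------------------------------------
#######################################
# Web server: allow http and https from the dmz and local zones.
# Sources in any zone other than dmz and local cannot reach http/https.
# Not invoked by default; call it and reload when needed.
#######################################
allow_web_server() {
  local zone
  for zone in local dmz; do
    perm --zone="$zone" --add-service=http
    perm --zone="$zone" --add-service=https
  done
}

# {{tag>centos}}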