Using firewalld to create zones with subnets on CentOS 7

Configuration

Remove the default services (and masquerading) from the built-in zones

firewall-cmd --permanent --zone=home --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=home --remove-service=ipp-client
firewall-cmd --permanent --zone=home --remove-service=mdns
firewall-cmd --permanent --zone=home --remove-service=samba-client
firewall-cmd --permanent --zone=home --remove-service=ssh
firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=internal --remove-service=ipp-client
firewall-cmd --permanent --zone=internal --remove-service=mdns
firewall-cmd --permanent --zone=internal --remove-service=samba-client
firewall-cmd --permanent --zone=internal --remove-service=ssh
firewall-cmd --permanent --zone=work --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=work --remove-service=ipp-client
firewall-cmd --permanent --zone=work --remove-service=ssh
firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-service=ssh
firewall-cmd --permanent --zone=external --remove-masquerade
firewall-cmd --permanent --zone=dmz --remove-service=ssh

Create new zones

firewall-cmd --permanent --new-zone=management
firewall-cmd --permanent --new-zone=local

Add subnets to zones

firewall-cmd --permanent --zone=public --add-source=0.0.0.0/0
firewall-cmd --permanent --zone=public --add-source=::/0
firewall-cmd --permanent --zone=dmz --add-source=185.106.153.224/29
firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:400::/64
firewall-cmd --permanent --zone=dmz --add-source=192.168.10.0/24
firewall-cmd --permanent --zone=dmz --add-source=2a02:22a0:bbb7:401::/64
firewall-cmd --permanent --zone=local --add-source=172.16.3.0/24
firewall-cmd --permanent --zone=local --add-source=2a02:22a0:bbb7:403::/64
firewall-cmd --permanent --zone=management --add-source=172.16.2.0/24
firewall-cmd --permanent --zone=management --add-source=2a02:22a0:bbb7:402::/64
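
A small offline audit of the zone/source map above, written as an added example (not part of the original page): it reports which zones claim a given source address, most specific prefix first, and which zone pairs have overlapping sources. The subnets are the ones added above; the test addresses are constructed.

```python
"""Audit firewalld zone sources for overlap.

firewalld places a packet in a zone by its source address, so it is
worth knowing which zones claim overlapping ranges before --reload.
Here the public catch-all (0.0.0.0/0 and ::/0) overlaps every other zone.
"""
from ipaddress import ip_address, ip_network

# Zone -> sources, exactly as added with --add-source in the section above.
ZONE_SOURCES = {
    "public": ["0.0.0.0/0", "::/0"],
    "dmz": ["185.106.153.224/29", "2a02:22a0:bbb7:400::/64",
            "192.168.10.0/24", "2a02:22a0:bbb7:401::/64"],
    "local": ["172.16.3.0/24", "2a02:22a0:bbb7:403::/64"],
    "management": ["172.16.2.0/24", "2a02:22a0:bbb7:402::/64"],
}


def parse_sources(zone_sources):
    """Return [(zone, network), ...]; strict=True rejects host bits in a prefix."""
    return [(zone, ip_network(src, strict=True))
            for zone, srcs in zone_sources.items() for src in srcs]


def matching_zones(addr, zone_sources):
    """Zones whose sources contain addr, ordered from most to least specific."""
    a = ip_address(addr)
    hits = [(zone, net) for zone, net in parse_sources(zone_sources)
            if net.version == a.version and a in net]
    hits.sort(key=lambda zn: zn[1].prefixlen, reverse=True)
    return [zone for zone, _ in hits]


def overlapping_zones(zone_sources):
    """Sorted list of zone pairs that claim overlapping source ranges."""
    nets = parse_sources(zone_sources)
    pairs = set()
    for i, (z1, n1) in enumerate(nets):
        for z2, n2 in nets[i + 1:]:
            if z1 != z2 and n1.version == n2.version and n1.overlaps(n2):
                pairs.add(tuple(sorted((z1, z2))))
    return sorted(pairs)


if __name__ == "__main__":
    for host in ("172.16.2.5", "2a02:22a0:bbb7:401::10", "203.0.113.7"):
        print(host, "->", matching_zones(host, ZONE_SOURCES))
    print("overlapping zone pairs:", overlapping_zones(ZONE_SOURCES))
```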

Create additional services

Create the file /etc/firewalld/services/check-mk-agent.xml with the following content:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>check-mk-agent</short>
  <description>Check_MK Agent</description>
  <port protocol="tcp" port="6556"/>
</service>

Enable services on zones

firewall-cmd --permanent --zone=management --add-service=ssh
firewall-cmd --permanent --zone=local --add-service=ssh
firewall-cmd --permanent --zone=management --add-rich-rule='rule family="ipv4" source address="172.16.4.14" service name="check-mk-agent" accept'
firewall-cmd --permanent --zone=management --add-rich-rule='rule family="ipv6" source address="2a00:1630:59:4::14" service name="check-mk-agent" accept'

Set default zone

firewall-cmd --set-default-zone=public

Examples

Web server

A web server that accepts connections to the http and https services only from sources matched into the dmz and local zones. Remember that sources matched into any zone other than dmz and local cannot reach the http and https services.

firewall-cmd --permanent --zone=local --add-service=http
firewall-cmd --permanent --zone=local --add-service=https
firewall-cmd --permanent --zone=dmz --add-service=http
firewall-cmd --permanent --zone=dmz --add-service=https
firewalld-zones-centos7.txt · Last modified: by herwarth