firewalld ships with a set of predefined zones. I find it helpful to group them together when thinking about them as follows.

The end-user zones

An end-user system like a laptop or workstation would use these zones. public is the default default zone.

home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

The router zones

dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
external
For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

You'd use these if you were configuring a simple internet gateway. external is the only zone that has masquerading enabled by default, it seems you'd put your internet-attached interface in this zone.

The utility zones

block
Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
drop
Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
trusted
All network connections are accepted.

I guess you'd use block and drop for temporary purposes, like if you needed to hook up to a machine that might have been compromised for instance. Or I suppose you could set one of them to be the default zone for interfaces/connections that don't otherwise have a zone.

trusted is a good place to put your internal bridges that your virtual machines or containers are attached to, assuming you're running stuff in them that you... trust. It's the only zone with a target of ACCEPT, which causes its packets to be accepted while traversing the FORWARD_IN_ZONES chain (which happens *before* FORWARD_IN_ZONES is traversed!)


CategoryTechnote

robots.org.uk: FirewalldZones (last edited 2019-09-11 09:01:44 by sam)

© Sam Morris <sam@robots.org.uk>.
Content may be distributed and modified providing this notice is preserved.