I've been struggling through some weird (to me) firewalld errors but am now seeing the firewall behavior I'd like. But, baffling to me, what works seems to be a mix of both the drop zone and the trusted
```
[root@douglasii ~]# firewall-cmd --get-active-zones
drop
  interfaces: eth0 veth879317c vethaff7c39 vethb2fec6e
trusted
  sources: 192.168.0.0/16
[root@douglasii ~]# firewall-cmd --zone=drop --list-all
drop (default, active)
  interfaces: eth0 veth879317c vethaff7c39 vethb2fec6e
  sources:
  services: ssh
  ports: 443/tcp 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
[root@douglasii ~]# firewall-cmd --zone=trusted --list-all
trusted
  interfaces:
  sources: 192.168.0.0/16
  services: ssh
  ports: 443/tcp 80/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
```
I was under the impression that you set zones one at a time using set-default-zone. I see whichever one I do that for gets the "active" label. Is that not the case? Can multiple firewalld zones be active at any given time? Do they all apply at the same time? What is a default zone? It's not clear to me from reading the docs on FirewallD.
From my recent experience, you can have
So if you have multiple interfaces you can assign each to its own zone or all interfaces to one zone, manipulate individual zones (thereby the interfaces) independently, and still have a default zone different from what the interfaces are assigned. The default zone I believe would come in handy to catch an interface that's not been assigned to any zone.
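To make the "which zone applies" question concrete, here is an added example (not from the question or the answer) that parses the `--get-active-zones` listing shown above and resolves the zone firewalld would use for a packet: source bindings are checked before interface bindings, and an interface bound to no zone falls through to the default zone. The listing is embedded as constructed sample text, and the longest-prefix tie-break for overlapping sources is an assumption of this model, not firewalld's documented behavior.

```python
import ipaddress

# Constructed sample: the `firewall-cmd --get-active-zones` output from the
# question (interface names and the 192.168.0.0/16 source are the page's own).
ACTIVE_ZONES = """\
drop
  interfaces: eth0 veth879317c vethaff7c39 vethb2fec6e
trusted
  sources: 192.168.0.0/16
"""


def parse_active_zones(text):
    """Return {zone: {"interfaces": [...], "sources": [...]}} from the listing."""
    zones, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):          # unindented line = zone name
            current = line.strip()
            zones[current] = {"interfaces": [], "sources": []}
        else:                                  # indented "key: v1 v2 ..." line
            key, _, values = line.strip().partition(":")
            zones[current][key] = values.split()
    return zones


def resolve_zone(zones, iface, src_ip, default_zone):
    """Zone firewalld applies to a packet arriving on `iface` from `src_ip`.

    Order: a matching source binding wins over an interface binding; an
    interface bound to no zone lands in the default zone. Longest prefix
    breaks ties between overlapping sources (assumption for this model).
    """
    ip = ipaddress.ip_address(src_ip)
    best = None
    for name, z in zones.items():
        for net in z["sources"]:
            n = ipaddress.ip_network(net, strict=False)
            if ip in n and (best is None or n.prefixlen > best[1]):
                best = (name, n.prefixlen)
    if best:
        return best[0]
    for name, z in zones.items():
        if iface in z["interfaces"]:
            return name
    return default_zone
```

With the page's configuration, a LAN client on eth0 is handled by `trusted` even though eth0 is bound to `drop`, while an unbound interface such as a new container veth gets the default zone.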