[LINUX] Easy firewalld configuration with multi-zone


The other day I wrote the article "Allow ssh only for specific IP addresses with firewalld" (https://qiita.com/kimisyo/items/553d8879808834077fb1), but handling it with the --add-rich-rule option felt like a brute-force special-case rule, and that bothered me. firewalld is a relatively new tool that succeeds iptables, and there should be a more elegant way to do this.

After some investigation, it turned out there is. It is called the **multi-zone** feature. I found that it lets you configure things quite flexibly and efficiently, so I would like to share what I looked into.


Benefits of Firewalld

First, let's review what firewalld is good at. According to reference [1], the advantages of firewalld over iptables are:

- Rules such as deny and allow can be defined per zone, where a zone is defined by source IP addresses and/or network interfaces.
- Simpler syntax, because you can specify a service name instead of a port and protocol.
- You do not have to worry about the order of rules as you do with iptables.
- The reload function lets you change settings interactively, for example applying a change only temporarily.

So the key is to make good use of **zones**. Incidentally, my previous article forced its rule into the public zone.

What is a zone

Next, let's look at zones. Reference [1] again shows that **Interface** and **Source** are the important concepts for understanding zones.

Interface

- An interface is the system name of a hardware or virtual network adapter.
- Every active interface is assigned either to the default zone or to a zone specified by the user.
- An interface **cannot** be assigned to more than one zone.
- By default, firewalld associates all interfaces with the public zone and assigns no Source to any zone. As a result, the public zone is the **only** active zone.

Source

- A Source is a range of source IP addresses, and it can also be assigned to a zone.
- A Source **cannot** be assigned to more than one zone, because then it would be impossible to tell which zone's rules should apply to it.
- A packet's source address does not always match a Source in some zone. In that case the packet is processed according to a priority order, described below.

I have not explained what a zone itself is, but hopefully you get the rough idea.

So what is multi-zone?

Multi-zone is the term used in reference [1]. In short, think of it as a way of setting rules using **multiple active zones** instead of a single one.

According to reference [1], the rules firewalld applies in a multi-zone configuration are roughly as follows. (Note: this is a condensed summary. For the exact behaviour, see reference [1] or the firewalld manual.)

- An active zone plays a different role depending on whether it is associated with an interface or with a Source; a single zone can play both roles.
- firewalld processes a packet in the following order:

  1. If some zone has a Source matching the packet's source address (there may be none), and that zone handles the packet (a rich rule matches, the service is whitelisted, and so on), processing ends there. If not, go to the next step.
  2. If the zone associated with the interface the packet arrived on handles it, processing ends. If not, go to the next step.
  3. firewalld's default action applies: ICMP packets are accepted and everything else is rejected.

The important point is that the Source zone takes precedence over the Interface zone. A common design pattern for multi-zone configurations is therefore to allow specific IPs to reach specific services in Source zones, and to restrict everyone else in the Interface zone. One caveat for newer installations: firewalld 1.0 changed the meaning of a zone's default target so that it behaves like reject (except that ICMP is still accepted). With such a version, a packet that matches a Source zone but none of its rules is no longer passed on to the Interface zone, so a Source zone must itself allow every service its hosts need, including the ones the Interface zone allows to everyone.

Let's try with a pseudo configuration

Now let's try it on the following example.

Network configuration

This time I will work with the following configuration.


Here is an overview.

- The WEB server (highlighted in the diagram) is the server whose firewalld we configure this time.
- The WEB server provides services to the Internet over http/https.
- The backup server backs up the WEB server's system, and for that it accesses the MySQL server and NFS server running on the WEB server.
- The maintenance terminal is used to maintain the WEB server and connects to it over ssh.
- (You may object that the backup server should not be connecting into the DMZ, or that the global IP address is wrong, but I want to keep things simple this time.)

Firewalld rules you want to realize

Writing this out in sentences would be ambiguous, so here is a table of the packets the WEB server should allow.

| sender | protocol (service) | zone name | zone role |
|---|---|---|---|
| ANY | http, https | public | Interface zone |
| backup server | mysql, nfs | share | Source zone |
| maintenance terminal | ssh | mainte | Source zone |

Everything not listed above is rejected. The table already has "zone name" and "zone role" columns with zones named public, share and mainte; from here on we actually configure these **multiple zones** so that they implement the rules above.

Public zone settings

The public zone already exists, so we modify its default settings.

firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
firewall-cmd --permanent --zone=public --remove-service=cockpit
firewall-cmd --permanent --zone=public --remove-service=ssh
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --set-target=DROP
firewall-cmd --reload

- The first three lines remove services that were included in the public zone by default (if yours does not have them, ignore those lines).
- The 4th and 5th lines allow http and https for everyone.
- The 6th line is the countermeasure for ssh. Setting the zone target to DROP instead of REJECT (firewalld's targets are ACCEPT, DROP, %%REJECT%% and default; there is no DENY) means that connection attempts from IPs outside the permitted zones, such as ssh from the Internet, are silently discarded rather than answered with an ICMP error, which reference [1] regards as the safer choice. (Note that this also prevents pinging the server, because a zone with target DROP no longer accepts ICMP; see reference [1] for a workaround.)
- One practical caveat: if you are configuring the server over ssh, set up the mainte zone described below before running the public zone commands, or at least before --reload. Removing ssh from public and reloading while no other zone allows ssh locks you out.

mainte zone settings

The mainte zone does not exist by default, so create it first and then configure it.

firewall-cmd --permanent --new-zone=mainte
firewall-cmd --permanent --zone=mainte --add-service=ssh
firewall-cmd --permanent --zone=mainte --add-source=
firewall-cmd --reload

The second line allows the ssh service, and the third line adds the maintenance terminal's IP address as a permitted source. (--add-source accepts a single address or an address/prefix range such as a /24, so a whole maintenance network can be permitted in one line.)

share zone settings

The share zone does not exist by default either, so create it and then configure it.

firewall-cmd --permanent --new-zone=share
firewall-cmd --permanent --zone=share --add-port=2049/tcp
firewall-cmd --permanent --zone=share --add-port=3306/tcp
firewall-cmd --permanent --zone=share --add-source=
firewall-cmd --reload

The 2nd and 3rd lines permit the nfs and mysql ports, and the 4th line adds the backup server's IP address as a permitted source. Two notes: firewalld ships predefined nfs and mysql services, so --add-service=nfs --add-service=mysql expresses the same intent by name (check the definition with firewall-cmd --info-service=nfs, since it may also open 2049/udp); and 2049 alone is sufficient only for NFSv4, because NFSv3 additionally needs rpcbind (111) and the mountd/lockd ports.


First, let's run nmap against the WEB server from the maintenance terminal.

[[email protected] ~]$ nmap
Starting Nmap 7.70 ( https://nmap.org ) at 2020-10-25 20:59 JST
Nmap scan report for
Host is up (0.00063s latency).
Not shown: 997 filtered ports
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https

Sure enough, ssh is open in addition to the http/https ports, while nfs and mysql are not (nmap reports them as filtered because the server sends no reply, which is exactly what the DROP target does).

Next, let's run nmap from the backup server.

(base) [email protected]:~$ nmap
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-25 11:59 UTC
Nmap scan report for
Host is up (0.0011s latency).
Not shown: 996 filtered ports
80/tcp   open  http
443/tcp  open  https
2049/tcp open  nfs
3306/tcp open  mysql

In addition to the http/https ports, 2049/tcp and 3306/tcp are open, while ssh is not.
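As an added check, and not code from the original post or from firewalld itself, the following Python script models the zone lookup order from the "So what is multi-zone?" section and applies it to the public/mainte/share configuration above, reproducing the two nmap results plus the view from an arbitrary Internet host. The IP addresses (RFC 5737 documentation ranges) and the interface name eth0 are constructed placeholders, since the post does not show the real ones. The `fallthrough` switch is an assumption based on the firewalld 1.0 release notes: with it off, a Source zone's default target behaves like reject and no longer hands unmatched packets to the Interface zone.

```python
"""Model of firewalld's zone lookup for the public/mainte/share setup.

Added example; it is not the post's code and not firewalld's. It implements
only the order the post describes: Source zone, then Interface zone, then the
built-in default (ICMP accepted, everything else rejected). A zone with an
explicit target (DROP here) ends evaluation; a zone with the default target
accepts ICMP and, before firewalld 1.0, passes anything else to the next zone.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Service name -> (protocol, port) for the services this post uses.
# firewalld's own service files define these; the table is reproduced here
# so the script runs without firewalld installed.
SERVICES = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}


@dataclass
class Zone:
    name: str
    target: str = "default"                       # default | ACCEPT | DROP | REJECT
    interfaces: set = field(default_factory=set)  # Interface zone binding
    sources: list = field(default_factory=list)   # Source zone binding (ip_network)
    services: set = field(default_factory=set)
    ports: set = field(default_factory=set)       # (proto, port) pairs

    def allows(self, proto, port):
        if (proto, port) in self.ports:
            return True
        return any(SERVICES.get(s) == (proto, port) for s in self.services)

    def matches_source(self, src):
        return any(src in net for net in self.sources)


def evaluate(zones, src, iface, proto, port, fallthrough=True):
    """Return (verdict, deciding zone) for one inbound packet.

    fallthrough=True : pre-1.0 behaviour the post observed (a Source zone with
                       the default target hands unmatched packets on to the
                       Interface zone).
    fallthrough=False: firewalld 1.0+, where the default target behaves like
                       reject except for ICMP (assumption, see lead-in).
    """
    src = ip_address(src)
    source_zones = [z for z in zones if z.matches_source(src)]
    iface_zones = [z for z in zones if iface in z.interfaces]
    for zone in source_zones + iface_zones:       # Source zones take precedence
        if zone.allows(proto, port):
            return "ACCEPT", zone.name
        if zone.target != "default":              # explicit target is final
            return zone.target, zone.name
        if proto == "icmp":                       # default target accepts ICMP
            return "ACCEPT", zone.name
        if not fallthrough:
            return "REJECT", zone.name
    # No zone decided: firewalld's built-in default action.
    return ("ACCEPT" if proto == "icmp" else "REJECT"), "(default)"


def page_zones():
    """The three zones from this post. Addresses are constructed placeholders
    (RFC 5737 documentation ranges); the post elides the real ones."""
    public = Zone("public", target="DROP", interfaces={"eth0"},
                  services={"http", "https"})
    mainte = Zone("mainte", sources=[ip_network("203.0.113.10/32")],
                  services={"ssh"})
    share = Zone("share", sources=[ip_network("198.51.100.20/32")],
                 ports={("tcp", 2049), ("tcp", 3306)})
    return [public, mainte, share]


PORTS = (22, 80, 443, 2049, 3306)


def scan(zones, src, iface="eth0", fallthrough=True):
    """Ports from PORTS that src can reach, i.e. what nmap would list as open."""
    return sorted(p for p in PORTS
                  if evaluate(zones, src, iface, "tcp", p, fallthrough)[0] == "ACCEPT")


if __name__ == "__main__":
    zones = page_zones()
    for who, ip in (("maintenance terminal", "203.0.113.10"),
                    ("backup server", "198.51.100.20"),
                    ("any other host", "192.0.2.77")):
        print(f"{who:21} {ip:14} open: {scan(zones, ip)}"
              f"   firewalld 1.0+: {scan(zones, ip, fallthrough=False)}")
```

Run as-is, the maintenance terminal sees 22, 80 and 443, the backup server sees 80, 443, 2049 and 3306, and any other host sees only 80 and 443, matching the two scans above. With `fallthrough=False` the maintenance terminal is left with port 22 only, which is why, on firewalld 1.0 or later, the mainte and share zones would also need http/https added if those hosts are expected to reach the web service.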

In conclusion

Finally, I will summarize the merits of multi-zone that I actually experienced.

- With a single zone, when there are many combinations of protocol (service) and source IP address, changing a service or a source IP has a large impact. With multi-zone, adding a service or a source to the relevant zone is all it takes. For example, to add another maintenance terminal in this example, one more line of the form firewall-cmd --permanent --zone=mainte --add-source= with the new terminal's address (followed by --reload) is enough.
- As reference [1] mentions, you can easily shut out specific IPs that are behaving abusively. Concretely, create a zone whose target is DROP (firewalld already ships one named drop) and add the offending IP to it with --add-source.
- Permitted services can be added to or removed from a whole group of source IPs in a zone at once.
- The flexibility is practically unlimited. For details, see the references and the firewalld documentation.

