> -----Original Message-----
> From: CentOS [mailto:centos-bounces at centos.org] On Behalf Of Pete Biggs
> Sent: Saturday, January 28, 2017 6:02 AM
> To: centos at centos.org
> Subject: Re: [CentOS] firewalld
>
> > The zone apparently means something because an interface can only be on
> > one. Moving it to a different zone results in the same error (same
> > services/ports opened in each zone).
>
> The "zones" are just labels and are used to create kernel iptables.
> Each zone has a default set of open and closed ports ranging from "trusted"
> which accepts all packets to "public" which has everything closed. You can
> modify the allowed ports and services on each zone at will.
>
> Some of the zones have "special" features - "block" rejects all packets,
> "drop" drops all packets, "external" has masquerading turned on and so on.
>
> If you have a single network, then that interface will, by default, be put in the
> "public" zone, so most ports will be closed. That's fine, just leave it in that
> zone, it's just a label/container.
>
> You can list the services open in the default zone by doing
>
> firewall-cmd --list-services
>
> or for ports not services
>
> firewall-cmd --list-ports
>
> or for a different zone
>
> firewall-cmd --zone=public --list-services
>
> You can also find out which zones your interface(s) is in with
>
> firewall-cmd --get-active-zones
>
> One of the gotchas with firewalld is that the changes are made in either the
> current running iptables *or* the stored rules, not both. So if you make a
> change to the running rule set, those changes won't be kept the next time
> you restart firewalld. You can either use the '--permanent' flag to set the
> stored rules (but it won't affect the active rules) or the
> '--runtime-to-permanent' flag to copy the current active rules to the
> stored ones.
>
> The bottom line is that firewalld is just another application that manipulates
> the kernel packet routing tables. Use something else if you prefer it - some
> of the system tools assume firewalld, but if you are aware of what's
> happening it shouldn't be an issue.
>
> > I may as well disable firewalld and let my router handle the firewall.
>
> If you are happy that there is nothing behind your firewall that could cause a
> problem then that's an acceptable route.
>
> P.

Thanks, that's a better explanation of things than I have read so far.

Yes, initially I wasn't adding the --permanent to the rules but I wasn't doing
really any reboots. I did a few --reloads so that may have gotten me.

I have zoneminder, dns, and urbackup working. I can ssh and scp in from work
but mail is being a pain.

Thanks
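The runtime-versus-permanent gotcha described in the quoted reply is easy to check for before a reload or restart surprises you. The POSIX sh script below is an added example and not part of the thread: it uses the firewall-cmd invocations quoted above (--list-services, --list-ports, --get-active-zones, plus --permanent) to compare the running and stored service and port lists of every active zone, and reports entries that exist only at runtime (lost on the next reload) or only in the stored rules (not yet active). The drift_lines helper, the check_zone/check_all_zones function names, the --live switch and the sample lists are all constructed for this example; only the --live path needs firewall-cmd installed.

```shell
#!/bin/sh
# Added example, not from the CentOS thread: report drift between firewalld's
# runtime and permanent configuration, i.e. services or ports that were
# opened without --permanent (lost on the next reload/restart) or added with
# --permanent but never loaded into the running rules.
# Only the --live path needs firewall-cmd; the helper is plain text processing.

# drift_lines RUNTIME_LIST PERMANENT_LIST
# Both arguments are whitespace-separated lists, as printed by
# "firewall-cmd --list-services" / "--list-ports". Prints one line per
# difference: "+item" for runtime-only entries, "-item" for permanent-only
# entries. Prints nothing when the lists agree (order does not matter).
drift_lines() {
    # Re-join each list with single spaces and pad it so that the patterns
    # below match whole items only ("ssh" must not match "sshd").
    rt_list=" $(printf '%s ' $1)"
    pm_list=" $(printf '%s ' $2)"
    for item in $1; do
        case "$pm_list" in *" $item "*) ;; *) printf '%s\n' "+$item" ;; esac
    done
    for item in $2; do
        case "$rt_list" in *" $item "*) ;; *) printf '%s\n' "-$item" ;; esac
    done
}

# check_zone ZONE: compare runtime vs permanent services and ports of ZONE.
# Returns 0 when they agree, 1 when drift was found (and printed).
check_zone() {
    zone=$1
    rc=0
    for what in services ports; do
        live=$(firewall-cmd --zone="$zone" "--list-$what")
        stored=$(firewall-cmd --permanent --zone="$zone" "--list-$what")
        diff_out=$(drift_lines "$live" "$stored")
        if [ -n "$diff_out" ]; then
            echo "zone $zone ($what): runtime and permanent differ"
            printf '%s\n' "$diff_out" | sed 's/^/  /'
            rc=1
        fi
    done
    return $rc
}

# Walk every active zone (zone names are the unindented lines of
# "firewall-cmd --get-active-zones"; the indented lines list interfaces).
check_all_zones() {
    command -v firewall-cmd >/dev/null 2>&1 || {
        echo "firewall-cmd not found" >&2
        return 2
    }
    status=0
    for zone in $(firewall-cmd --get-active-zones | grep -v '^ '); do
        check_zone "$zone" || status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "runtime and permanent configuration agree in all active zones"
    else
        echo "drift found: 'firewall-cmd --runtime-to-permanent' keeps the" \
             "runtime changes, 'firewall-cmd --reload' discards them"
    fi
    return $status
}

# Constructed sample lists (not real output): http was opened without
# --permanent, https was added with --permanent but never reloaded.
SAMPLE_RUNTIME="ssh dhcpv6-client http"
SAMPLE_PERMANENT="ssh dhcpv6-client https"

if [ "${1:-}" = "--live" ]; then
    check_all_zones
else
    echo "sample drift, runtime vs permanent ('+' is lost on reload, '-' is not yet active):"
    drift_lines "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" | sed 's/^/  /'
fi
```

Run it without arguments to see the constructed sample, or as `sh firewalld-drift.sh --live` on a firewalld host (as root, since firewall-cmd talks to the daemon over D-Bus). A non-zero exit from the live check is the signal that a recent change still needs either `--runtime-to-permanent` or a `--permanent` re-application before the next reload.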