[CentOS] firewalld

Sat Jan 28 11:01:50 UTC 2017
Pete Biggs <pete at biggs.org.uk>

> The zone apparently means something because an interface can only be on one.
> Moving it to a different zone results in the same error (same services/ports
> opened in each zone).

The "zones" are just labels and are used to create kernel iptables.
Each zone has a default set of open and closed ports ranging from
"trusted" which accepts all packets to "public" which has everything
closed. You can modify the allowed ports and services on each zone at

Some of the zones have "special" features - "block" rejects all
packets, "drop" drops all packets, "external" has masquerading turned
on and so on.

If you have a single network, then that interface will, by default, be
put in the "public" zone, so most ports will be closed. That's fine,
just leave it in that zone, it's just a label/container.

You can list the services open in the default zone by doing 

  firewall-cmd --list-services

or for ports not services

  firewall-cmd --list-ports

or for a different zone

  firewall-cmd --zone=public --list-services

You can also find out which zones your interface(s) is in with

  firewall-cmd --get-active-zones

One of the gotchas with firewalld is that the changes are made in
either the current running iptables *or* the stored rules, not both. So
if you make a change to the running rule set, those changes won't be
kept the next time you restart firewalld. You can either use the
'--permanent' flag to set the stored rules (but it won't affect the
active rules) or the '--runtime-to-permanent' flag to copy the current
active rules to the stored ones.

The bottom line is that firewalld is just another application that
manipulates the kernel packet routing tables. Use something else if you
prefer it - some of the system tools assume firewalld, but if you are
aware of what's happening it shouldn't be an issue.

> I may as well disable firewalld and let my router handle the firewall.

If you are happy that there is nothing behind your firewall that could
cause a problem then that's an acceptable route.
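An added example, not part of Pete's message, that turns the runtime-vs-permanent gotcha into a check: it compares the two service lists for a zone and reports what a `firewall-cmd --reload` would silently drop or activate. The two sample lists are constructed stand-ins for firewall-cmd output; `check_zone` calls the real `firewall-cmd` only where it is installed.

```shell
#!/bin/sh
# Constructed sample output, standing in for
#   firewall-cmd --zone=public --list-services              (runtime)
#   firewall-cmd --zone=public --permanent --list-services  (stored)
RUNTIME_SAMPLE="ssh dhcpv6-client http https"
PERMANENT_SAMPLE="ssh dhcpv6-client cockpit"

# only_in A B: print the space-separated items of A that do not occur in B.
# Pure string work, so it runs on any box without firewalld.
only_in() {
  out=""
  for item in $1; do
    found=0
    for other in $2; do [ "$item" = "$other" ] && found=1; done
    [ "$found" -eq 0 ] && out="$out $item"
  done
  printf '%s\n' "${out# }"
  return 0
}

# report_drift RUNTIME PERMANENT: say what a reload would change.
# Returns 0 when both rule sets agree, 1 when they have drifted apart.
report_drift() {
  lost=$(only_in "$1" "$2")       # opened at runtime only: gone after reload
  pending=$(only_in "$2" "$1")    # stored only: not yet active
  [ -n "$lost" ]    && printf 'runtime only (lost on reload): %s\n' "$lost"
  [ -n "$pending" ] && printf 'permanent only (not active yet): %s\n' "$pending"
  [ -z "$lost$pending" ]
}

# check_zone [ZONE]: run the comparison against the live firewalld
# (needs root or polkit rights). Returns 2 if firewall-cmd is unavailable.
check_zone() {
  zone=${1:-public}
  command -v firewall-cmd >/dev/null 2>&1 || return 2
  run=$(firewall-cmd --zone="$zone" --list-services) || return 2
  perm=$(firewall-cmd --zone="$zone" --permanent --list-services) || return 2
  report_drift "$run" "$perm"
}

# Demo on the constructed lists: http/https would vanish on reload,
# cockpit would appear.
if ! report_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"; then
  echo "zone 'public' would change on reload; run --runtime-to-permanent first if the runtime set is the one you want"
fi
```

On a real host, `check_zone public` (as root) gives the same report for the live configuration.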