Firewalld on RHEL 7

The following was taken from https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations

A Practical Multi-Zoned Example

Suppose you are setting up a firewall for a server at your organization. You want the entire world to have http and https access, your organization (1.1.0.0/16) and workgroup (1.1.1.0/8) to have ssh access, and your workgroup to have samba access. Using zones in firewalld, you can set up this configuration in an intuitive manner.

Given the naming, it seems logical to commandeer the public zone for your world-wide purposes and the internal zone for local use. Start by replacing the dhcpv6-client and ssh services in the public zone with http and https:

    firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client
    firewall-cmd --permanent --zone=public --remove-service=ssh
    firewall-cmd --permanent --zone=public --add-service=http
    firewall-cmd --permanent --zone=public --add-service=https

Then trim mdns, samba-client and dhcpv6-client out of the internal zone (leaving only ssh) and add your organization as the source:

    firewall-cmd --permanent --zone=internal --remove-service=mdns
    firewall-cmd --permanent --zone=internal --remove-service=samba-client
    firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client
    firewall-cmd --permanent --zone=internal --add-source=1.1.0.0/16

To accommodate your elevated workgroup samba privileges, add a rich rule:

    firewall-cmd --permanent --zone=internal --add-rich-rule='rule family=ipv4 source address="1.1.1.0/8" service name="samba" accept'

Finally, reload, pulling the changes into the active session:

    firewall-cmd --reload

This setup demonstrates a three-layer nested firewall. The outermost layer, public, is an interface zone and spans the entire world. The next layer, internal, is a source zone and spans your organization, which is a subset of public. Finally, a rich rule adds the innermost layer spanning your workgroup, which is a subset of internal.

The take-away message here is that when a scenario can be broken into nested layers, the broadest layer should use an interface zone, the next layer should use a source zone, and additional layers should use rich rules within the source zone.
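To make the nesting concrete, here is an added example (not from the Linux Journal article and not firewalld's own code) that models the finished policy in Python. It reproduces two firewalld properties the layering relies on: each incoming packet is bound to exactly one zone, with source-bound zones tried before the interface zone, and only that zone's rich rules and services are evaluated, so a packet from the organization is never also checked against public. Zone names, services and networks are the page's; the sample client addresses and the helper names (`zone_for`, `allowed`, `is_canonical`) are constructed for the illustration. The `is_canonical` check is a lint worth running before committing sources: the page's 1.1.1.0/8 has host bits set in its address, so Python's strict `ip_network` rejects it, and the model masks it with `strict=False` in order to run with the values exactly as written.

```python
"""Constructed model of the three-layer firewalld policy built above.

Added illustration, not firewalld code. It mimics zone selection
(source zones first, then the interface zone) and per-zone evaluation
(rich rules, then the zone's service list) for the page's configuration.
"""
import ipaddress
from dataclasses import dataclass, field

# CIDRs exactly as written on the page.
ORG_CIDR = "1.1.0.0/16"
WORKGROUP_CIDR = "1.1.1.0/8"


def is_canonical(cidr):
    """Lint: True if the address part has no host bits set (strict parse)."""
    try:
        ipaddress.ip_network(cidr)  # strict=True by default
        return True
    except ValueError:
        return False


def net(cidr):
    # strict=False masks set host bits; "1.1.1.0/8" is normalised to 1.0.0.0/8.
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class RichRule:
    source: ipaddress.IPv4Network
    service: str
    action: str = "accept"


@dataclass
class Zone:
    name: str
    services: set
    sources: list = field(default_factory=list)      # non-empty => source zone
    rich_rules: list = field(default_factory=list)


# Outer layer: interface zone, reachable from anywhere, http/https only.
PUBLIC = Zone("public", {"http", "https"})
# Middle layer: source zone for the organisation, ssh only, plus the
# innermost layer as a rich rule granting samba to the workgroup.
INTERNAL = Zone(
    "internal",
    {"ssh"},
    sources=[net(ORG_CIDR)],
    rich_rules=[RichRule(net(WORKGROUP_CIDR), "samba")],
)
SOURCE_ZONES = [INTERNAL]
INTERFACE_ZONE = PUBLIC


def zone_for(src_ip):
    """Bind a packet to the first source zone matching its address,
    otherwise to the zone the receiving interface belongs to."""
    ip = ipaddress.ip_address(src_ip)
    for zone in SOURCE_ZONES:
        if any(ip in s for s in zone.sources):
            return zone
    return INTERFACE_ZONE


def allowed(src_ip, service):
    """Evaluate only the selected zone: rich rules first, then its services.
    A source-zone packet does not fall through to the interface zone."""
    zone = zone_for(src_ip)
    ip = ipaddress.ip_address(src_ip)
    for rule in zone.rich_rules:
        if ip in rule.source and rule.service == service:
            return rule.action == "accept"
    return service in zone.services


if __name__ == "__main__":
    # Constructed client addresses (203.0.113.0/24 is documentation space).
    probes = [("203.0.113.5", "http"), ("203.0.113.5", "ssh"),
              ("1.1.5.9", "ssh"), ("1.1.5.9", "http"),
              ("1.1.1.7", "samba"), ("1.2.3.4", "samba")]
    for ip, svc in probes:
        print(f"{ip:>12} {svc:<6} zone={zone_for(ip).name:<8} "
              f"allowed={allowed(ip, svc)}")
    print("canonical:", {c: is_canonical(c) for c in (ORG_CIDR, WORKGROUP_CIDR)})
```

Running the block shows the consequence of one-zone-per-packet that trips people up in practice: an organisation host reaches ssh (and, via the rich rule, samba) but not http or https, because internal is evaluated instead of public, not in addition to it. A host outside 1.1.0.0/16 is handled by public and never sees the rich rule, even where the masked workgroup network would otherwise contain it.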
