How to Manage Firewall Zones in Rocky Linux
Your firewall is there to protect your server from intrusions and similar issues. With Rocky Linux, that job is handled by firewalld, a flexible front end to the kernel's packet filter (nftables on Rocky Linux 8 and later) that lets you decide which connections reach your services.
Firewalld includes a feature that many businesses depend on: zones. A zone is a named set of rules that decides which incoming traffic is accepted on the interfaces (or from the source addresses) bound to it, chosen according to how much you trust the network behind that connection.
Several zones ship with firewalld: drop (incoming packets are silently dropped and only outgoing connections are allowed), block (incoming connections are rejected with an icmp-host-prohibited message for IPv4 or icmp6-adm-prohibited for IPv6, and outgoing connections are allowed), public (other machines on the network are not trusted, so only selected incoming connections are accepted), external (for interfaces facing external networks, with NAT masquerading enabled), dmz (for computers in a demilitarized zone that need limited access to your LAN), work (for work networks where other machines are mostly trusted), home (for home networks where other machines are mostly trusted), internal (for internal networks where other machines are mostly trusted), and trusted (all network connections are accepted).
A zone does not control what a remote machine is allowed to access; it controls what your server accepts on a given interface. That matters because firewalld lets you bind different network interfaces to different zones. For example, a server with two interfaces might put one in the work zone and one in the public zone, or one in the internal zone and one in the external zone, so that the external interface accepts only incoming HTTP traffic while the internal interface accepts the administrative traffic (SSH, for example) that you trust your LAN with.
Let's do just that—assign two different zones to two different network interfaces on Rocky Linux.
View the default zone
The first thing we'll do is view the default zone with the command:
sudo firewall-cmd --get-default-zone
You should see something like this in the output:
public
That means the default zone is public. You can access even more information about that zone with the command:
sudo firewall-cmd --zone=public --list-all
The output should look something like this:
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh vnc-server
ports: 67/udp 80/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Changing interfaces for a zone
Let's say you have interfaces enp0s3 and enp2s0. You want to assign enp0s3 to the internal zone and enp2s0 to the external zone. First, let's assign enp0s3 to the internal zone with the command:
sudo firewall-cmd --zone=internal --change-interface=enp0s3
Next, assign enp2s0 to the external zone with the command:
sudo firewall-cmd --zone=external --change-interface=enp2s0
You can view and verify the changes with the command:
sudo firewall-cmd --get-active-zones
The output lists each active zone followed by the interfaces bound to it. Note that without --permanent these bindings apply only to the running configuration on hosts where firewalld itself owns the interface; where NetworkManager manages the interface, firewalld hands the binding to NetworkManager, which records it in the connection profile. To make the binding explicit and persistent either way, repeat each command with --permanent and then run sudo firewall-cmd --reload, or set it on the NetworkManager connection directly with nmcli connection modify <connection> connection.zone internal.
Opening ports for a zone
You will also need to open specific services (or ports) in specific zones. Let's say, for example, that you want to allow HTTP and HTTPS (ports 80 and 443) on the external zone and SSH (port 22) on the internal zone. Service names are lowercase, and the commands below write to the permanent configuration: a change made without --permanent takes effect immediately but is discarded the next time the firewall is reloaded or restarted.
First, open the HTTP and HTTPS services for the external zone with the following commands:
sudo firewall-cmd --permanent --zone=external --add-service=http
sudo firewall-cmd --permanent --zone=external --add-service=https
Next, allow SSH through the internal zone with:
sudo firewall-cmd --permanent --zone=internal --add-service=ssh
On a stock install the internal zone already allows ssh, so firewall-cmd prints an ALREADY_ENABLED warning here; that is harmless and the command still makes the intent explicit.
Once you've run those commands, activate the permanent configuration by reloading the firewall with:
sudo firewall-cmd --reload
(If you had made the changes without --permanent, running sudo firewall-cmd --runtime-to-permanent before the reload would save them instead.)
At this point, the external zone will accept HTTP and HTTPS traffic arriving on enp2s0, and the internal zone will accept SSH traffic arriving on enp0s3. Two things are worth checking with sudo firewall-cmd --zone=<zone> --list-all: the internal zone allows several services by default (ssh, mdns, samba-client, dhcpv6-client and cockpit), which you may want to trim, and the external zone has masquerading enabled by default, so disable it with sudo firewall-cmd --permanent --zone=external --remove-masquerade unless this host is meant to act as a NAT gateway.
Blocking an IP address with the drop zone
Let's say you notice unwanted traffic hitting your external zone from a specific IP address. You can block that source by adding it to the drop zone with the command:
sudo firewall-cmd --permanent --zone=drop --add-source=IP
Where IP is the unwanted IP address (a CIDR block such as 203.0.113.0/24 works too). Because this is a --permanent change, follow it with sudo firewall-cmd --reload to put it into effect. Source bindings take precedence over interface bindings when firewalld picks a zone for a packet, so traffic from that address is dropped on every interface, not only the external one. After the reload, sudo firewall-cmd --get-active-zones lists the drop zone together with its sources.
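The whole procedure above (interface bindings, services, the dropped source, and a check that the result is what you intended) collected into one script. This is an added example, not code from the original article or from the firewalld project. It assumes the interface names enp0s3 and enp2s0 used above, a blocked address of 203.0.113.45 (an address from the documentation range, chosen for illustration), a FIREWALL_CMD variable that can be pointed at echo for a dry run, and a constructed sample of --list-all output so the audit logic can be exercised without root or a running firewalld. The function and variable names are the author's own.

```bash
#!/usr/bin/env bash
# Added example: apply the two-zone layout from this article and audit it.
# Assumptions (not from the article): interface names, the blocked address,
# the FIREWALL_CMD dry-run hook, and the constructed --list-all sample below.
set -eu

INTERNAL_IF="${INTERNAL_IF:-enp0s3}"
EXTERNAL_IF="${EXTERNAL_IF:-enp2s0}"
BLOCKED_SRC="${BLOCKED_SRC:-203.0.113.45}"     # assumed; RFC 5737 documentation range
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # set FIREWALL_CMD=echo for a dry run

# Every change goes to the permanent configuration and a single --reload
# activates it. Runtime-only changes (no --permanent) are discarded by --reload.
apply_zone_layout() {
    "$FIREWALL_CMD" --permanent --zone=internal --change-interface="$INTERNAL_IF"
    "$FIREWALL_CMD" --permanent --zone=external --change-interface="$EXTERNAL_IF"
    "$FIREWALL_CMD" --permanent --zone=external --add-service=http
    "$FIREWALL_CMD" --permanent --zone=external --add-service=https
    # external enables masquerade by default; drop it unless this host is a NAT gateway
    "$FIREWALL_CMD" --permanent --zone=external --remove-masquerade
    "$FIREWALL_CMD" --permanent --zone=internal --add-service=ssh
    # source bindings win over interface bindings, so this drops the address everywhere
    "$FIREWALL_CMD" --permanent --zone=drop --add-source="$BLOCKED_SRC"
    "$FIREWALL_CMD" --reload
}

# Print the value of one field ("services", "interfaces", ...) from
# `firewall-cmd --zone=X --list-all` output read on stdin.
list_all_field() {
    awk -v f="$1:" '$1 == f { $1 = ""; sub(/^ /, ""); print; exit }'
}

# Succeed if ITEM is one of the space-separated entries of FIELD (stdin = --list-all output).
field_has() {
    list_all_field "$1" | tr ' ' '\n' | grep -x -- "$2" >/dev/null
}

# Audit one zone's --list-all output: the interface must be bound, every
# service in WANT must be listed, and no service in FORBID may be exposed.
# Returns 0 when all checks pass, 1 otherwise (problems are printed).
audit_zone() {
    local output="$1" iface="$2" want="$3" forbid="$4" item rc=0
    printf '%s\n' "$output" | field_has interfaces "$iface" \
        || { echo "interface $iface is not bound to this zone"; rc=1; }
    for item in $want; do
        printf '%s\n' "$output" | field_has services "$item" \
            || { echo "service $item is missing"; rc=1; }
    done
    for item in $forbid; do
        if printf '%s\n' "$output" | field_has services "$item"; then
            echo "service $item must not be exposed here"; rc=1
        fi
    done
    return "$rc"
}

# Audit the live firewall: external offers only http/https, internal offers ssh.
audit_live() {
    audit_zone "$("$FIREWALL_CMD" --zone=external --list-all)" "$EXTERNAL_IF" "http https" "ssh"
    audit_zone "$("$FIREWALL_CMD" --zone=internal --list-all)" "$INTERNAL_IF" "ssh" "http https"
}

# Constructed sample of `--list-all` for the external zone after apply_zone_layout,
# so the audit logic can be exercised without root or a running firewalld.
SAMPLE_EXTERNAL='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp2s0
  sources:
  services: http https
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

case "${1:-}" in
    apply) apply_zone_layout ;;
    audit) audit_live ;;
    *)     audit_zone "$SAMPLE_EXTERNAL" enp2s0 "http https" "ssh" && echo "sample audit: ok" ;;
esac
```

Run it as sudo ./zones.sh apply to make the changes, ./zones.sh audit (as root) to check the live zones afterwards, or FIREWALL_CMD=echo ./zones.sh apply to print the firewall-cmd invocations without touching anything. With no argument it only runs the audit logic against the embedded sample.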
And that's the basics of using firewall zones in Rocky Linux! Once you get used to working with this feature, you'll find it to be incredibly helpful in shaping the network traffic allowed into your machines and/or network.