A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.
The zone defines the firewall features that are enabled in this zone:
A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also a IPv4 and IPv6 destination address.
Ports and protocols
Definition of tcp or udp ports, where ports can be a single port or a port range.
Blocks selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.
The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation.
A forward port is either mapped to the same port on another host or to another port on the same host or to another port on another host.
Rich language rules
The rich language extends the elements (service, port, icmp-block, masquerade and forward-port) with additional source and destination addresses, logging, actions and limits for logs and actions. It can also be used for host or network white and black listing (for more information, please have a look at firewalld.richlanguage(5)).
For more information on the zone file format, please have a look at firewalld.zone(5).
Here are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
All network connections are accepted.
A public WIFI network connection for example should be mainly untrusted, a wired home network connection should be fairly trusted. Select the zone that best matches the network you are using.
To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration: These are the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-Bus interface. Or you can create or copy a zone file in one of the configuration directories. /usr/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files.
The zone is stored into the ifcfg of the connection with ZONE=option. If the option is missing or empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
firewalld home page:
More documentation with examples: