I've been struggling through some weird (to me) firewalld errors but am now seeing the firewall behavior I'd like. But, baffling to me, what works seems to be a mix of both the drop zone and the trusted zone:
[root@douglasii ~]# firewall-cmd --get-active-zones
drop
interfaces: eth0 veth879317c vethaff7c39 vethb2fec6e
trusted
sources: 192.168.0.0/16
[root@douglasii ~]# firewall-cmd --zone=drop --list-all
drop (default, active)
interfaces: eth0 veth879317c vethaff7c39 vethb2fec6e
sources:
services: ssh
ports: 443/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@douglasii ~]# firewall-cmd --zone=trusted --list-all
trusted
interfaces:
sources: 192.168.0.0/16
services: ssh
ports: 443/tcp 80/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
I was under the impression that you set zones one at a time using set-default-zone. I see whichever one I do that for gets the "active" label. Is that not the case? Can multiple firewalld zones be active at any given time? Do they all apply at the same time? What is a default zone? It's not clear to me from reading the docs on FirewallD.