How to create a firewalld zone

A custom firewalld zone gives one traffic group its own services, ports, rich rules, and forwarding settings instead of overloading a built-in zone such as public. Create the zone before binding interfaces or sources to it so the rule set is visible and reviewable before it handles traffic.

The example creates a permanent app-internal zone, adds a short description, and allows SSH as the first service. A new zone is a saved policy object only; it does not become active until an interface, source, or default-zone setting sends traffic to it.

Zone names may contain letters, numbers, underscores, and hyphens, and the current zone-file documentation places a limit on the length of the zone name. Use a short name that describes the trust boundary rather than the first host that happens to use it.

Steps to create a firewalld zone:

  1. Confirm that firewalld is running before changing zone configuration.
    $ sudo firewall-cmd --state
    running
  2. List existing zones before choosing the new name.
    $ sudo firewall-cmd --get-zones
    block dmz drop external home internal public trusted work
  3. Create the permanent custom zone.
    $ sudo firewall-cmd --permanent --new-zone=app-internal
    success

    The zone is created in permanent configuration. It will not appear in runtime commands until firewalld is reloaded.

  4. Set a short label for the custom zone.
    $ sudo firewall-cmd --permanent --zone=app-internal --set-short="Application internal"
    success
  5. Set a description that names the traffic boundary.
    $ sudo firewall-cmd --permanent --zone=app-internal --set-description="Internal application traffic"
    success
  6. Add the first allowed service to the zone.
    $ sudo firewall-cmd --permanent --zone=app-internal --add-service=ssh
    success

    Only add services that should be reachable by traffic assigned to this zone. A zone can be created without services when the binding should start closed.

  7. Validate the permanent firewalld configuration.
    $ sudo firewall-cmd --check-config
    success
  8. Reload firewalld so the new zone becomes available at runtime.
    $ sudo firewall-cmd --reload
    success
  9. Verify that the new zone is listed.
    $ sudo firewall-cmd --get-zones
    app-internal block dmz drop external home internal public trusted work
  10. Inspect the new zone.
    $ sudo firewall-cmd --zone=app-internal --list-all
    app-internal
      target: default
      icmp-block-inversion: no
      interfaces:
      sources:
      services: ssh
      ports:
      protocols:
      forward: no
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
  11. Assign an interface or source only after the zone policy is ready.

    Use an interface binding for a whole link, or a source binding when one address range needs this zone while the interface keeps a different default.

Related: Assign a network interface to a firewalld zone
Related: Assign a source to a firewalld zone
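The whole procedure as one script, added here as an example rather than taken from the page or from firewalld itself: it wraps firewall-cmd in one function, validates the zone name against the rule given above, refuses to recreate an existing zone, and runs --check-config before --reload so a bad permanent configuration never goes live. Assumptions: the numeric length limit (17) follows firewalld.zone(5) since the page only says a limit exists, and the function names fw, valid_zone_name, zone_exists and create_zone are mine.

```shell
#!/bin/sh
# Added example (not from the page): the zone-creation procedure above as
# one script with a check at each step.
# Assumption: ZONE_NAME_MAX=17 follows firewalld.zone(5); the page only
# says a limit exists. Override it if your firewalld version differs.
set -eu
ZONE_NAME_MAX="${ZONE_NAME_MAX:-17}"

# Single wrapper so every firewalld call is easy to audit (or to stub).
fw() { sudo firewall-cmd "$@"; }

# Letters, digits, underscore and hyphen only; non-empty; within the limit.
valid_zone_name() {
    name="$1"
    [ -n "$name" ] || return 1
    [ "${#name}" -le "$ZONE_NAME_MAX" ] || return 1
    case "$name" in *[!A-Za-z0-9_-]*) return 1 ;; esac
    return 0
}

# True when the zone already exists in permanent configuration (step 2).
zone_exists() {
    fw --permanent --get-zones | tr ' ' '\n' | grep -qx -- "$1"
}

# create_zone NAME SHORT DESCRIPTION [SERVICE...]
# No SERVICE arguments creates a zone that starts closed (see the step 6 note).
create_zone() {
    zone="$1"; short="$2"; desc="$3"; shift 3
    valid_zone_name "$zone" || { echo "invalid zone name: $zone" >&2; return 1; }
    [ "$(fw --state)" = running ] || { echo "firewalld not running" >&2; return 1; }  # step 1
    if zone_exists "$zone"; then
        echo "zone $zone already exists, not recreating" >&2; return 1
    fi
    fw --permanent --new-zone="$zone" >/dev/null                          # step 3
    fw --permanent --zone="$zone" --set-short="$short" >/dev/null        # step 4
    fw --permanent --zone="$zone" --set-description="$desc" >/dev/null   # step 5
    for svc in "$@"; do                                                  # step 6
        fw --permanent --zone="$zone" --add-service="$svc" >/dev/null
    done
    fw --check-config >/dev/null   # step 7: bad permanent config never reaches runtime
    fw --reload >/dev/null         # step 8
    fw --get-zones | tr ' ' '\n' | grep -qx -- "$zone" \
        || { echo "zone $zone missing after reload" >&2; return 1; }    # step 9
    fw --zone="$zone" --list-all                                         # step 10
}
```

Run it as `create_zone app-internal "Application internal" "Internal application traffic" ssh` from a shell that has sourced the file; binding interfaces or sources (step 11) is deliberately left to a separate step.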