Setting the services of a zone is the default way to configure the firewall. Each zone has predefined services assigned to it. To configure this setting further, you either add services to the zone or remove services from the zone.

To list predefined services, use the firewall-cmd --list-services command.

For example, the following command shows that the work zone has the cockpit, dhcpv6-client, and ssh services assigned to it:

sudo firewall-cmd --list-services --zone=work

cockpit dhcpv6-client ssh

To open access to a new service, use the --add-service service option. Optionally, include the --permanent option to make the rule persistent across reboots.

For example, to add the HTTP and NFS services to the work zone, you would use the following command:

sudo firewall-cmd --permanent --zone=work --add-service=http --add-service=nfs
sudo firewall-cmd --list-services --zone=work

cockpit dhcpv6-client ssh http nfs

To remove access to a service, use the --remove-service service option:

sudo firewall-cmd --permanent --zone=work --remove-service=cockpit
sudo firewall-cmd --list-services --zone=work 

dhcpv6-client ssh http nfs

Network traffic through the zone's services uses the ports of those services. Ports must be opened to accept traffic. You can open more ports for network access by specifying the port number and the associated protocol.

The --list-ports option lists the ports and associated protocols to which you have explicitly allowed access. However, ports that have been opened as a service aren't included in this command's output. Therefore, when listing ports, the best practice is to use the --list-all option to obtain more complete information.

Use the --add-port option to allow access to specific ports. Ports must be specified by using the format port-number/port-type. Port types can be tcp, udp, sctp, or dccp. Ensure that the type and the network traffic match, for example:

sudo firewall-cmd --permanent --zone=work --add-port=5353/udp --add-port=3689/tcp
sudo firewall-cmd --list-all --zone=work 

work
  target: default
  icmp-clock-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh http nfs 
  ports: 5353/udp 3689/tcp
...

Similarly, the --remove-port option removes access to a port. Remember to use the --permanent option to make the change persist.

For more information, see the firewall-cmd(1) manual page.

A system's network interface is automatically assigned to the default zone. In Oracle Linux, you can configure multiple zones with their specific services, ports, and so on. You then activate a specific zone's rules to become operative by assigning the interface to that zone. Thus, you have the flexibility to easily change the firewall rules that are active on the system by reassigning the network interface.

Suppose that you want to activate the firewall configuration of the work zone. You would assign the interface to the zone as follows:

sudo firewall-cmd --zone=work --change-interface=enp0s1
firewall-cmd --get-active-zone

work
  interfaces: enp0s1

You can change a system's default zone as follows:

sudo firewall-cmd --set-default-zone=work

You can also verify that the changes have been applied:

firewall-cmd --get-default-zone

To display the entire and final results of the configuration:

sudo firewall-cmd --zone=work --list-all

work (active)
  target: default
  interfaces:  enp0s1
  sources:
  services: dhcpv6-client ssh http nfs
  ports: 5353/udp 3689/tcp
...

The target setting establishes the default behavior of the firewall when managing incoming traffic. This zone setting is automatically configured to default for all the predefined zones. To change the default behavior of a zone, use the following command;

sudo firewall-cmd --zone=zone-name --set-target=ACCEPT|REJECT|DROP

You can specify the following options:

• ACCEPT accpets all incoming traffic except those you have set to be rejected in another rule.

• REJECT blocks all incoming traffic except those you have allowed in another rule. The source machine is informed about the rejecion.

• DROP is similar to REJECT but no notice of the rejection is sent to the source machine.

You can manage incoming traffic to a zone based on the traffic source. The two following two zone settings enable you to specify the origin of the packets:

• source identifies the sending node or network.

• source-ports identifies the port from which traffic originates.

To accept incoming traffic from a sending node, use the following command:

sudo firewall-cmd --zone=zone-name --add-source=IP-address                  

Note that the IP address can include the netmask in CIDR notation, such as 192.0.2.0/24.

Run the following command to transform the current runtime ruleset to a permanent ruleset:

sudo firewall-cmd --runtime-to-permanent

Omit this command if you're setting a temporary configuration that's dropped if the system is rebooted.

The following similar syntax is used to set the source-port setting:

sudo firewall-cmd --zone=<zone-name> --add-source-port=<portid>/<protocol>

You can combine different settings to configure the firewall. The trusted zone can be configured to accept HTTP traffic from the 192.0.2.0 network source, as shown in the following example:

sudo firewall-cmd --zone=trusted --add-source=192.0.2.0/24
sudo firewall-cmd --zone=trusted --add-service=http
sudo firewall-cmd --zone=trusted --list-all

trusted (active)
  target: ACCEPT
  sources: 192.0.2.0/24
  services: http