Information
A firewall zone defines the trust level for a connection, interface or source address binding. This is a one to many relation, which means that a connection, interface or source can only be part of one zone, but a zone can be used for many network connections, interfaces and sources.
- The default zone is the zone that is used for everything that is not explicitly bound/assigned to another zone.
- If no zone is assigned to a connection, interface or source, the default zone is used.
- The default zone is not always listed as being used for an interface or source, since it applies to them either way. Whether it is listed depends on the manager of the interfaces.
Connections handled by NetworkManager are listed because NetworkManager requests the zone binding for the interface used by the connection. Interfaces under control of the network service are also listed, because that service requests the binding as well.
Note:
- A firewalld zone configuration file contains the information for a zone.
- This information consists of the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules, stored in an XML file format.
- The file name has to be zone_name.xml, where the length of zone_name is currently limited to 17 characters.
- NetworkManager binds interfaces to zones automatically.
Because the default zone is the zone used for everything that is not explicitly bound/assigned to another zone, it is important, if FirewallD is being used, for the default zone to be set.
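As an added example, not part of the benchmark text above, the following bash functions resolve the zone in effect for an interface from the output of firewall-cmd --get-active-zones, falling back to the default zone when the interface is not listed under any zone, which is the behaviour described above. The active-zone output is a constructed sample, and zone_for_interface and unbound_interfaces are names chosen here.

```bash
#!/usr/bin/env bash
# Added example: determine which firewalld zone actually applies to an interface.
# Interfaces not listed under any active zone fall back to the default zone,
# which is why the default zone must be set deliberately.

# Constructed sample of `firewall-cmd --get-active-zones` output. On a live
# host this string would come from running the command itself.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0
  sources: 192.0.2.0/24
trusted
  interfaces: eth1 eth2'

# zone_for_interface IFACE ACTIVE_ZONES DEFAULT_ZONE
# Prints the zone IFACE is explicitly bound to, or DEFAULT_ZONE when no
# active zone lists it.
zone_for_interface() {
  local iface="$1" active="$2" default="$3"
  local found
  found=$(printf '%s\n' "$active" | awk -v want="$iface" '
    /^[^[:space:]]/ { zone = $1; next }          # unindented line: zone name
    /^[[:space:]]+interfaces:/ {                  # indented: interface list
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
    }')
  printf '%s\n' "${found:-$default}"
}

# unbound_interfaces "IFACE1 IFACE2 ..." ACTIVE_ZONES
# Prints, one per line, the interfaces that rely on the default zone.
unbound_interfaces() {
  local ifaces="$1" active="$2" i
  for i in $ifaces; do
    if [ "$(zone_for_interface "$i" "$active" "__none__")" = "__none__" ]; then
      printf '%s\n' "$i"
    fi
  done
}

# Live usage would be:
#   zone_for_interface eth3 "$(firewall-cmd --get-active-zones)" \
#       "$(firewall-cmd --get-default-zone)"
zone_for_interface eth0 "$SAMPLE_ACTIVE_ZONES" public
zone_for_interface eth3 "$SAMPLE_ACTIVE_ZONES" public
unbound_interfaces 'eth0 eth3 lo' "$SAMPLE_ACTIVE_ZONES"
```

Interfaces reported by unbound_interfaces are exactly those whose trust level is decided by the default zone alone.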
Solution
Run the following script to set the default zone:
#!/usr/bin/env bash
{
   l_zname="public" # <- Update to local site zone name if desired
   l_zone=""
   # Only remediate when firewalld is the enabled firewall service
   if systemctl is-enabled firewalld.service | grep -q 'enabled'; then
      l_zone="$(firewall-cmd --get-default-zone)"
      if [ "$l_zone" = "$l_zname" ]; then
         echo -e "
 - The default zone is set to: \"$l_zone\"
 - No remediation required"
      else
         # Covers both a different zone and an empty result from firewall-cmd
         echo -e "
 - The default zone is set to: \"$l_zone\"
 - Updating default zone to: \"$l_zname\""
         firewall-cmd --set-default-zone="$l_zname"
      fi
   else
      echo -e "
 - FirewallD is not in use on the system
 - No remediation required"
   fi
}