FIREWALLD.POLICY-(5) Firewalld Policy Set Gateway FIREWALLD.POLICY-(5)

firewalld.policy-set-gateway - Firewalld Policy Set Gateway

The Gateway policy set is a useful starting point for a home router. It enables masquerading, conntrack helpers, and forwarding between zones.

Zones used by this set are logically grouped. These groups name are used by the predefined policies.

            +-----------+                  +-----------+
            |    LAN    |                  |   WORLD   |
            |-----------|                  |-----------|
            | zones:    |                  | zones:    |
            |  internal |                  |  external |
            |  home     |                  |  public   |
            |  trusted  |                  |           |
            +-----------+                  +-----------+
                  |                              |
                  |                              |
                  |         +-----------+        |
                  +---------|   HOST    |--------+
                            |-----------|
                            | zones:    |
                  +---------|  HOST     |--------+
                  |         +-----------+        |
                  |                              |
                  |                              |
            +-----------+                  +-----------+
            |   WORK    |                  |    DMZ    |
            |-----------|                  |-----------|
            | zones:    |                  | zones:    |
            |  work     |                  |  dmz      |
            +-----------+                  +-----------+

gateway-dmz-to-HOST

Enables services commonly needed for a gateway, e.g. dns, dhcp.

File location: /usr/lib/firewalld/policies/gateway-dmz-to-HOST.xml

gateway-lan-to-work

Allows all traffic from LAN to work. Enables masquerading and common connection tracking helpers.

File location: /usr/lib/firewalld/policies/gateway-lan-to-work.xml

gateway-lan-to-world

Allows all traffic from LAN to world. If an interface is added to the "external" zone then the traffic will be masqueraded. Also enables connection tracking helpers for common services, e.g. ftp.

File location: /usr/lib/firewalld/policies/gateway-lan-to-world.xml

gateway-lan-to-HOST

Enables services commonly needed for a gateway, e.g. dns, dhcp.

File location: /usr/lib/firewalld/policies/gateway-lan-to-HOST.xml

gateway-world-to-HOST

May be used to expose internal/dmz services to the world by adding a forward port to this policy.

Here is an example for adding a forward port. It forward port 8080 to 10.1.1.42:80.

# firewall-cmd --permanent --policy gateway-world-to-HOST \
               --add-forward-port=port=8080:proto=tcp:toport=80:toaddr=10.1.1.42
# firewall-cmd --reload

File location: /usr/lib/firewalld/policies/gateway-world-to-HOST.xml

firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

firewalld home page:

http://firewalld.org

Thomas Woerner <twoerner@redhat.com>

Developer

Jiri Popelka <jpopelka@redhat.com>

Developer

Eric Garver <eric@garver.life>

Developer
firewalld 2.4.0