{"description": "Firewalls can be used to separate networks into different zones\nbased on the level of trust the user has decided to place on the devices and\ntraffic within that network. <tt>NetworkManager</tt> informs firewalld to which\nzone an interface belongs. An interface's assigned zone can be changed by\n<tt>NetworkManager</tt> or via the <tt>firewall-config</tt> tool.\n<br />\nThe zone settings in <tt>/etc/firewalld/</tt> are a range of preset settings\nwhich can be quickly applied to a network interface. These are the zones\nprovided by firewalld sorted according to the default trust level of the\nzones from untrusted to trusted:\n<ul>\n<li><tt>drop</tt><br /><p>Any incoming network packets are dropped, there is no\nreply. Only outgoing network connections are possible.</p></li>\n<li><tt>block</tt><br /><p>Any incoming network connections are rejected with an\n<tt>icmp-host-prohibited</tt> message for IPv4 and <tt>icmp6-adm-prohibited</tt>\nfor IPv6. Only network connections initiated from within the system are\npossible.</p></li>\n<li><tt>public</tt><br /><p>For use in public areas. You do not trust the other\ncomputers on the network to not harm your computer. Only selected incoming\nconnections are accepted.</p></li>\n<li><tt>external</tt><br /><p>For use on external networks with masquerading enabled\nespecially for routers. You do not trust the other computers on the network to\nnot harm your computer. Only selected incoming connections are accepted.</p></li>\n<li><tt>dmz</tt><br /><p>For computers in your demilitarized zone that are\npublicly-accessible with limited access to your internal network. Only selected\nincoming connections are accepted.</p></li>\n<li><tt>work</tt><br /><p>For use in work areas. You mostly trust the other computers\non networks to not harm your computer. Only selected incoming connections are\naccepted.</p></li>\n<li><tt>home</tt><br /><p>For use in home areas. You mostly trust the other computers\non networks to not harm your computer. Only selected incoming connections are\naccepted.</p></li>\n<li><tt>internal</tt><br /><p>For use on internal networks. You mostly trust the\nother computers on the networks to not harm your computer. Only selected\nincoming connections are accepted.</p></li>\n<li><tt>trusted</tt><br /><p>All network connections are accepted.</p></li>\n</ul>\n<br />\nIt is possible to designate one of these zones to be the default zone. When\ninterface connections are added to <tt>NetworkManager</tt>, they are assigned\nto the default zone. On installation, the default zone in firewalld is set to\nbe the public zone.\n<br />\nTo find out all the settings of a zone, for example the <tt>public zone,</tt>\nenter the following command as root:\n<pre># firewall-cmd --zone=public --list-all</pre>\nExample output of this command might look like the following:\n<pre>\n# firewall-cmd --zone=public --list-all\npublic\n  interfaces:\n  services: mdns dhcpv6-client ssh\n  ports:\n  forward-ports:\n  icmp-blocks: source-quench\n</pre>\nTo view the network zones currently active, enter the following command as root:\n<pre># firewall-cmd --get-service</pre>\nThe following listing displays the result of this command\non common Ubuntu 22.04 system:\n<pre>\n# firewall-cmd --get-service\namanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp\nhigh-availability http https imaps ipp ipp-client ipsec kerberos kpasswd\nldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn\npmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind\nsamba samba-client smtp ssh telnet tftp tftp-client transmission-client\nvnc-server wbem-https\n</pre>\nFinally to view the network zones that will be active after the next firewalld\nservice reload, enter the following command as root:\n<pre># firewall-cmd --get-service --permanent</pre>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["package_firewalld_installed", "service_firewalld_enabled"], "platform": "", "platforms": [], "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "title": "Inspect and Activate Default firewalld Rules", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/network/network-firewalld/firewalld_activation/group.yml"}