Hello team!
The documentation at https://firewalld.org/documentation/zone/options.html says that a firewalld zone has an option "target" with the possible values ACCEPT|%%REJECT%%|DROP:
The ACCEPT target is used in trusted zone to accept every packet not matching any rule. The %%REJECT%% target is used in block zone to reject (with default firewalld reject type) every packet not matching any rule. The DROP target is used in drop zone to drop every packet not matching any rule.
But firewall-cmd --list-all-zones gives me the value "default" as the target for some zones. What does the target "default" mean?
On Wed, Jan 29, 2020 at 07:29:10PM -0000, Mihail Pol wrote:
> Hello team!
> The documentation at https://firewalld.org/documentation/zone/options.html says that a firewalld zone has an option "target" with the possible values ACCEPT|%%REJECT%%|DROP:
> The ACCEPT target is used in trusted zone to accept every packet not matching any rule. The %%REJECT%% target is used in block zone to reject (with default firewalld reject type) every packet not matching any rule. The DROP target is used in drop zone to drop every packet not matching any rule.
> But firewall-cmd --list-all-zones gives me the value "default" as the target for some zones. What does the target "default" mean?
In most cases "default" can be thought of as equivalent to %%REJECT%%. That being said, there are a couple of scenarios where it behaves differently.
1) source-based zone fall-through/drift to interface-based zones
- This is known as "zone drifting": if a packet ingresses (INPUT) a source-based zone, it may still enter an interface-based zone (including the default zone).
2) For FORWARD traffic, packets that ingress a zone with a "default" target will be allowed based on the target of the egress zone.
Take a forwarded packet that ingresses zoneA and egresses zoneB:
- if zoneA's target is "ACCEPT", "DROP", or "%%REJECT%%", the packet is accepted, dropped, or rejected respectively.
- if zoneA's target is "default", then the packet is accepted/dropped/rejected based on zoneB's target.
Hope the above helps.
Eric.
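The two cases Eric describes (zone drifting on INPUT, and FORWARD deferring to the egress zone's target) are easy to get wrong when reasoning about what a "default" target actually lets through. The following is an added model of that decision logic written for this thread; it is not firewalld's own code, and the zone names, the "ports" rule sets and the helper names are constructed assumptions. Newer firewalld releases also expose the drift behaviour as the AllowZoneDrifting setting in firewalld.conf, so check that setting before relying on the INPUT case below.

```python
# Model of firewalld zone "target" semantics as explained in the reply above.
# Constructed example for illustration; not firewalld source. Zones are plain
# dicts: "target" is one of the four values below, "ports" is the set of
# services an explicit rule accepts (assumption: only accept rules are modelled).

ACCEPT = "ACCEPT"
REJECT = "%%REJECT%%"
DROP = "DROP"
DEFAULT = "default"


def zone_verdict(zone, port):
    """Verdict of a single zone for a packet to `port`.

    Returns ACCEPT when an explicit rule matches, the zone's fixed target when
    it has one, or None when the target is "default" and nothing matched
    (the packet is allowed to continue to the next zone).
    """
    if port in zone["ports"]:
        return ACCEPT
    if zone["target"] == DEFAULT:
        return None
    return zone["target"]


def input_verdict(source_zone, interface_zone, port):
    """INPUT path: a packet that matched a source-based zone first.

    With a "default" target and no matching rule it drifts into the
    interface-based zone ("zone drifting"). A fixed target (ACCEPT/DROP/
    %%REJECT%%) in the source-based zone is final. If the last zone also has a
    "default" target and nothing matched, the packet is rejected, which is
    why "default" usually looks like %%REJECT%%.
    """
    if source_zone is not None:
        verdict = zone_verdict(source_zone, port)
        if verdict is not None:
            return verdict
    verdict = zone_verdict(interface_zone, port)
    return verdict if verdict is not None else REJECT


def forward_verdict(ingress_zone, egress_zone):
    """FORWARD path: the ingress zone's target decides; a "default" ingress
    target defers to the egress zone's target, and two "default" targets
    fall back to rejecting."""
    ingress_target = ingress_zone["target"]
    if ingress_target != DEFAULT:
        return ingress_target
    egress_target = egress_zone["target"]
    return egress_target if egress_target != DEFAULT else REJECT


# Constructed sample zones (targets follow the stock firewalld zone names).
PUBLIC = {"name": "public", "target": DEFAULT, "ports": {"ssh"}}      # interface-based
INTERNAL = {"name": "internal", "target": DEFAULT, "ports": {"http"}}  # source-based
BLOCK = {"name": "block", "target": REJECT, "ports": set()}
DROP_ZONE = {"name": "drop", "target": DROP, "ports": set()}
TRUSTED = {"name": "trusted", "target": ACCEPT, "ports": set()}


def demo():
    """Return the verdicts for a handful of constructed packets."""
    return {
        # ssh is not allowed in "internal", but drifts into "public" where it is
        "input internal->public ssh": input_verdict(INTERNAL, PUBLIC, "ssh"),
        # nothing allows ftp anywhere, so the trailing "default" rejects
        "input internal->public ftp": input_verdict(INTERNAL, PUBLIC, "ftp"),
        # a %%REJECT%% target in the source-based zone never drifts
        "input block->public ssh": input_verdict(BLOCK, PUBLIC, "ssh"),
        # FORWARD: "default" ingress defers to the egress zone's target
        "forward public->trusted": forward_verdict(PUBLIC, TRUSTED),
        "forward public->internal": forward_verdict(PUBLIC, INTERNAL),
        "forward drop->trusted": forward_verdict(DROP_ZONE, TRUSTED),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} {verdict}")
```

The INPUT case is the one worth checking on a live host: a source-based zone with a "default" target does not wall off its sources from the interface zone's openings, so a service opened only in the interface zone (here ssh in "public") is still reachable from the "internal" sources. Compare against `firewall-cmd --list-all-zones` and the AllowZoneDrifting setting on the version you run.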
firewalld-users@lists.fedorahosted.org