From 8303e10ece79829a2abbb61f4e353ae17d995797 Mon Sep 17 00:00:00 2001 From: Eric Garver Date: Fri, 27 Mar 2020 14:25:47 -0400 Subject: [PATCH] doc: clarify --set-target values "default" vs "reject" Fixes: #590 (cherry picked from commit 1249b741781d424e03844b35a4545db69a282dfb) (cherry picked from commit 48a80a871b3e6be9abcc195c12b2860b4958c32b) --- doc/xml/firewall-cmd.xml.in | 36 ++++++++++++++++++++++++++++++++++++ doc/xml/firewall-offline-cmd.xml | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 73 insertions(+), 1 deletion(-) diff --git a/doc/xml/firewall-cmd.xml.in b/doc/xml/firewall-cmd.xml.in index cd4aa47addb2..661bbdfe0c47 100644 --- a/doc/xml/firewall-cmd.xml.in +++ b/doc/xml/firewall-cmd.xml.in @@ -482,6 +482,42 @@ Set the target of a permanent zone. target is one of: default, ACCEPT, DROP, REJECT + + default is similar to REJECT, but has special meaning in the following scenarios: + + ICMP explicitly allowed + + At the end of the zone's ruleset ICMP packets are explicitly allowed. + + + + forwarded packets follow the target of the egress zone + + In the case of forwarded packets, if the ingress zone uses default then whether or not the packet will be allowed is determined by the egress zone. + + + For a forwarded packet that ingresses zoneA and egresses zoneB: + + + + if zoneA's target is ACCEPT, DROP, or REJECT then the packet is accepted, dropped, or rejected respectively. + + + if zoneA's target is default, then the packet is accepted, dropped, or rejected based on zoneB's target. If zoneB's target is also default, then the packet will be rejected by firewalld's catchall reject. + + + + + Zone drifting from source-based zone to interface-based zone + + This only applies if is enabled. See firewalld.conf5. + + + If a packet ingresses a source-based zone with a target of default, it may still enter an interface-based zone (including the default zone). + + + + diff --git a/doc/xml/firewall-offline-cmd.xml b/doc/xml/firewall-offline-cmd.xml index aeaf3dc0ebd5..9406833ed74d 100644 --- a/doc/xml/firewall-offline-cmd.xml +++ b/doc/xml/firewall-offline-cmd.xml @@ -572,7 +572,43 @@ =zone =zone - Set the target of a permanent zone. + Set the target of a permanent zone. target is one of: default, ACCEPT, DROP, REJECT + + + default is similar to REJECT, but has special meaning in the following scenarios: + + ICMP explicitly allowed + + At the end of the zone's ruleset ICMP packets are explicitly allowed. + + + + forwarded packets follow the target of the egress zone + + In the case of forwarded packets, if the ingress zone uses default then whether or not the packet will be allowed is determined by the egress zone. + + + For a forwarded packet that ingresses zoneA and egresses zoneB: + + + + if zoneA's target is ACCEPT, DROP, or REJECT then the packet is accepted, dropped, or rejected respectively. + + + if zoneA's target is default, then the packet is accepted, dropped, or rejected based on zoneB's target. If zoneB's target is also default, then the packet will be rejected by firewalld's catchall reject. + + + + + Zone drifting from source-based zone to interface-based zone + + This only applies if is enabled. See firewalld.conf5. + + + If a packet ingresses a source-based zone with a target of default, it may still enter an interface-based zone (including the default zone). + + + -- 1.8.3.1