I was unable to remove any preconfigured zones.

[root@fabian ~]# firewall-cmd --permanent --delete-zone=block
Error: BUILTIN_ZONE: block
[root@fabian ~]#

Is there a way I can do that? If I just remove the corresponding zone files, firewalld won't start.

If this cannot be done, why on earth can one not get rid of these builtin zones? Just looking at the predefined empty firewall makes me puke:

[root@fabian ~]# firewall-cmd --list-all-zones
block
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

dmz
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

drop
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

external (active)
  interfaces: enp0s26u1u1
  sources: 
  services: 
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

home
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

internal (default, active)
  interfaces: enp4s0
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

public
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

work
  interfaces: 
  sources: 
  services: 
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

[root@fabian ~]#

Please save me.

Aas
Default zones are stored in this directory:

/usr/lib/firewalld/zones

The following was pulled from the page below after googling firewall-cmd default zones:

[https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos]

Configuring FirewallD

Firewalld is configured with XML files. Except for very specific configurations, you won’t have to deal with them and firewall-cmd should be used instead.

Configuration files are located in two directories:

/usr/lib/FirewallD holds default configurations like default zones and common services. Avoid updating them because those files will be overwritten by each firewalld package update.

/etc/firewalld holds system configuration files. These files will overwrite a default configuration.

With that said... I removed a builtin zone named internal from /usr/lib/FirewallD/zones and reloaded firewalld, and the zone was still there when I did --list-all-zones.

So I then removed the internal zone from /etc/firewalld/zones and reloaded the firewall, and the internal zone is now gone.

Will it come back after a package update? I don't know and haven't tried yet.

The Dude
  • The only file in /etc/firewalld/zones is public.xml. So, nothing to delete. :-( It's CentOS 7. – Aas Mar 17 '17 at 14:29
My Debian bullseye system had a file /etc/firewalld/zones/docker.xml, which caused my firewalld to have a zone docker (visible when executing firewall-cmd --list-all-zones).

The only way to get rid of zone docker was by deleting that file:

rm /etc/firewalld/zones/docker.xml
Abdull
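The two answers above turn on the same distinction: a zone whose XML ships in the packaged directory is built-in and cannot be deleted, a same-named file under /etc only overrides it, and a zone present only under /etc (like docker) is removed by deleting its file. The helper below, added here as an example and not code from either answer, classifies every zone that way and states what deleting its file would actually do; it uses the real paths by default but reads BUILTIN_DIR and USER_DIR from the environment so it can be run against constructed directories.

```shell
#!/bin/sh
# Added example, not code from the thread. Classifies firewalld zones by
# where their XML definition lives:
#   builtin  - only in the packaged directory; firewall-cmd refuses to delete
#              it (the BUILTIN_ZONE error from the question)
#   override - packaged AND local copy; deleting the local file only reverts
#              the zone to the packaged default, it does not remove the zone
#   custom   - only in the local directory (like the docker zone in the last
#              answer); removing that file and reloading removes the zone
# BUILTIN_DIR/USER_DIR default to the real paths and can be overridden from
# the environment to point at constructed directories.

BUILTIN_DIR="${BUILTIN_DIR:-/usr/lib/firewalld/zones}"
USER_DIR="${USER_DIR:-/etc/firewalld/zones}"

# zone_kind NAME -> prints builtin | override | custom | unknown
zone_kind() {
    if [ -f "$BUILTIN_DIR/$1.xml" ]; then
        if [ -f "$USER_DIR/$1.xml" ]; then echo override; else echo builtin; fi
    elif [ -f "$USER_DIR/$1.xml" ]; then
        echo custom
    else
        echo unknown
    fi
}

# removal_advice NAME -> one line stating what deleting the file would do
removal_advice() {
    case "$(zone_kind "$1")" in
        builtin)  echo "$1: built-in, cannot be deleted; leave it unused" ;;
        override) echo "$1: built-in; deleting $USER_DIR/$1.xml only restores the packaged default" ;;
        custom)   echo "$1: user-defined; rm $USER_DIR/$1.xml and reload to remove it" ;;
        *)        echo "$1: no zone file found" ;;
    esac
}

# list_zones -> every zone name present in either directory, sorted, unique
list_zones() {
    for f in "$BUILTIN_DIR"/*.xml "$USER_DIR"/*.xml; do
        [ -f "$f" ] && basename "$f" .xml
    done | sort -u
}

# Report on every zone found (prints nothing if neither directory exists)
for z in $(list_zones); do removal_advice "$z"; done
```

Run it on the machine from the question and public shows up as an override (the only file in /etc/firewalld/zones), which is why deleting that file would not remove the zone.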