On Wed, Jan 29, 2020 at 07:29:10PM -0000, Mihail Pol wrote:
> Hello team!
> Documentation says
> https://firewalld.org/documentation/zone/options.html that firewalld
> zone has option "target" with possible values:
> ACCEPT|%%REJECT%%|DROP
> The ACCEPT target is used in trusted zone to accept every packet not matching any rule.
> The %%REJECT%% target is used in block zone to reject (with default firewalld reject
> type) every packet not matching any rule.
> The DROP target is used in drop zone to drop every packet not matching any rule.
> But firewall-cmd --list-all-zones gives me an option "default" for target for
> some zones. What does target "default" mean?
In most cases "default" can be thought of as equivalent to %%REJECT%%. That
being said, there are a couple of scenarios where it behaves differently.
1) source-based zone fall-through/drift to interface-based zones
- This is known as "zone drifting"
- If a packet ingresses (INPUT) a source-based zone, it may still enter
an interface-based zone (including the default zone)
2) For FORWARD traffic, packets that ingress a zone with a "default"
target will be allowed based on the target of the egress zone.
A forwarded packet that ingresses zoneA and egresses zoneB:
- if zoneA target is "ACCEPT", "DROP", or "%%REJECT%%", the packet is
accepted, dropped, or rejected respectively.
- if zoneA target is "default", then the packet is
accepted/dropped/rejected based on zoneB's target.
Hope the above helps.
Eric.
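As an added example (not from the thread or from firewalld itself), a small Python model of the FORWARD rule described above: it parses a constructed sample of `firewall-cmd --list-all-zones` output, extracts each zone's target, and resolves the verdict for a packet that matched no rule in either zone. The case where both zones have the "default" target is assumed to fall back to reject, following the "equivalent to %%REJECT%%" rule of the first sentence.

```python
"""Model of firewalld zone-target semantics for FORWARD traffic, driven by
parsed `firewall-cmd --list-all-zones` output. Sample text is constructed."""
import re

# Constructed sample in the layout `firewall-cmd --list-all-zones` prints:
# zone name at column 0, attributes indented as "key: value".
SAMPLE_LIST_ALL_ZONES = """\
block
  target: %%REJECT%%
  interfaces:
  sources:

drop
  target: DROP
  interfaces:
  sources:

internal (active)
  target: default
  interfaces: eth1
  sources:

public (active)
  target: default
  interfaces: eth0
  sources: 10.0.0.0/8

trusted
  target: ACCEPT
  interfaces:
  sources:
"""

VERDICT = {"ACCEPT": "accept", "DROP": "drop", "%%REJECT%%": "reject"}

def parse_zone_targets(text):
    """Return {zone_name: target} from --list-all-zones output."""
    targets, zone = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():
            zone = line.split()[0]          # drop the "(active)" marker
        else:
            m = re.match(r"\s+target:\s*(\S+)", line)
            if m and zone:
                targets[zone] = m.group(1)
    return targets

def forward_verdict(ingress_target, egress_target):
    """Verdict for a packet ingressing zoneA and egressing zoneB that matched
    no rule in either zone: zoneA decides unless its target is "default",
    in which case zoneB decides; default/default is assumed to reject."""
    if ingress_target in VERDICT:
        return VERDICT[ingress_target]
    return VERDICT.get(egress_target, "reject")

def forward_matrix(targets):
    """{(zoneA, zoneB): verdict} for every ordered pair of distinct zones."""
    return {(a, b): forward_verdict(targets[a], targets[b])
            for a in targets for b in targets if a != b}
```

On a live host, feed `subprocess.check_output(["firewall-cmd", "--list-all-zones"], text=True)` to `parse_zone_targets` instead of the sample; zones reported with target "default" are the ones whose forward verdict depends on the egress zone.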