
From firewalld man page:

--permanent [--zone=zone] --set-target=target Set the target of a permanent zone. target is one of: default, ACCEPT, DROP, REJECT

The default target is REJECT. Is it possible to change the default target to DROP? If not, why does a default option exist if it is always REJECT?

I am using CentOS 7.4

I understand that I can configure firewalld any way I'd like without being able to change the default target, but I'd like to know how to change it if possible.

oO.o

  • The accepted answer does address my questions as I had intended it, which was essentially "Is it possible to redefine the default target to DROP." – oO.o Feb 18 '21 at 16:12
  • I’m voting to close this question because it belongs to [Unix & Linux](https://unix.stackexchange.com/). – stackprotector Feb 24 '22 at 13:22

2 Answers


On firewalld(1) and its targets as of 2020:

  • possible POLICY TARGETS (for traffic from one specific zone to another)
    • CONTINUE
    • ACCEPT
    • DROP
    • REJECT
    • policies are only in firewalld>=0.9.0
  • possible ZONE TARGETS (for traffic entering/leaving zones, where the predefined target named "DEFAULT" can actually be used)
    • DEFAULT
    • ACCEPT
    • DROP
    • REJECT
  • TARGET: "DEFAULT"
    • REJECT
    • allow ICMP
    • if ingress zone is default, forwardings will follow egress zone target
    • zone drifting may be applied depending on global setting

The target in a zone is the destination target packets will be sent to if no other zone rules match, and can be

  • ACCEPT
  • DROP
  • REJECT
  • or be... DEFAULT

"DEFAULT" is basically a simple REJECT plus other sane things for a more sensible default setting, its name choice is somewhat unlucky.

The accepted answer is somewhat misleading as it talks about redefining the target "DEFAULT".

However, the question should rather aim at whether setting a different default target in a zone is possible, which it perfectly is:

firewall-cmd --permanent --zone=YOUR_ZONE_HERE --set-target=ACCEPT
firewall-cmd --reload
# Some different one-liners to verify your config
# 1. list the default zone plus every active zone, hiding empty fields
(firewall-cmd --list-all; for i in $(firewall-cmd --get-active-zones | grep -v '^\s'); do firewall-cmd --list-all --zone="$i"; done) | grep -v ':\s*$'
# 2. show the full firewalling state (only works when firewalld is running)
fwstatus() {
    _fwstate=$(firewall-cmd --state 2>&1); printf 'FIREWALLD=%s\n' "$_fwstate"
    [[ "$_fwstate" == "not running" ]] && return
    _panicstate=$(firewall-cmd --query-panic)   # query commands print "yes" or "no"
    if [[ "$_panicstate" == "yes" ]]; then printf '\e[41;1m'; else printf '\e[32;1m'; fi   # red if panic mode is on
    printf 'PANIC MODE=%s\e[m\n' "$_panicstate"; printf 'LOCKDOWN=%s\n\n' "$(firewall-cmd --query-lockdown)"
    _defaultzone=$(firewall-cmd --get-default-zone)
    # show only the default zone (marked) and active zones; drop empty fields and blank lines
    firewall-cmd --list-all-zones | sed 's/^'"$_defaultzone"'/& (default)/' | sed -n '/^'"$_defaultzone"'\|active/,/^$/p' \
        | grep -v -e ':\s*$' -e icmp-block-inversion | awk 'NF>0' | grep --color -e '$' -e '^\w.\+'
}
fwstatus
# 3. show a single zone
firewall-cmd --zone=YOUR_ZONE_HERE --list-all

sjas
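As an added example (not code from the answer or from the firewalld project), a small shell audit that reads the text `firewall-cmd --list-all-zones` prints and reports each zone's target, treating the "default" target as REJECT plus ICMP the way the answer describes it. The sample output is constructed, and the `%%REJECT%%` spelling is an assumption about how older firewalld prints an explicit REJECT target.

```shell
#!/bin/sh
# Added example, not code from the answer or from firewalld: audit zone targets
# from the text that `firewall-cmd --list-all-zones` prints. Each zone starts
# with a header ("name" or "name (active)") followed by two-space-indented
# "key: value" lines. Assumption: older firewalld prints an explicit REJECT
# target as "%%REJECT%%".

# Constructed sample of --list-all-zones output, not a capture from a real host.
SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: ssh dhcpv6-client

trusted
  target: ACCEPT
  interfaces:

dmz (active)
  target: %%REJECT%%
  interfaces: eth1
'

# zone_targets: stdin = --list-all-zones text; stdout = "zone state target effect".
# "default" is not a separate rule set: as the answer explains, it behaves like
# REJECT with ICMP still allowed, so it is reported as REJECT+ICMP.
zone_targets() {
    awk '
        /^[^ ]/ {                   # zone header line
            zone = $1
            state = ($0 ~ /\(active\)/) ? "active" : "inactive"
        }
        /^  target: / {
            t = $2
            gsub(/%/, "", t)        # %%REJECT%% -> REJECT
            effect = (t == "default") ? "REJECT+ICMP" : t
            print zone, state, t, effect
        }'
}

# list_permissive: zones that ACCEPT packets matching no rule; worth a second look.
list_permissive() {
    zone_targets | awk '$4 == "ACCEPT" { print $1 }'
}

printf '%s' "$SAMPLE_ZONES" | zone_targets
```

On a live host, replace the sample with `firewall-cmd --list-all-zones | zone_targets`.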

It is not possible to change the default target - it's hardcoded. It's possible "default" was included so we could potentially introduce a "--set-default-target" option in the future, but I'm just speculating.

https://github.com/firewalld/firewalld/issues/252

oO.o