CompTIA Linux+ XK0-006 (V8) Practice Question

The correct command is firewall-cmd --zone=external --add-masquerade --permanent. Masquerading is a form of SNAT that is used when the external IP address is dynamic. It automatically uses the IP address of the outgoing interface as the source for packets leaving the network. This command permanently adds a masquerade rule to the external zone, which is the correct zone for the public-facing interface. The command --zone=internal --add-masquerade --permanent is incorrect because masquerading should be applied to the external, not internal, zone. The command --zone=external --add-forward-port=port=80:proto=tcp:toaddr=10.0.0.50 is a Destination NAT (DNAT) or port forwarding rule, used to direct incoming traffic to an internal host, not for enabling outbound access for the whole network. The command --zone=internal --add-service=http --permanent simply opens a port on the internal zone's firewall for the HTTP service; it does not perform any address translation.