firewalld — Dynamic Firewall Management on Linux
Practical guide to firewalld — zones, services, ports and rich rules with firewall-cmd, runtime and permanent rules on RHEL, Fedora and CentOS.
firewalld is the dynamic firewall daemon of RHEL, Fedora and CentOS, driven from the command line with firewall-cmd. Under the hood it builds on nftables (formerly iptables) and organises rules into zones – trust levels such as public or trusted that you assign interfaces, services and ports to. The crucial distinction is between runtime and permanent: changes without --permanent apply instantly but are lost on --reload or a reboot. This guide walks you through the commands you reach for daily, from zone status through services and ports to rich rules and NAT.
Status & Zones
firewall-cmd --state — Check if firewalld is running.
  Example: firewall-cmd --state
firewall-cmd --get-active-zones — Show active zones and their interfaces.
  Example: firewall-cmd --get-active-zones
firewall-cmd --get-default-zone — Show the default zone.
  Example: firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=<zone> — Change the default zone (applied at runtime and saved permanently in one step). It affects every interface without an explicit zone, so check the current default before switching.
  Example: firewall-cmd --set-default-zone=public
firewall-cmd --list-all — List all settings for the default zone.
  Example: firewall-cmd --list-all
firewall-cmd --zone=<zone> --list-all — List all settings for a specific zone.
  Example: firewall-cmd --zone=public --list-all
firewall-cmd --get-zones — List all available zones.
  Example: firewall-cmd --get-zones
Services
firewall-cmd --add-service=<service> — Allow a service in the default zone. Runtime only: lost on --reload or reboot. Use the trusted zone and broad --add-service rules sparingly.
  Example: firewall-cmd --add-service=http
firewall-cmd --add-service=<service> --permanent — Allow a service permanently (takes effect after the next --reload).
  Example: firewall-cmd --add-service=https --permanent
firewall-cmd --remove-service=<service> --permanent — Remove a service permanently.
  Example: firewall-cmd --remove-service=ftp --permanent
firewall-cmd --list-services — List currently allowed services.
  Example: firewall-cmd --list-services
firewall-cmd --get-services — List all available predefined services.
  Example: firewall-cmd --get-services
firewall-cmd --info-service=<service> — Show details about a service (ports, protocols).
  Example: firewall-cmd --info-service=ssh
Ports
firewall-cmd --add-port=<port>/<proto> --permanent — Open a port permanently.
  Example: firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --add-port=<start>-<end>/<proto> --permanent — Open a range of ports permanently.
  Example: firewall-cmd --add-port=3000-3100/tcp --permanent
firewall-cmd --remove-port=<port>/<proto> --permanent — Close a port permanently.
  Example: firewall-cmd --remove-port=8080/tcp --permanent
firewall-cmd --list-ports — List all open ports.
  Example: firewall-cmd --list-ports
Rich Rules
firewall-cmd --add-rich-rule='rule family=ipv4 source address=<ip> accept' --permanent — Allow all traffic from a specific IP.
  Example: firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.5 accept' --permanent
firewall-cmd --add-rich-rule='rule family=ipv4 source address=<ip> drop' --permanent — Block all traffic from a specific IP.
  Example: firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.1.100 drop' --permanent
firewall-cmd --add-rich-rule='rule family=ipv4 source address=<ip> port port=<port> protocol=tcp accept' --permanent — Allow a specific IP (or network) to access a port.
  Example: firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 port port=3306 protocol=tcp accept' --permanent
firewall-cmd --list-rich-rules — List all rich rules.
  Example: firewall-cmd --list-rich-rules
firewall-cmd --remove-rich-rule='<rule>' --permanent — Remove a rich rule (the rule text must match the one that was added).
  Example: firewall-cmd --remove-rich-rule='rule family=ipv4 source address=10.0.0.5 accept' --permanent
Masquerade & Forwarding
firewall-cmd --add-masquerade --permanent — Enable masquerading (NAT) for the zone.
  Example: firewall-cmd --add-masquerade --permanent
firewall-cmd --add-forward-port=port=<src>:proto=tcp:toport=<dest> --permanent — Forward a local port to another local port.
  Example: firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
firewall-cmd --add-forward-port=port=<src>:proto=tcp:toaddr=<ip>:toport=<dest> --permanent — Forward a port to a remote host. Forwarding to another host requires masquerading to be enabled on the zone.
  Example: firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.10:toport=8080 --permanent
firewall-cmd --query-masquerade — Check if masquerading is enabled.
  Example: firewall-cmd --query-masquerade
Runtime vs. Permanent
firewall-cmd --reload — Reload the firewall to apply permanent changes. Unsaved runtime changes are dropped in the process – to make a rule stick, combine --permanent with a following --reload.
  Example: firewall-cmd --reload
firewall-cmd --runtime-to-permanent — Save current runtime rules as permanent.
  Example: firewall-cmd --runtime-to-permanent
firewall-cmd --panic-on — Enable panic mode (block all traffic). Cuts existing connections immediately – on a remote server this locks out your own SSH session.
  Example: firewall-cmd --panic-on
firewall-cmd --panic-off — Disable panic mode.
  Example: firewall-cmd --panic-off
firewall-cmd --complete-reload — Complete reload that drops all runtime rules and also resets netfilter state, so established connections are likely to be terminated as well.
  Example: firewall-cmd --complete-reload
Conclusion
firewalld hides the nftables syntax and turns firewall management into a game of zones, services and ports. The most common pitfall remains the difference between runtime and permanent: feel free to test a rule at runtime first, but commit it with --permanent and reload the firewall once it works – otherwise it is gone after the next reboot.
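The runtime-versus-permanent pitfall is easy to audit mechanically: compare what `firewall-cmd --list-all` reports for a zone with what `firewall-cmd --permanent --list-all` reports, and anything present on only one side is either about to vanish at the next reload or not yet active. The following script is an added example, not code from this guide or from the firewalld project. It assumes the `--list-all` output layout shown in the two embedded dumps (two-space field headers, one rich rule or forward-port entry per tab-indented line); those dumps are constructed samples, not captured from a real host. Only the `load_zone` helper talks to a live firewalld and needs `firewall-cmd` and root.

```python
"""Runtime-vs-permanent drift check for a firewalld zone (added example, not
part of the original guide or of firewalld). Parses what `firewall-cmd
--list-all` and `firewall-cmd --permanent --list-all` print and reports
settings that exist only at runtime (lost on --reload or reboot) or only in
the permanent configuration (inactive until --reload)."""
import subprocess
from typing import Any, Dict, Set, Tuple

LIST_FIELDS = ("interfaces", "sources", "services", "ports", "protocols",
               "source-ports", "icmp-blocks")          # space-separated on one line
MULTILINE_FIELDS = ("rich rules", "forward-ports")    # one entry per indented line
SCALAR_FIELDS = ("target", "icmp-block-inversion", "forward", "masquerade")
KNOWN_FIELDS = set(LIST_FIELDS + MULTILINE_FIELDS + SCALAR_FIELDS)
Zone = Dict[str, Any]


def parse_list_all(text: str) -> Zone:
    """Turn `firewall-cmd --list-all` output into a dict of sets and strings."""
    zone: Zone = {"name": None, **{f: set() for f in LIST_FIELDS + MULTILINE_FIELDS}}
    current = None  # multi-line field whose entries are being collected
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # header: "public (active)" or "public"
            zone["name"], current = raw.split()[0], None
            continue
        line = raw.strip()
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key not in KNOWN_FIELDS:
            # Not a field header, so it is an entry of the open multi-line
            # field (a rich rule, or a forward-port spec that itself has ':').
            if current in MULTILINE_FIELDS:
                zone[current].add(line)
            continue
        if key in LIST_FIELDS:
            zone[key], current = set(value.split()), None
        elif key in MULTILINE_FIELDS:
            current = key
        else:
            zone[key], current = value, None
    return zone


def load_zone(zone: str, permanent: bool = False) -> Zone:
    """Read a zone from the running firewalld (needs firewall-cmd and root)."""
    cmd = ["firewall-cmd"] + (["--permanent"] if permanent else []) + \
          ["--zone=" + zone, "--list-all"]
    return parse_list_all(subprocess.run(cmd, check=True, capture_output=True,
                                         text=True).stdout)


def zone_drift(runtime: Zone, permanent: Zone) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Return {field: (runtime_only, permanent_only)} for every field that differs."""
    drift: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for f in LIST_FIELDS + MULTILINE_FIELDS:
        if runtime[f] != permanent[f]:
            drift[f] = (runtime[f] - permanent[f], permanent[f] - runtime[f])
    for f in SCALAR_FIELDS:
        r, p = runtime.get(f, ""), permanent.get(f, "")
        if r != p:
            drift[f] = ({r}, {p})
    return drift


# Constructed sample dumps (not captured from a real host), in the layout
# firewall-cmd prints: two-space field headers, tab-indented rule entries.
RUNTIME_SAMPLE = """\
public (active)
  target: default
  interfaces: eth0
  services: http https ssh
  ports: 8080/tcp 3000-3100/tcp
  masquerade: yes
  forward-ports:
\tport=80:proto=tcp:toport=8080:toaddr=
  rich rules:
\trule family="ipv4" source address="10.0.0.5" accept
\trule family="ipv4" source address="192.168.1.100" drop
"""
PERMANENT_SAMPLE = """\
public
  target: default
  interfaces: eth0
  services: cockpit https ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  rich rules:
\trule family="ipv4" source address="192.168.1.100" drop
"""

if __name__ == "__main__":
    drift = zone_drift(parse_list_all(RUNTIME_SAMPLE), parse_list_all(PERMANENT_SAMPLE))
    for field, (runtime_only, permanent_only) in sorted(drift.items()):
        print(f"{field}: runtime only {sorted(runtime_only)}, "
              f"permanent only {sorted(permanent_only)}")
```

On a real host, replace the two sample dumps with `load_zone("public")` and `load_zone("public", permanent=True)`. Entries on the runtime-only side are the ones that `--runtime-to-permanent` would save and that `--reload` or a reboot would otherwise discard; entries on the permanent-only side are `--permanent` changes still waiting for a `--reload`.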
Further Reading
- firewalld – official documentation – concepts, zones and examples
- firewall-cmd(1) – manual page – every option at a glance
- firewalld – Wikipedia – background and history