Overview
firewalld is the default firewall management tool on RHEL-based distributions (AlmaLinux, Rocky Linux, CentOS Stream) and Fedora. It provides a dynamic, zone-based approach to managing firewall rules without requiring service restarts.
💡 Tip: firewalld comes pre-installed on most RHEL-based systems.
Understanding Zones
firewalld uses zones to define trust levels for network connections. Each zone has predefined rules that determine what traffic is allowed.
public
The default zone for untrusted networks. Only explicitly allowed services pass through.
trusted
All traffic is accepted.
drop
All incoming traffic is dropped silently with no response.
block
Similar to drop, but rejects traffic with an ICMP response.
Checking firewalld Status
Before making changes, verify firewalld is running:
sudo systemctl status firewalld
To start and enable firewalld on boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
✅ Success: Your firewall is now active and will start automatically on boot.
Viewing Current Configuration
Check the active zone and its rules:
sudo firewall-cmd --get-active-zones
sudo firewall-cmd --list-all
To see rules for a specific zone:
sudo firewall-cmd --zone=public --list-all
Opening Ports
To allow traffic on a specific port temporarily (until reload or reboot):
sudo firewall-cmd --add-port=8080/tcp
To make the change permanent:
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Important: After any --permanent changes, always run firewall-cmd --reload to apply them.
Adding Services
firewalld includes predefined services (http, https, ssh, etc.) that simplify rule management:
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
To see all available predefined services:
firewall-cmd --get-services
💡 Tip: Using service names instead of port numbers makes your configuration more readable and easier to maintain.
Removing Rules
Remove a port or service using the corresponding --remove flag:
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --reload
Working with Zones
Assign an interface to a specific zone:
sudo firewall-cmd --permanent --zone=trusted --change-interface=eth1
sudo firewall-cmd --reload
Change the default zone for new interfaces:
sudo firewall-cmd --set-default-zone=public
Allowing Specific IP Addresses
To allow all traffic from a trusted IP address:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" accept'
sudo firewall-cmd --reload
To allow a specific IP to access a particular port:
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="3306" protocol="tcp" accept'
sudo firewall-cmd --reload
✅ Recommended: Restrict database access to specific IP addresses rather than opening ports to everyone.
Port Forwarding
Forward external port 8080 to internal port 80:
sudo firewall-cmd --permanent --add-forward-port=port=8080:proto=tcp:toport=80
sudo firewall-cmd --reload
Runtime vs Permanent Rules
firewalld distinguishes between runtime rules (active immediately but lost on reload) and permanent rules (persist across reloads but require --reload to activate).
A common workflow is to test rules at runtime first, then add them permanently once verified:
# Test the rule
sudo firewall-cmd --add-port=9000/tcp
# If it works as expected, make it permanent
sudo firewall-cmd --runtime-to-permanent
💡 Tip: The --runtime-to-permanent command copies all current runtime rules to the permanent configuration.
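As an added example (not part of the original page or of the firewalld project), the following POSIX shell script ties the workflows above together: it validates an address and port before they are interpolated into the rich rule shown under Allowing Specific IP Addresses, it audits the "ports:" line of --list-all output for ports that are not on an expected list, and it applies the test-at-runtime-then-commit sequence with --query-port as the verification step. The helper names, the FIREWALL_CMD override and the sample --list-all text are this example's own assumptions; the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original page): helpers around firewall-cmd.
# Assumptions: IPv4 addresses, tcp/udp ports, and --list-all output that
# carries a "ports:" line. FIREWALL_CMD may be overridden (e.g. FIREWALL_CMD=echo)
# to dry-run the command sequence without touching the host firewall.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;   # bad characters or an empty octet
        *.*.*.*.*) return 1 ;;               # more than three dots
        *.*.*.*) ;;                          # exactly three dots
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                # split the address into octets
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is a decimal port number in 1-65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; then return 0; else return 1; fi
}

# Print a rich rule letting source $1 reach port $2 over protocol $3,
# refusing malformed input before it lands inside the rule text.
build_rich_rule() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' "$1" "$2" "$3"
}

# Read `firewall-cmd --list-all` output on stdin and print every entry of the
# "ports:" line that is not in the expected list ($1, space separated).
unexpected_ports() {
    expected=" $1 "
    ports=$(sed -n 's/^ *ports: *//p')
    for p in $ports; do
        case "$expected" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Test-then-commit workflow: open the port at runtime, confirm firewalld
# reports it open, and only then copy the runtime set to the permanent config.
open_port_safely() {
    valid_port "$1" || { echo "bad port: $1" >&2; return 1; }
    "$FIREWALL_CMD" --add-port="$1/tcp" || return 1
    "$FIREWALL_CMD" --query-port="$1/tcp" || return 1
    "$FIREWALL_CMD" --runtime-to-permanent
}

# Constructed sample of --list-all output for the public zone (not real data).
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 3306/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

if [ "${1:-}" = "--demo" ]; then
    build_rich_rule 192.168.1.100 3306 tcp
    echo "ports open but not expected:"
    printf '%s\n' "$SAMPLE_LIST_ALL" | unexpected_ports "8080/tcp"
    open_port_safely 9000
fi
```

Run the script with --demo to print the rule and the audit result; set FIREWALL_CMD=echo first to see the add/query/commit command sequence without changing the firewall. In practice, pipe the real output of sudo firewall-cmd --list-all into unexpected_ports with the list of ports your change management actually approved.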
Quick Reference
firewall-cmd --state
firewall-cmd --list-all
firewall-cmd --permanent --add-port=PORT/tcp
firewall-cmd --permanent --add-service=SERVICE
firewall-cmd --reload
firewall-cmd --get-services