Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings, Ethernet bridges and IP sets, and it separates run-time from permanent configuration. It also provides an interface through which services or applications can add firewall rules directly.
- 1 Installation
- 2 Usage
- 3 Configuration
- 4 Tips and tricks
- 5 See also
Install the firewalld package.
You can control the firewall rules with the firewall-cmd console utility.
The firewall-offline-cmd utility can be used to configure firewalld while it is not running; its syntax is similar to that of firewall-cmd.
A GUI is available as firewall-config, which comes with the firewalld package.
Run-time configuration is changed with firewall-cmd. To make a change permanent, add the --permanent option; a permanent change does not affect the running configuration until the firewall service is restarted or the rules are reloaded with firewall-cmd --reload.
- Alternatively, change the run-time configuration first and then make it permanent as described in #Converting run-time configuration to permanent
A zone is a collection of rules that can be applied to a specific interface.
To get an overview of the currently active zones and the interfaces they are applied to:
# firewall-cmd --get-active-zones
Some commands (such as adding/removing ports/services) require a zone to be specified.
A zone can be specified by name by passing --zone=zone_name.
If no zone is specified, the default zone is assumed.
You can list all zones together with their complete configuration:
# firewall-cmd --list-all-zones
or just a specific zone:
# firewall-cmd --info-zone=zone_name
Changing the zone of an interface
# firewall-cmd --zone=zone --change-interface=interface_name
where zone is the zone you want to assign the interface to.
Using NetworkManager to manage zones
NetworkManager can assign different connection profiles to different zones. This allows, for example, adding a home WiFi connection to the "home" zone, a work WiFi connection to the "work" zone, and all other WiFi connections to the default "public" zone.
List connection profiles:
$ nmcli connection show
Assign the "myssid" profile to the "home" zone:
$ nmcli connection modify myssid connection.zone home
When a new interface is connected, the default zone is applied to it. You can query the name of the default zone using:
# firewall-cmd --get-default-zone
The default zone can be changed using the following command:
# firewall-cmd --set-default-zone=zone
Services are pre-made rules corresponding to a specific daemon. For example, the ssh service corresponds to SSH and opens port 22 when assigned to a zone.
To get a list of available services, enter the following command:
# firewall-cmd --get-services
You can query information about a particular service:
# firewall-cmd --info-service service_name
Adding or removing services from a zone
To add a service to a zone:
# firewall-cmd --zone=zone_name --add-service service_name
To remove it again:
# firewall-cmd --zone=zone_name --remove-service service_name
Ports can also be opened directly on a specific zone:
# firewall-cmd --zone=zone_name --add-port port_num/protocol
where protocol is either tcp or udp.
To close the port, use the --remove-port option with the same port number and protocol.
The following command has the same effect as iptables -t nat -A POSTROUTING -j MASQUERADE:
# firewall-cmd --zone=public --add-masquerade
Tips and tricks
Port or service timeout
A service or port can be added for a limited amount of time by passing the --timeout=value option to the add command. value is a number of seconds, or minutes if suffixed with m, or hours if suffixed with h.
For example, adding the SSH service for 3 hours:
# firewall-cmd --add-service ssh --timeout=3h
Converting run-time configuration to permanent
You can make the current temporary configuration permanent (meaning it persists through restarts) with:
# firewall-cmd --runtime-to-permanent
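As an added example (not part of the wiki page), the POSIX sh function below combines the zone, interface, service and persistence commands above into one reviewable step: it moves an interface into a zone, removes every service currently allowed in that zone that is not on the given allow-list, adds the listed services, and only then runs --runtime-to-permanent, so leftover run-time rules are not silently persisted. The FW variable is an assumption of this example so the command can be swapped for a logging or test wrapper.

```shell
#!/bin/sh
# Added example: apply a minimal allow-list policy to one interface with
# firewall-cmd, then persist it. FW is assumed (defaults to firewall-cmd).
FW="${FW:-firewall-cmd}"

# apply_zone_policy ZONE IFACE SERVICE...
# Puts IFACE into ZONE, allows only the listed services there, persists.
apply_zone_policy() {
    zone=$1
    iface=$2
    shift 2

    # 1. Bind the interface to the zone (run-time change).
    "$FW" --zone="$zone" --change-interface="$iface" || return 1

    # 2. Audit what the zone already allows and drop anything not listed.
    #    This is the step --runtime-to-permanent alone would not give you.
    for svc in $("$FW" --zone="$zone" --list-services); do
        case " $* " in
            *" $svc "*) ;;   # wanted, keep it
            *) "$FW" --zone="$zone" --remove-service="$svc" || return 1 ;;
        esac
    done

    # 3. Add the services on the allow-list.
    for svc in "$@"; do
        "$FW" --zone="$zone" --add-service="$svc" || return 1
    done

    # 4. Make the now-verified run-time configuration permanent.
    "$FW" --runtime-to-permanent
}
```

Run as root, for example `apply_zone_policy public eth0 ssh`; setting FW to a wrapper that only logs its arguments gives a dry run of the same sequence.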
Check services details
The configuration files for the default supported services are located at
/usr/lib/firewalld/services/ and user-created service files would be in