Learn Firewalld: Manage Linux Firewall with firewall-cmd
Master Linux firewalld with our tutorial series. Learn firewall basics, open ports, list rules, enable logs, and manage firewall with firewall-cmd.

What is firewalld?
Firewalld is an open source firewall management tool that acts as a front end for the Linux kernel's netfilter framework. It is a zone-based firewall system that allows different security configuration levels for different connection zones. While Ubuntu and Debian rely on `ufw` for the firewall function, firewalld is shipped by default in Fedora, CentOS, openSUSE and Red Hat.
Why use firewalld?
- Easier management: No need to remember complex iptables or nftables syntax.
- Dynamic updates: Change rules without downtime.
- Predefined services: Quickly allow/deny SSH, HTTP, HTTPS, etc.
- Widespread adoption: Default firewall in RHEL, CentOS, Fedora, openSUSE, and more.
📖 Get familiar with firewalld terms quickly
Before jumping into commands, let’s look at a few important terms you’ll encounter again and again:
- Zones: A zone represents a trust level for a network connection. For example, `public` (least trusted), `home` (medium), `trusted` (all allowed). Each network interface can be assigned to a zone.
- Services: Firewalld comes with predefined services like `ssh`, `http`, `https`. Enabling a service automatically opens the required port(s).
- Ports: You can directly allow or deny specific ports (like `80/tcp` for HTTP) if you don’t want to rely on service definitions.
- Runtime vs Permanent:
  - Runtime rules: Take effect immediately but are lost after reboot/reload.
  - Permanent rules: Persist across reboots but require a reload to apply.
- Backends: Firewalld uses `nftables` (modern Linux) or `iptables` (older Linux) under the hood, so you don’t have to.
Manage firewalld with firewall-cmd commands
You use firewalld with a dedicated `firewall-cmd` command line tool.
| Command | Description |
|---|---|
| `sudo firewall-cmd --state` | Check if firewalld is running |
| `sudo systemctl restart firewalld` | Restart the firewall service |
| `sudo firewall-cmd --reload` | Reload rules without stopping service |
| `sudo firewall-cmd --get-active-zones` | Show active zones and interfaces |
| `sudo firewall-cmd --get-default-zone` | Show the default zone |
| `sudo firewall-cmd --list-all` | List all rules in the default zone |
| `sudo firewall-cmd --add-service=ssh --permanent` | Allow SSH permanently |
| `sudo firewall-cmd --remove-service=ssh --permanent` | Remove SSH access permanently |
| `sudo firewall-cmd --add-port=8080/tcp --permanent` | Open TCP port 8080 permanently |
| `sudo firewall-cmd --remove-port=8080/tcp --permanent` | Close TCP port 8080 |
| `sudo firewall-cmd --list-services` | List allowed services in current zone |
| `sudo firewall-cmd --set-log-denied=all` | Enable logging of denied packets |
We have a one page guide on firewall-cmd command that shows these examples in a better way.
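Because runtime and permanent rules are stored separately, the rules in force and the rules on disk can differ. As an added example (not from the original tutorial), this script compares the `services` and `ports` lines of `firewall-cmd --list-all` output with and without `--permanent`; the function name `drift` and both sample outputs are constructed for illustration.

```shell
# Added example: report drift between runtime and permanent firewalld rules.
# Both samples are constructed, in the layout `firewall-cmd --list-all` prints.
RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8080/tcp 9090/tcp
  source-ports:
  rich rules: '
PERMANENT_SAMPLE='public
  target: default
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  source-ports:
  rich rules: '

# drift RUNTIME_TEXT PERMANENT_TEXT
# Prints "runtime-only <field> <value>" for entries that vanish on reload or
# reboot, and "permanent-only <field> <value>" for entries not yet in effect.
drift() {
    {
        printf '%s\n' "$1" | sed 's/^/runtime|/'
        printf '%s\n' "$2" | sed 's/^/permanent|/'
    } | awk -F'|' '
        {
            src = $1
            line = substr($0, length(src) + 2)
            sub(/^[ \t]+/, "", line)          # drop the indentation
            for (k = 1; k <= 2; k++) {
                key = (k == 1) ? "services" : "ports"
                # Match only at line start so "source-ports:" is ignored.
                if (index(line, key ":") != 1) continue
                n = split(substr(line, length(key) + 2), v, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (v[i] != "") { seen[key " " v[i], src] = 1; items[key " " v[i]] = 1 }
            }
        }
        END {
            for (it in items) {
                if ((it, "runtime") in seen && !((it, "permanent") in seen)) print "runtime-only " it
                if ((it, "permanent") in seen && !((it, "runtime") in seen)) print "permanent-only " it
            }
        }' | sort
}

# On a live host (needs firewalld):
#   drift "$(sudo firewall-cmd --list-all)" "$(sudo firewall-cmd --list-all --permanent)"
drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
```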

Start using firewalld
This is a collection of quick tutorials that teaches you various ways of using the firewalld firewall system. Look at the left sidebar and quickly access these tutorials.
- Enable, disable & restart firewalld: How to control the firewall service efficiently.
- Checking firewalld status: Learn to verify your firewall’s operational state.
- Opening ports in firewalld: Step-by-step guide to allowing specific applications.
- Listing firewalld rules: Easily view active rules and zone assignments.
- Enabling logging with firewalld: Monitor dropped traffic and troubleshoot effectively.
The collection will be updated continually with more tutorials in the future.
About the author

Creator of Linux Handbook and It's FOSS. An ardent Linux user who has a new-found love for self-hosting, homelabs and local AI.