firewall-cmd

View all available firewall zones and rules in their runtime configuration state

$ firewall-cmd --list-all-zones

$ firewall-cmd --permanent --zone [block] --change-interface [enp1s0]

$ firewall-cmd --permanent --zone [public] --add-service [https]

$ firewall-cmd --permanent --zone [public] --remove-service [http]

$ firewall-cmd --permanent --zone [public] --add-rich-rule 'rule family "[ipv4|ipv6]" forward-port port "[443]" protocol "[udp|tcp]" to-port "[8443]"'

$ firewall-cmd --reload

$ firewall-cmd --runtime-to-permanent

$ firewall-cmd --panic-on

firewall-cmd [OPTIONS...]
Common usage patterns include:
firewall-cmd --state
firewall-cmd [--zone=ZONE] [--permanent] --add-service=SERVICE
firewall-cmd [--zone=ZONE] [--permanent] --add-port=PORT/PROTOCOL
firewall-cmd [--reload]
firewall-cmd [--zone=ZONE] --list-all

--state
    Displays the current status of the firewalld daemon.

--reload
    Reloads the firewall daemon, applying any permanent changes and clearing runtime configurations.

--get-zones
    Lists all available standard zones configured in firewalld.

--get-active-zones
    Shows the zones that currently have active interfaces or source addresses assigned.

--list-all-zones
    Lists all configurations (services, ports, sources, etc.) for all available zones.

--list-all
    Lists all configurations (services, ports, sources, etc.) for the currently active or specified zone.

--permanent
    Makes the changes persistent across reboots. Without this, changes are only applied to the runtime configuration.

--zone=ZONE
    Specifies the firewall zone to operate on. If omitted, the default zone is used.

--add-service=SERVICE
    Adds a predefined service (e.g., http, ssh) to the zone.

--remove-service=SERVICE
    Removes a predefined service from the zone.

--add-port=PORT/PROTOCOL
    Adds a specific port and protocol (e.g., 80/tcp, 443/udp) to the zone.

--remove-port=PORT/PROTOCOL
    Removes a specific port and protocol from the zone.

--add-source=IP[/MASK]
    Adds a source IP address or subnet to the zone, allowing traffic from it.

--remove-source=IP[/MASK]
    Removes a source IP address or subnet from the zone.

--add-interface=INTERFACE
    Assigns a network interface (e.g., eth0) to the zone.

--remove-interface=INTERFACE
    Removes a network interface from the zone.

--query-service=SERVICE
    Checks if a specific service is enabled in the zone.

--query-port=PORT/PROTOCOL
    Checks if a specific port is enabled in the zone.

firewall-cmd is the command-line client for firewalld, a dynamic firewall management daemon on Linux systems. It provides a structured and user-friendly way to configure firewall rules for IPv4 and IPv6, replacing traditional iptables scripting with a more abstract and dynamic approach. firewall-cmd allows administrators to manage firewall zones, services, ports, interfaces, and direct rules. Changes can be applied to the runtime configuration, which takes effect immediately but is lost on reboot, or to the permanent configuration, which persists across reboots but requires a firewalld reload to become active. It simplifies common tasks like opening ports for services, assigning network interfaces to specific zones, and managing network access based on source IP addresses. firewall-cmd is a core tool for network security on distributions like RHEL, Fedora, and CentOS.

Runtime vs. Permanent: Changes made without --permanent are only active until the next reboot or firewalld reload. Always use --permanent for persistent rules, followed by firewall-cmd --reload to apply them immediately.
Default Zone: Be mindful of which zone you are modifying. If --zone is not specified, actions apply to the default zone (often 'public').
Service vs. Port: Prefer using predefined services (e.g., http, ssh) over raw port numbers when possible, as services provide more context and maintainability.
Direct Rules: The --direct option allows adding raw iptables rules. While powerful, this bypasses firewalld's abstraction and should be used with caution, as it can conflict with or be overwritten by firewalld's higher-level rules.

Zones are predefined sets of rules that represent different trust levels for network connections. Common zones include:
- public: For untrusted public networks.
- home: For trusted home networks.
- internal: For internal networks with more trust.
- trusted: For all network connections, allowing all traffic.
Interfaces and source IPs can be assigned to zones, and rules are then applied based on the zone's policy.

Services are predefined configurations that map common application names (like SSH, HTTP, HTTPS, FTP) to their respective port and protocol combinations. Using services simplifies firewall management by allowing rules to be added or removed by service name rather than individual port numbers, making configurations more readable and less error-prone.

firewall-cmd operates on two configuration sets:
- Runtime: Changes apply immediately but are lost when firewalld restarts or the system reboots.
- Permanent: Changes are written to configuration files (e.g., in /etc/firewalld/) and persist across reboots. They do not take effect immediately and require a firewall-cmd --reload to be loaded into the runtime configuration.

firewalld emerged as a significant development in Linux firewall management, primarily introduced and gaining prominence in RHEL/CentOS 7 and Fedora. It aimed to provide a more dynamic and user-friendly alternative to the static and script-heavy iptables configuration. Its core innovation was the introduction of "zones" and "services," allowing administrators to define security policies based on trust levels and common application requirements rather than just raw port numbers and IP addresses. firewall-cmd was developed as the primary command-line interface for firewalld, enabling real-time and persistent configuration changes without complex scripting, greatly simplifying firewall administration for many users and systems.

firewalld(1), iptables(8), ip(8), ss(8)