firewall-cmd
Manage the system firewall (firewalld)
TLDR
View all available firewall zones and rules in their runtime configuration state
Permanently move an interface into the block zone, which rejects every incoming connection (connections the host itself initiates still work)
Permanently open the port for a service in the specified zone (like port 443 when in the public zone)
Permanently close the port for a service in the specified zone (like port 80 when in the public zone)
Permanently forward a port for incoming packets in the specified zone (like port 443 to 8443 when entering the public zone); forwarding to a different host additionally requires masquerading to be enabled on that zone
Reload firewalld, discarding any runtime-only changes and putting the permanent configuration into effect immediately
Save the runtime configuration state to the permanent configuration
Enable panic mode in an emergency: all incoming and outgoing packets are dropped and every active connection is terminated
SYNOPSIS
firewall-cmd [OPTIONS...]
Common usage patterns include:
firewall-cmd --state
firewall-cmd [--zone=ZONE] [--permanent] --add-service=SERVICE
firewall-cmd [--zone=ZONE] [--permanent] --add-port=PORT/PROTOCOL
firewall-cmd --reload
firewall-cmd [--zone=ZONE] --list-all
PARAMETERS
--state
Displays the current status of the firewalld daemon.
--reload
Reloads the permanent configuration into the runtime set, discarding runtime-only changes. Established connections are kept; --complete-reload also resets those.
--get-zones
Lists every zone known to firewalld, built-in and user-defined.
--get-active-zones
Shows the zones that currently have active interfaces or source addresses assigned.
--list-all-zones
Lists all configurations (services, ports, sources, etc.) for all available zones.
--list-all
Lists all configuration (services, ports, sources, etc.) for the specified zone, or for the default zone when --zone is omitted.
--permanent
Writes the change to the permanent configuration so it survives reboots; it does not take effect until the next --reload. Without this option the change is applied to the runtime configuration immediately but is lost at the next reload or reboot.
--zone=ZONE
Specifies the firewall zone to operate on. If omitted, the default zone is used.
--add-service=SERVICE
Adds a predefined service (e.g., http, ssh) to the zone.
--remove-service=SERVICE
Removes a predefined service from the zone.
--add-port=PORT/PROTOCOL
Adds a port or port range with its protocol (e.g., 80/tcp, 5000-5100/tcp, 53/udp) to the zone.
--remove-port=PORT/PROTOCOL
Removes a specific port and protocol from the zone.
--add-source=IP[/MASK]
Binds a source IP address or subnet to the zone so that traffic from it is handled by that zone's rules; whether it is allowed depends on the zone. A source binding is matched before any interface binding.
--remove-source=IP[/MASK]
Removes a source IP address or subnet from the zone.
--add-interface=INTERFACE
Assigns a network interface (e.g., eth0) to the zone. To move an interface that is already bound to another zone, use --change-interface=INTERFACE.
--remove-interface=INTERFACE
Removes a network interface from the zone.
--query-service=SERVICE
Checks whether a specific service is enabled in the zone: prints yes or no and exits 0 or 1, so it can drive conditionals in scripts.
--query-port=PORT/PROTOCOL
Checks whether a specific port is enabled in the zone; same yes/no output and exit status as --query-service.
DESCRIPTION
firewall-cmd is the command-line client for firewalld, a dynamic firewall management daemon on Linux systems. It provides a structured way to configure rules for IPv4 and IPv6 on top of nftables (iptables on older releases), replacing hand-written iptables scripts with a zone-based model. firewall-cmd allows administrators to manage firewall zones, services, ports, interfaces, rich rules, and direct rules; most operations require root. Changes can be applied to the runtime configuration, which takes effect immediately but is lost on reboot or reload, or to the permanent configuration, which persists across reboots but requires a firewalld reload to become active. It simplifies common tasks like opening ports for services, assigning network interfaces to specific zones, and managing network access based on source IP addresses. firewall-cmd is the standard firewall tool on distributions like RHEL, Fedora, and CentOS.
CAVEATS
Runtime vs. Permanent: Changes made without --permanent are live immediately but last only until the next reboot or reload. Changes made with --permanent survive reboots but are not live until firewall-cmd --reload. To get both, either run the command twice (once with and once without --permanent), or make the runtime change, test it, and then copy the entire runtime state to disk with firewall-cmd --runtime-to-permanent.
Default Zone: Be mindful of which zone you are modifying. If --zone is not specified, actions apply to the default zone (often 'public').
Service vs. Port: Prefer using predefined services (e.g., http, ssh) over raw port numbers when possible, as services provide more context and maintainability.
Direct Rules: The --direct option passes raw iptables/ip6tables/ebtables rules through to the backend. This bypasses the zone model, is hard to audit alongside zone rules, and newer firewalld releases (1.0 onward) mark the direct interface as deprecated in favour of rich rules and policies. For source-specific exceptions prefer --add-rich-rule, which stays inside the zone model.
ZONES CONCEPT
Zones are named rule sets that represent different trust levels for network connections. Common zones include:
- drop: All incoming packets are dropped without a reply; only outgoing connections are possible.
- block: Incoming connections are rejected with an ICMP prohibited message; only connections initiated by the host are possible.
- public: For untrusted public networks; only selected incoming connections are accepted.
- home: For trusted home networks.
- internal: For internal networks with more trust.
- trusted: All incoming connections are accepted.
Interfaces and source IPs are bound to zones. An incoming packet is matched first against source bindings, then against the zone of the interface it arrived on, and otherwise falls into the default zone; that zone's rules are then applied.
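The zone state that matters for an audit is what `firewall-cmd --list-all-zones` prints: which zones are active, what their target is, and which services and ports they expose. The following script is an added example, not part of firewalld; it parses that text format (assumed to match the layout embedded below, which is a constructed sample rather than output captured from a real host) and flags active zones that accept everything or expose something outside an allowlist. The function names (active_zones, zone_field, audit_zones) and the FW_AUDIT_LIVE switch are this example's own.

```sh
#!/bin/sh
# Offline audit of firewalld zone state, driven by the text that
# `firewall-cmd --list-all-zones` prints. Added example, not part of
# firewalld; assumes the output layout shown in SAMPLE_ZONES.
set -eu

# Constructed sample of --list-all-zones output (not captured from a real
# host). All three zones are active; "trusted" is deliberately bound to an
# interface so the ACCEPT-target check below has something to report.
SAMPLE_ZONES='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http
  ports: 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services: dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: eth1
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
'

# Zones with at least one interface or source bound to them, one per line.
# Reads --list-all-zones text on stdin.
active_zones() {
  awk '/^[^ ]/ && /\(active\)/ { print $1 }'
}

# Value of a single-word FIELD (target, interfaces, sources, services,
# ports, ...) of ZONE. Usage: zone_field ZONE FIELD < output
zone_field() {
  awk -v z="$1" -v f="$2" '
    /^[^ ]/ { inzone = ($1 == z) }
    inzone && $1 == (f ":") { sub(/^[ \t]*[^:]+:[ \t]*/, ""); print; exit }'
}

# One finding per line for every active zone that either accepts everything
# (target ACCEPT) or exposes a service/port missing from the space-separated
# allowlists. Always exits 0; callers count the lines.
# Usage: audit_zones "ALLOWED_SERVICES" "ALLOWED_PORTS" < output
audit_zones() {
  allowed_services=" $1 "
  allowed_ports=" $2 "
  text=$(cat)
  for zone in $(printf '%s\n' "$text" | active_zones); do
    if [ "$(printf '%s\n' "$text" | zone_field "$zone" target)" = ACCEPT ]; then
      echo "$zone: target ACCEPT, every inbound packet is accepted"
    fi
    for svc in $(printf '%s\n' "$text" | zone_field "$zone" services); do
      case "$allowed_services" in
        *" $svc "*) ;;
        *) echo "$zone: service $svc is open but not on the allowlist" ;;
      esac
    done
    for port in $(printf '%s\n' "$text" | zone_field "$zone" ports); do
      case "$allowed_ports" in
        *" $port "*) ;;
        *) echo "$zone: port $port is open but not on the allowlist" ;;
      esac
    done
  done
}

# Run against the live host with FW_AUDIT_LIVE=1 (needs root); otherwise
# the constructed sample is audited so the script works anywhere.
if [ "${FW_AUDIT_LIVE:-0}" = 1 ]; then
  firewall-cmd --list-all-zones | audit_zones "dhcpv6-client ssh" ""
else
  printf '%s\n' "$SAMPLE_ZONES" | audit_zones "dhcpv6-client ssh" ""
fi
```

Against the sample with only dhcpv6-client and ssh allowed, the audit reports five findings: http and 8443/tcp in public, mdns and samba-client in internal, and the ACCEPT target of trusted. Note that the audit only reads the runtime state; pass `--permanent --list-all-zones` instead if the question is what will come back after a reload.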
SERVICES
Services are predefined configurations that map common application names (like ssh, http, https, ftp) to their respective port and protocol combinations. Using services simplifies firewall management by allowing rules to be added or removed by service name rather than individual port numbers, making configurations more readable and less error-prone. Service definitions are XML files under /usr/lib/firewalld/services/ (shipped with firewalld) and /etc/firewalld/services/ (local additions and overrides); --get-services lists the available names and --info-service=NAME shows exactly which ports a service opens, which is worth checking before trusting a name.
RUNTIME VS. PERMANENT CONFIGURATION
firewall-cmd operates on two configuration sets:
- Runtime: Changes apply immediately but are lost when firewalld reloads or restarts or the system reboots.
- Permanent: Changes are written to configuration files (e.g., /etc/firewalld/zones/ZONE.xml) and persist across reboots. They do not take effect immediately and require a firewall-cmd --reload to be loaded into the runtime configuration. The reverse direction is firewall-cmd --runtime-to-permanent, which copies the whole current runtime state to disk, including any runtime-only changes made by others.
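The runtime-first workflow described here and in CAVEATS is easy to get wrong in scripts: a change that "succeeded" at runtime may never reach the permanent set, and a malformed port spec is silently rejected. The script below is an added example, not firewalld's own code; it validates the port spec locally, makes the runtime change only when --query-* reports it absent, confirms it with the query exit status, then persists with --runtime-to-permanent and re-checks the permanent set. The helper names (port_spec_ok, service_allowed, ensure_service, ensure_port) and the FW_APPLY switch are this example's own; the firewall-cmd options are real.

```sh
#!/bin/sh
# Verified, idempotent firewalld change: validate input, change the runtime
# set first, confirm with --query-* exit codes, then persist with
# --runtime-to-permanent. Added example; helper names are ours.
set -eu

# Accept only PORT/PROTO or LOW-HIGH/PROTO with ports in 1..65535 and a
# protocol firewalld knows, so a typo such as "443" or "80/http" is rejected
# before it reaches firewall-cmd.
port_spec_ok() {
  spec=$1
  proto=${spec##*/}
  range=${spec%/*}
  [ "$range/$proto" = "$spec" ] || return 1                 # has a "/"
  case "$range" in */*) return 1 ;; esac                      # only one "/"
  case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
  lo=${range%%-*}
  hi=${range##*-}
  [ "$lo-$hi" = "$range" ] || [ "$lo" = "$range" ] || return 1
  for p in "$lo" "$hi"; do
    case "$p" in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# Exit 0 if SERVICE is currently allowed in ZONE, 1 if not. --query-*
# prints yes/no and sets the exit status, so no output parsing is needed.
service_allowed() {
  firewall-cmd --zone="$1" --query-service="$2" >/dev/null 2>&1
}

# Allow SERVICE in ZONE at runtime (no-op if already allowed), prove it took
# effect, copy the runtime state to disk, then prove the permanent copy has
# it too (--permanent queries read the on-disk files, not the live rules).
ensure_service() {
  zone=$1 service=$2
  service_allowed "$zone" "$service" \
    || firewall-cmd --zone="$zone" --add-service="$service"
  service_allowed "$zone" "$service" \
    || { echo "runtime add of $service failed" >&2; return 1; }
  firewall-cmd --runtime-to-permanent >/dev/null
  firewall-cmd --permanent --zone="$zone" --query-service="$service" >/dev/null 2>&1 \
    || { echo "$service missing from permanent config" >&2; return 1; }
}

# Same pattern for a raw PORT/PROTO spec, guarded by port_spec_ok.
ensure_port() {
  zone=$1 spec=$2
  port_spec_ok "$spec" \
    || { echo "refusing malformed port spec: $spec" >&2; return 1; }
  firewall-cmd --zone="$zone" --query-port="$spec" >/dev/null 2>&1 \
    || firewall-cmd --zone="$zone" --add-port="$spec"
  firewall-cmd --zone="$zone" --query-port="$spec" >/dev/null 2>&1 \
    || { echo "runtime add of $spec failed" >&2; return 1; }
  firewall-cmd --runtime-to-permanent >/dev/null
  firewall-cmd --permanent --zone="$zone" --query-port="$spec" >/dev/null 2>&1 \
    || { echo "$spec missing from permanent config" >&2; return 1; }
}

# Usage (as root): FW_APPLY=1 sh ensure.sh public https 8443/tcp
# Without FW_APPLY=1 nothing is changed, so the file can be sourced for its
# functions on a host without firewalld.
if [ "${FW_APPLY:-0}" = 1 ]; then
  ensure_service "$1" "$2"
  ensure_port "$1" "$3"
fi
```

Because --runtime-to-permanent copies the entire runtime state, any other runtime-only experiment left on the host is persisted along with the intended change; run an audit of the runtime zones before calling it, or use the two-command pattern (with and without --permanent) when only one change may be saved.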
HISTORY
firewalld was introduced in Fedora and became the default firewall in RHEL/CentOS 7, as a dynamic alternative to static, script-driven iptables configuration. Its core idea was to describe policy in terms of "zones" and "services", that is trust levels and application requirements, rather than raw port numbers and IP addresses; later releases added an nftables backend, which is the default on RHEL 8 and newer. firewall-cmd was developed as the primary command-line interface for firewalld, enabling runtime and persistent configuration changes without custom scripting.