firewall-cmd
Manage the system firewall (firewalld)
TLDR
View all available firewall zones and rules in their runtime configuration state:
    firewall-cmd --list-all-zones
Permanently move the interface into the block zone, effectively blocking all communication:
    firewall-cmd --permanent --zone=block --change-interface=<interface>
Permanently open the port for a service in the specified zone (like port 443 when in the public zone):
    firewall-cmd --permanent --zone=public --add-service=https
Permanently close the port for a service in the specified zone (like port 80 when in the public zone):
    firewall-cmd --permanent --zone=public --remove-service=http
Permanently forward a port for incoming packets in the specified zone (like port 443 to 8443 when entering the public zone):
    firewall-cmd --permanent --zone=public --add-forward-port=port=443:proto=tcp:toport=8443
Reload firewalld to discard any runtime changes and make the permanent configuration take effect immediately:
    firewall-cmd --reload
Save the runtime configuration state to the permanent configuration:
    firewall-cmd --runtime-to-permanent
Enable panic mode in case of emergency; all traffic is dropped and every active connection is terminated:
    firewall-cmd --panic-on
SYNOPSIS
firewall-cmd [options] [--zone=<zone>] [<command>]
PARAMETERS
--permanent
Changes persist across restarts/reboots.
--runtime
Apply changes only at runtime (default).
--zone=<zone>
Specify zone (e.g., public, internal).
--add-service=<name>
Add service to zone.
--remove-service=<name>
Remove service from zone.
--add-port=<portid>[/protocol]
Add port (e.g., 80/tcp).
--remove-port=<portid>[/protocol]
Remove port from zone.
--add-source=<IPv4/IPv6>
Add source IP/net to zone.
--remove-source=<IPv4/IPv6>
Remove source IP/net.
--list-all
List all zone rules/interfaces/sources.
--list-services
List services in zone.
--list-ports
List ports in zone.
--get-active-zones
Show active zones and interfaces.
--get-default-zone
Show default zone.
--set-default-zone=<zone>
Set default zone.
--reload
Reload permanent rules to runtime.
--runtime-to-permanent
Make runtime rules permanent.
--state
Check firewalld running status.
--get-zones
List all available zones.
--get-services
List all predefined services.
--add-rich-rule=<rule>
Add complex rich rule.
--panic-on
Enable emergency panic mode.
--panic-off
Disable panic mode.
DESCRIPTION
firewall-cmd is the primary command-line interface for managing firewalld, a dynamic, daemon-based firewall front end for nftables and iptables on Linux systems such as Fedora, RHEL, and CentOS.
It allows administrators to add, remove, and query firewall rules without restarting the service, using zones for context-based policies (e.g., public, internal, dmz). Rules can be applied at runtime (temporary, lost on restart) or permanently (persisted across reboots, and taking effect in the running firewall only after a --reload or a restart).
Key features include service-based rules (e.g., http, ssh), port/protocol specifications, rich rules for complex logic, and IP set integration. It provides queries for the current state, active zones, and services.
Usage emphasizes safety: runtime changes are non-disruptive and can be discarded, and --reload replaces the runtime state with the permanent configuration, so any runtime change not saved with --runtime-to-permanent is lost. This makes it well suited to scripted automation and server hardening.
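The runtime/permanent split described above is what makes a safe change workflow possible: apply a rule at runtime only, verify the host is still usable, and only then commit with --runtime-to-permanent, otherwise --reload throws the runtime change away. The following script is an added example, not part of the tldr or man page; it assumes firewall-cmd is on PATH and runs with sufficient privileges, and the FIREWALL_CMD variable and the fw_change_with_check function are names chosen here.

```shell
#!/bin/sh
# Safe change workflow for firewall-cmd: apply at runtime, verify, then either
# commit with --runtime-to-permanent or roll back with --reload.
# Added example, not from the page. Assumes firewall-cmd is on PATH and has the
# privileges it needs; FIREWALL_CMD lets you point at a wrapper or a stub.
set -u

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_change_with_check ZONE RULE_OPTION CHECK_CMD [ARGS...]
#   ZONE         zone to modify, e.g. public
#   RULE_OPTION  one --add-*/--remove-* option, e.g. --add-service=https
#   CHECK_CMD    command that exits 0 only if the host is still usable with
#                the new rule live (e.g. a probe of the management port)
# Returns 0 when the change was committed, 1 when it was rolled back,
# 2 when the arguments were wrong or firewall-cmd refused the change.
fw_change_with_check() {
  fw_zone=$1
  fw_rule=$2
  shift 2
  [ $# -ge 1 ] || return 2

  # 1. Apply to the runtime configuration only (the default): nothing is
  #    written to disk yet, so a restart of firewalld would undo it anyway.
  "$FIREWALL_CMD" --zone="$fw_zone" "$fw_rule" >/dev/null || return 2

  # 2. Run the caller's check while the new rule is live.
  if "$@"; then
    # 3a. Check passed: promote the whole runtime state to permanent.
    "$FIREWALL_CMD" --runtime-to-permanent >/dev/null
    return 0
  fi

  # 3b. Check failed: --reload discards every runtime change and
  #     reinstates the last permanent configuration.
  "$FIREWALL_CMD" --reload >/dev/null
  return 1
}

# Example use (constructed): open HTTPS in the public zone and keep it only
# if the service now answers; <this-host> is a placeholder.
# fw_change_with_check public --add-service=https \
#     curl -fsS --max-time 5 https://<this-host>/
```

For lockout protection, make the check something that proves the management path still works (for example, a probe of the SSH port from a host you administer from), since --reload is only a rollback if it runs before you lose your session. When the change is a removal (e.g. --remove-service=telnet), the same function applies: the check then asserts that what must stay reachable still is.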
CAVEATS
Runtime changes are lost on service restart or reboot unless --permanent is used or they are saved with --runtime-to-permanent.
Requires firewalld.service to be active; commands fail with an error if it is stopped.
Panic mode drops all traffic, including the session you are working from.
Does not manage rules added directly with nft or iptables.
ZONES CONCEPT
Zones define trust levels (e.g., public: untrusted; home: trusted LAN). Default: public.
Use firewall-cmd --get-active-zones to view which zones currently have interfaces or sources bound to them.
SERVICES
Predefined XML services (e.g., ssh, http) bundle ports/protocols.
List: firewall-cmd --get-services; add: --add-service=http.
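Zones and services come together in the output of --list-all, which is what an audit script reads to see what a zone actually exposes. The script below is an added example, not part of the page; it parses a constructed capture laid out the way firewalld prints --list-all (two-space indent, "field: value" lines), and the function names zone_field and check_zone_exposure, the sample zone contents, and the service names checked are all chosen here.

```shell
#!/bin/sh
# Audit one zone from the text that `firewall-cmd --zone=<zone> --list-all`
# prints. Added example, not from the page; the sample below is a constructed
# capture in the layout firewalld uses.
set -u

# Constructed sample, as if from: firewall-cmd --zone=public --list-all
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh telnet
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field FIELD  < list-all-output
# Prints the value of the "FIELD:" line (empty when the field has no value).
# Anchoring "FIELD:" at the start of the trimmed line keeps "ports" from
# matching "forward-ports" or "source-ports".
zone_field() {
  awk -v f="$1" '
    { line = $0; sub(/^[[:space:]]+/, "", line) }
    index(line, f ":") == 1 {
      v = substr(line, length(f) + 2)
      sub(/^[[:space:]]+/, "", v)
      print v
      exit
    }'
}

# check_zone_exposure SERVICE... < list-all-output
# Prints each named service that the zone exposes, with the firewall-cmd
# invocation that would remove it; returns 1 if any was found, 0 if clean.
check_zone_exposure() {
  input=$(cat)
  # First line is "<zone> (active)" or "<zone>"; take the zone name.
  zone=$(printf '%s\n' "$input" | awk 'NR == 1 { print $1 }')
  zone_services=$(printf '%s\n' "$input" | zone_field services)
  found=0
  for wanted in "$@"; do
    for have in $zone_services; do
      if [ "$have" = "$wanted" ]; then
        printf 'exposed: %s (remove with: firewall-cmd --zone=%s --remove-service=%s)\n' \
          "$wanted" "$zone" "$wanted"
        found=1
      fi
    done
  done
  return "$found"
}

# Run against the constructed sample. On a live host, replace the printf with:
#   firewall-cmd --zone=public --list-all | check_zone_exposure telnet rsh
if printf '%s\n' "$SAMPLE_LIST_ALL" | check_zone_exposure telnet rsh; then
  echo "zone clean"
else
  echo "zone needs attention"
fi
```

The parser reads from stdin so the same functions work on a saved capture (useful when comparing a host against a baseline) and on live output; zone_field can also pull ports, sources, or rich rules for other checks.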
HISTORY
Developed by Thomas Woerner; introduced in Fedora 17 (2012) as a replacement for the iptables service. Evolved to support the nftables backend since Fedora 33 (2020). Widely adopted in RHEL 7+ for zone-based management.