firewalld
Manage Linux firewall rules
SYNOPSIS
firewalld [options]
PARAMETERS
--version
Print version information and exit
-h, --help
Print help and exit
--debug[=LEVEL]
Enable debug messages; LEVEL 1-10 (default 1)
--nofork
Run in foreground; do not fork daemon
--nopid
Do not create PID file
--noreload
Skip firewall reload after config read
--read-xml-dir=PATH
Additional dir for XML config files
--user-config-dir=PATH
User config directory override
--sysconfdir=PATH
System config directory (/etc/firewalld)
DESCRIPTION
firewalld is a complete firewall solution that can be managed dynamically via its D-Bus interface or the firewall-cmd frontend. It introduces the concept of zones to define the trust level of network connections or interfaces, allowing different rules for different networks like public, internal, or trusted.
Unlike traditional iptables scripts, firewalld keeps two states: a runtime configuration and a permanent one. Changes made via firewall-cmd take effect immediately in the runtime state but are lost on reload or restart unless they are also written to the permanent configuration. It supports services (predefined rule sets for common protocols such as HTTP and SSH) and direct rules for custom iptables/nftables chains.
The daemon uses nftables (the default in current versions) or iptables as its backend. It runs as a systemd service and reads XML configuration files from /usr/lib/firewalld and /etc/firewalld. firewalld also manages ipsets, rich rules, and masquerading.
Primarily used in Fedora, RHEL/CentOS 7+, and derivatives, it simplifies firewall management for servers and desktops without requiring service restarts.
CAVEATS
Starting the daemon by hand bypasses systemd supervision; on production hosts manage it with systemctl. Rules added directly with iptables or nft are not tracked by firewalld and can conflict with the rules it manages. Not intended for minimal systems.
ZONES
Predefined: public (default), internal, home, work, trusted, drop, block. Assign interfaces/sources to zones for rule separation.
List them with firewall-cmd --get-zones; firewall-cmd --list-all-zones shows each zone's settings.
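The runtime/permanent split described in DESCRIPTION and the zone assignment described above, as an added example (not part of this page or the firewalld project): a small POSIX shell wrapper around firewall-cmd that moves an interface into a zone, allows a service there, reviews the result, and only then persists the runtime state. The interface, zone and service names are assumptions for a hypothetical host; the fw() helper prints the commands instead of running them when firewall-cmd is absent or DRY_RUN=1 is set, so the sequence can be reviewed anywhere.

```shell
#!/bin/sh
# Added example, not from the firewalld project: zone assignment plus a
# runtime-then-permanent workflow built on firewall-cmd.
# Interface, zone and service names are assumptions (hypothetical host).
# fw() runs firewall-cmd when it is installed and DRY_RUN is not set to 1;
# otherwise it prints the command it would have run.

fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Move an interface into a zone, allow one service there, show the zone's
# resulting runtime settings, then copy the runtime state into the permanent
# configuration. Until the last call every change is runtime-only and would
# disappear on 'firewall-cmd --reload' or a daemon restart.
expose_service_in_zone() {
    iface=$1
    zone=$2
    service=$3
    fw --zone="$zone" --change-interface="$iface"
    fw --zone="$zone" --add-service="$service"
    fw --zone="$zone" --list-all
    fw --runtime-to-permanent
}

# Roll back runtime-only changes without touching the permanent state:
# a reload discards everything that was never persisted.
discard_runtime_changes() {
    fw --reload
}

# Review what the host currently exposes: which zones have interfaces or
# sources bound to them, and the full rule set of every zone.
audit_exposure() {
    fw --get-active-zones
    fw --list-all-zones
}

# Demo run, dry by default so it is safe to execute on any machine.
if [ "$1" = "demo" ]; then
    DRY_RUN=1
    expose_service_in_zone eth0 internal ssh
    audit_exposure
fi
```

Running the script with the argument demo prints the command sequence. Note that --runtime-to-permanent persists the entire current runtime state, including changes made by other clients over D-Bus, whereas the --permanent flag edits only the stored configuration and needs a subsequent --reload before it takes effect.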
SERVICES
XML-defined groups like ssh, http. Add via firewall-cmd --add-service=ssh.
Distribution-supplied service definitions live in /usr/lib/firewalld/services/; put custom services (and local overrides of the shipped ones) in /etc/firewalld/services/.
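Custom service definitions, as an added example (not from this page or the firewalld project): a POSIX shell script that writes a service file in firewalld's service XML format, validates every port spec before touching the filesystem, and shows the activation sequence. The service name, description and ports are constructed values; the output directory is a parameter so the file can be inspected in a temporary directory before it is placed in /etc/firewalld/services/, the directory firewalld scans for local definitions. The fw() helper prints the firewall-cmd calls instead of running them when firewall-cmd is absent or DRY_RUN=1.

```shell
#!/bin/sh
# Added example, not from the firewalld project: generate and sanity-check a
# custom firewalld service definition, then activate it in a zone.
# NAME, DESCRIPTION and the port list are assumptions; OUTDIR is required so
# the file can be reviewed in a scratch directory before going live.

# Accept PORT/PROTO where PORT is a number or a NUM-NUM range and PROTO is
# one of the protocols firewalld allows in a <port> element.
valid_port_spec() {
    port=${1%/*}
    proto=${1#*/}
    case $1 in */*) ;; *) return 1 ;; esac
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case $port in ''|-*|*-|*--*|*[!0-9-]*) return 1 ;; esac
    return 0
}

# write_service NAME DESCRIPTION OUTDIR PORT/PROTO [PORT/PROTO ...]
# Refuses to write anything if the name or a port spec is malformed;
# prints the path of the file it wrote. DESCRIPTION is emitted verbatim,
# so keep it free of XML special characters.
write_service() {
    name=$1
    desc=$2
    outdir=$3
    shift 3
    case $name in ''|*[!A-Za-z0-9_.-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    mkdir -p "$outdir"
    file="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    printf '%s\n' "$file"
}

# Count the <port> elements in a written definition (quick post-write check).
port_count() {
    grep -c '<port ' "$1"
}

# Runs firewall-cmd when installed and DRY_RUN is not 1; otherwise prints
# the command so the sequence can be reviewed on any host.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ] || ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Make firewalld pick up the new file, confirm it parsed, then allow the
# service in one zone permanently and reload so the change takes effect.
activate_service() {
    name=$1
    zone=$2
    fw --reload
    fw --info-service="$name"
    fw --permanent --zone="$zone" --add-service="$name"
    fw --reload
}
```

A definition dropped into /etc/firewalld/services/ is not visible to the running daemon until the first --reload in activate_service; the --permanent --add-service call then records the allowance, and the second --reload applies it.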
HISTORY
Developed by Thomas Woerner; introduced in Fedora 15 (2011). Replaced direct iptables in Fedora 17, RHEL 7 (2014). Switched to nftables backend in Fedora 32 (2020). Widely adopted in enterprise Linux.
SEE ALSO
firewall-cmd(1), iptables(8), nft(8), systemctl(1)