
Firewalld Advanced Firewall

Manage firewall zones and rules with firewalld on RHEL/CentOS systems.

2025-10-13
firewalld, firewall, security

Start firewalld

sudo systemctl start firewalld

Enable on boot

sudo systemctl enable firewalld

Check status

sudo firewall-cmd --state

List all zones

sudo firewall-cmd --get-zones

Get default zone

sudo firewall-cmd --get-default-zone

Set default zone

sudo firewall-cmd --set-default-zone=public

List active zones

sudo firewall-cmd --get-active-zones

Get zone for interface

sudo firewall-cmd --get-zone-of-interface=eth0

Add interface to zone

sudo firewall-cmd --zone=public --add-interface=eth0

List all in zone

sudo firewall-cmd --zone=public --list-all

Add service

sudo firewall-cmd --zone=public --add-service=http

Add service permanently

sudo firewall-cmd --zone=public --add-service=http --permanent

Remove service

sudo firewall-cmd --zone=public --remove-service=http --permanent

Add port

sudo firewall-cmd --zone=public --add-port=8080/tcp --permanent

Add port range

sudo firewall-cmd --zone=public --add-port=6000-6100/tcp --permanent

Remove port

sudo firewall-cmd --zone=public --remove-port=8080/tcp --permanent

List services

sudo firewall-cmd --zone=public --list-services

List ports

sudo firewall-cmd --zone=public --list-ports

List available services

sudo firewall-cmd --get-services

Add rich rule

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept' --permanent

Block IP

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" reject' --permanent

Allow IP to specific port

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept' --permanent

List rich rules

sudo firewall-cmd --zone=public --list-rich-rules

Remove rich rule

sudo firewall-cmd --zone=public --remove-rich-rule='rule ...' --permanent

Reload firewall

sudo firewall-cmd --reload

Complete reload (drops connections)

sudo firewall-cmd --complete-reload

Enable masquerading (NAT)

sudo firewall-cmd --zone=public --add-masquerade --permanent

Port forwarding

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent

Forward to different IP

sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.100:toport=80 --permanent

Create new zone

sudo firewall-cmd --permanent --new-zone=myzone

Delete zone

sudo firewall-cmd --permanent --delete-zone=myzone

Add source to zone

sudo firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent

Remove source

sudo firewall-cmd --zone=trusted --remove-source=192.168.1.0/24 --permanent

Panic mode (block all)

sudo firewall-cmd --panic-on

Disable panic mode

sudo firewall-cmd --panic-off

Check panic mode

sudo firewall-cmd --query-panic

Runtime vs permanent

# Runtime (lost on reload)
sudo firewall-cmd --add-service=http

# Permanent (saved to config)
sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --reload
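A runtime-only rule works until the next --reload and then vanishes, which is a common cause of a service that "stopped working". The POSIX shell script below is an added example, not part of this cheat sheet, that compares a zone's runtime view with its permanent view and reports what exists in only one of them; the function names and the sample lists are assumptions made for the example.

```shell
#!/bin/sh
# Added example: report drift between a firewalld zone's runtime and permanent config.

# list_diff "A" "B": print the space-separated items of A that are absent from B.
list_diff() {
  _out=""
  for _item in $1; do
    _found=0
    for _other in $2; do
      if [ "$_item" = "$_other" ]; then _found=1; break; fi
    done
    if [ "$_found" -eq 0 ]; then _out="$_out $_item"; fi
  done
  printf '%s' "${_out# }"
}

# zone_drift RUNTIME PERMANENT: report entries present in only one view.
# Returns 0 when both views match, 1 when they differ.
zone_drift() {
  _rt_only=$(list_diff "$1" "$2")
  _pm_only=$(list_diff "$2" "$1")
  if [ -z "$_rt_only" ] && [ -z "$_pm_only" ]; then return 0; fi
  if [ -n "$_rt_only" ]; then printf 'runtime only (lost on --reload): %s\n' "$_rt_only"; fi
  if [ -n "$_pm_only" ]; then printf 'permanent only (active after --reload): %s\n' "$_pm_only"; fi
  return 1
}

# check_zone ZONE: compare the live runtime and permanent service and port lists.
# Needs a host running firewalld and the rights to query it (root or polkit).
check_zone() {
  _zone=${1:-public}
  _rt=$(firewall-cmd --zone="$_zone" --list-services; firewall-cmd --zone="$_zone" --list-ports)
  _pm=$(firewall-cmd --zone="$_zone" --list-services --permanent; firewall-cmd --zone="$_zone" --list-ports --permanent)
  zone_drift "$_rt" "$_pm"
}

# Constructed sample outputs standing in for the two views of zone "public":
# http and 8080/tcp were added at runtime only; 6000-6100/tcp is permanent but not yet loaded.
SAMPLE_RUNTIME="dhcpv6-client http ssh 8080/tcp"
SAMPLE_PERMANENT="dhcpv6-client ssh 6000-6100/tcp"

if command -v firewall-cmd >/dev/null 2>&1; then
  if check_zone "${1:-public}"; then echo "runtime and permanent views match"; fi
else
  echo "firewall-cmd not found; checking the constructed sample instead"
  zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" || echo "drift found (exit status 1)"
fi
```

Run it as root on a firewalld host with the zone name as the first argument; a non-zero exit from zone_drift means a --reload would change the effective rule set.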

Direct rules (iptables)

sudo firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

Lockdown mode

sudo firewall-cmd --lockdown-on
