
firewall-cmd: Practical Guide for Firewall Management
A practical, example-first tour of the firewalld command-line client. Learn how to view, modify, and apply firewall rules both in runtime and permanently.
Quick-start: what you can do with firewall-cmd
- View current (runtime) firewall state:
firewall-cmd --list-all-zones
- Permanently move an interface into a zone (block all traffic in that zone):
firewall-cmd --permanent --zone=block --change-interface=enp1s0
- Permanently open a service/port in a zone (e.g., HTTPS in public):
firewall-cmd --permanent --zone=public --add-service=https
- Permanently close a service/port in a zone (e.g., HTTP in public):
firewall-cmd --permanent --zone=public --remove-service=http
- Permanently forward a port in a zone (e.g., forward 443 to 8443 in public):
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" forward-port port="443" protocol="tcp" to-port="8443"'
- Apply permanent changes to the running system (reload):
firewall-cmd --reload
- Persist current runtime changes to permanent configuration:
firewall-cmd --runtime-to-permanent
- Panic mode: drop all traffic immediately (emergency):
firewall-cmd --panic-on
Quick note: the --permanent flag writes to the permanent configuration. Changes made without --permanent affect only the currently running firewall (runtime state). Run firewall-cmd --reload to apply permanent changes to the running state.
Viewing and understanding zones
- Zone concept: a classification for interfaces and their allowed services.
- Common zones: public, trusted, block, dmz.
- Show all runtime zones and their rules:
firewall-cmd --list-all-zones
Common pitfall: confusing runtime vs permanent state. If you only use --permanent, you must run --reload to see the changes in the active session; --runtime-to-permanent goes the other way, copying the current runtime changes into the permanent configuration.
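The runtime/permanent split is easiest to get wrong silently: a service opened at runtime disappears on the next reload, and a permanent change sits inactive until one. The POSIX shell script below is an added example, not part of the original guide; it compares the runtime and permanent service lists of a zone (as reported by firewall-cmd --list-services with and without --permanent) and reports the difference. The function names and the sample lists are my own; when firewall-cmd is present it queries the live zones read-only, otherwise it runs on the constructed sample.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between the
# runtime and permanent service lists of a firewalld zone.

# Print the items of space-separated list $1 that do not appear in list $2.
set_diff() {
    a=$1; b=$2
    for s in $a; do
        case " $b " in
            *" $s "*) ;;            # present in both lists
            *) printf '%s\n' "$s" ;;
        esac
    done
}

# zone_drift ZONE RUNTIME_LIST PERMANENT_LIST
# Prints one line per drifted service; returns 1 if any drift was found.
zone_drift() {
    zone=$1; runtime=$2; permanent=$3
    drift=0
    for s in $(set_diff "$runtime" "$permanent"); do
        printf '%s: %s is open in runtime only (lost on --reload or reboot)\n' "$zone" "$s"
        drift=1
    done
    for s in $(set_diff "$permanent" "$runtime"); do
        printf '%s: %s is permanent but not active (run firewall-cmd --reload)\n' "$zone" "$s"
        drift=1
    done
    return $drift
}

# Query firewalld for one zone (read-only) and compare the two states.
live_zone_drift() {
    zone_drift "$1" \
        "$(firewall-cmd --zone="$1" --list-services)" \
        "$(firewall-cmd --permanent --zone="$1" --list-services)"
}

# Constructed sample output standing in for the two firewall-cmd calls:
# http was added at runtime only, cockpit was added with --permanent only.
SAMPLE_RUNTIME="ssh http https"
SAMPLE_PERMANENT="ssh https cockpit"

if command -v firewall-cmd >/dev/null 2>&1; then
    # --get-active-zones prints each zone name at column 0, details indented.
    for z in $(firewall-cmd --get-active-zones | awk '/^[^ \t]/'); do
        live_zone_drift "$z" || :
    done
else
    if zone_drift public "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; then
        echo "public: runtime and permanent service lists match"
    fi
fi
```

Running it on the sample prints two lines, one for http (runtime only) and one for cockpit (permanent only); a clean zone prints nothing and the function returns 0, so the script can be used as a check in a cron job or a post-change verification step.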
Typical workflows
1) Allow HTTPS in the public zone (permanent)
- Why: web server accessible from the internet.
- Steps:
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --reload
2) Block an interface (permanent)
- Example: isolate an unreliable interface.
firewall-cmd --permanent --zone=block --change-interface=eth1
firewall-cmd --reload
3) Forward a port (permanent)
- Example: forward port 443 to 8443 on the same host.
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" forward-port port="443" protocol="tcp" to-port="8443"'
firewall-cmd --reload
4) Emergency shutdown (panic)
- If you need to drop all traffic immediately:
firewall-cmd --panic-on
Note: Panic mode is a last-resort action and should be followed by controlled restoration of access.
Common pitfalls and how to avoid them
- Pitfall: assuming runtime changes persist automatically. Runtime-only changes are discarded on the next reload; save them with --runtime-to-permanent.
- Fix: after making permanent changes, run firewall-cmd --reload to apply them to the running firewall.
- Pitfall: not running with elevated privileges. Some systems require sudo.
- Fix: prefix commands with sudo if needed, e.g., sudo firewall-cmd --reload.
- Pitfall: misnaming zones or services. A typo can leave ports unexpectedly open or closed.
- Fix: list zones and services first with firewall-cmd --list-all-zones, and double-check names.
- Pitfall: complex rich rules. Errors in the quotes or syntax can break the rule.
- Fix: copy-paste from reliable sources and test with a non-critical service first.
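Most rich-rule failures come from hand-typed quotes and port numbers. The script below is an added example, not code from the guide or from the firewalld project; it builds the forward-port rich rule used in workflow 3) from validated parts, so a bad port or protocol is rejected before the rule reaches firewalld, and wraps the add/reload/query sequence in one function. Function names are my own; firewall-cmd --query-rich-rule is the standard way to confirm the rule is active after the reload.

```shell
#!/bin/sh
# Added example (not from the original page): build and apply a
# forward-port rich rule from validated inputs.

# Return 0 if $1 is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;    # empty or non-numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# forward_port_rule PORT PROTO TO_PORT
# Prints the rich rule forwarding PORT/PROTO to local TO_PORT; fails on bad input.
forward_port_rule() {
    port=$1; proto=$2; to_port=$3
    valid_port "$port"    || { echo "bad port: $port" >&2; return 1; }
    valid_port "$to_port" || { echo "bad to-port: $to_port" >&2; return 1; }
    case $proto in
        tcp|udp) ;;
        *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;;
    esac
    printf 'rule family="ipv4" forward-port port="%s" protocol="%s" to-port="%s"\n' \
        "$port" "$proto" "$to_port"
}

# apply_forward PORT PROTO TO_PORT [ZONE]
# Adds the rule permanently, reloads, and confirms it is active (run as root).
apply_forward() {
    zone=${4:-public}
    rule=$(forward_port_rule "$1" "$2" "$3") || return 1
    firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$zone" --query-rich-rule="$rule"
}

# Stand-alone run only prints the rule; apply it with: apply_forward 443 tcp 8443
forward_port_rule 443 tcp 8443
```

Because the rule string is generated once and reused for --add-rich-rule and --query-rich-rule, the query exercises exactly what was added; a mismatch between the two is the quoting error the pitfall above warns about, surfaced before any real traffic depends on it.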
Quick reference cheatsheet
- List all zones and their runtime state:
firewall-cmd --list-all-zones
- Add a service permanently to a zone:
firewall-cmd --permanent --zone=public --add-service=https
- Remove a service permanently from a zone:
firewall-cmd --permanent --zone=public --remove-service=http
- Apply changes from permanent to runtime:
firewall-cmd --reload
- Save current runtime configuration to permanent configuration (safeguard):
firewall-cmd --runtime-to-permanent
- Enable emergency panic mode:
firewall-cmd --panic-on
When to consult the docs
- If you need advanced traffic shaping or forward rules, refer to the official docs and man pages:
- man firewall-cmd
- https://firewalld.org/documentation/man-pages/firewall-cmd.html
By starting with concrete examples and testing in a safe environment, you can confidently manage your Linux firewall with firewall-cmd while avoiding common misconfigurations.