How to Configure Firewalld in Linux
The firewalld service protects the system from unauthorized access. It utilizes various configuration files, known as zone files, to define access rules for services and ports. Access rules are also called firewall rules. Firewall rules, based on their configuration, allow or deny access requests. This tutorial explains how to configure and manage the firewalld service, add interfaces to zones, as well as create, verify, and remove zone files, services, and ports to meet various security requirements.
Managing the firewalld service
The firewalld service is one of the system services managed by the systemctl command, which provides options to check, start, stop, enable, and disable them. The following command shows the current status of the firewalld service.
#systemctl status firewalld
The following command stops the firewall service in the running session.
#systemctl stop firewalld
The following command starts the firewall service in the running session.
#systemctl start firewalld

The boot process checks the boot time status of all services and, based on it, enables or disables them. The following command changes the boot time status to disable.
#systemctl disable firewalld
The following command changes the boot time status to enable.
#systemctl enable firewalld

The exercises, configurations, and firewall management steps explained in this tutorial depend on the firewalld service. It must be running and enabled at boot.
Managing Firewalld configuration
The following are three ways to manage the firewalld service:
- Directly editing the configuration files
- Using the graphical tool firewall-config
- Using the command-line tool firewall-cmd
Like other services, the firewalld service saves its configuration in configuration files. You can edit or update these files directly with any text editor. However, to do this, you must know the path of every configuration file and the settings each one contains. This makes managing the service complex. To make management easier, the firewalld service provides a graphical tool and a command-line utility.
The second option requires the graphical environment (X-Window). It is easy to use, and if available, you should always use it. The only problem with this option is that it depends on the graphical environment, which is very rare on Linux servers in a production environment. Due to security reasons, administrators rarely enable the graphical environment on server systems.
The third option is versatile. It is available on all platforms and can perform all tasks. It allows you to manage all features and functions of the firewalld service. This tutorial primarily focuses on this option.
Running configuration vs. startup configuration
The firewalld service uses two types of configuration: the running configuration and the startup configuration. It saves the startup configuration in configuration files and keeps the running configuration in RAM. When the firewalld service starts, it reads the startup configuration from the configuration files and loads it into memory, where it is known as the running configuration. Unless you change the running configuration, it is identical to the startup configuration. Any changes made to the running configuration are lost when you restart the system or reload the service. Similarly, any changes made to the startup configuration take effect only when you reload the service or restart the system.
Let us take an example.
The firewalld service starts and reads the startup configuration. The startup configuration contains a rule that blocks the SSH service for the network 192.168.1.0/24. The firewalld service loads this configuration into RAM as the running configuration. At this point, no host from network 192.168.1.0/24 can access the SSH service. Suppose you want to allow one host from this network temporarily. For this, you can either modify the firewall rule that blocks this network or add an allow rule for the specific host in the running configuration. This change lets the host access the SSH service until the firewalld service or the system restarts. If you want to make this change permanent, add it to the startup configuration. A change in the startup configuration does not apply to the running configuration; you must reload the firewall rules or restart the firewalld service to implement it.
The following command reloads the firewall rules without interrupting existing persistent connections.
#firewall-cmd --reload
The following command restarts the firewalld service.
#systemctl restart firewalld

Managing zones
Zones are the primary element of the firewalld service. The firewall-cmd command supports various options for zone management. The following table lists the essential options.
| Option | Description |
| --- | --- |
| --get-zones | Display all available zones |
| --get-default-zone | Display the current default zone |
| --get-active-zones | Display all active zones |
| --list-all | Display all configuration from the default zone |
| --list-all-zones | Display configuration from all zones |
| --set-default-zone | Set the specified zone as the default zone |
| --new-zone | Add a new zone |
| --delete-zone | Delete a zone |
| --permanent | Save changes in the startup configuration |
Listing zones
The following command lists all available zones.
#firewall-cmd --get-zones
Use the following command to view the default zone.
#firewall-cmd --get-default-zone

Listing zone configurations
The following command shows the configuration from the default zone.
#firewall-cmd --list-all

To view the configuration from all zones, use the following command.
#firewall-cmd --list-all-zones

Creating and verifying a new zone
The --new-zone option creates the specified zone. It takes the new zone name as its argument. List the existing zones, then try to add a new zone called test.
#firewall-cmd --get-zones
#firewall-cmd --new-zone test
A zone saves configuration and firewall rules. The firewalld service always places new zones in the startup configuration, so the command above must include the --permanent option. Without it, the command returns an error indicating that the action requires the --permanent option. Use the --permanent option to add the zone.
#firewall-cmd --new-zone test --permanent
Any change made in the startup configuration does not apply to the running configuration. To verify this, you can recheck the available zones.
#firewall-cmd --get-zones
Reload the firewall configuration and list all zones again.
#firewall-cmd --reload
#firewall-cmd --get-zones
Changing the default zone
The --set-default-zone option changes the default zone to the specified zone. For example, the following command sets the default zone to test.
#firewall-cmd --set-default-zone test
To verify the change, recheck the default zone.
#firewall-cmd --get-default-zone

Adding an interface to a zone
The firewalld service can filter traffic based on interfaces. For example, suppose a system has two interfaces: the first connects it to a private network and the second to a public network. You can allow traffic on the first interface while filtering it on the second. For this, you need to attach the interfaces to zones. If the system has only one interface, firewalld automatically attaches it to the default zone. The 'ip addr show' command lists all attached interfaces.
#ip addr show

You can verify which interface is attached to the default zone by listing the configuration of the default zone.
#firewall-cmd --list-all

Firewalld associates the default interface with the default zone at startup. If the system has a single interface, that interface is always the default interface. If it has multiple interfaces, firewalld may choose a different one. Similarly, if you change the default zone, firewalld automatically attaches the default interface to the new default zone. To verify this, use the following steps.
- List the configuration of the default zone.
- Note down the attached interface.
- Change the default zone and list its configuration.
- List the previous default zone configuration.
- Verify that it removes the interface from the previous zone and attaches it to the new default zone.
- Change the default zone back to the original zone.
#firewall-cmd --get-default-zone
#firewall-cmd --list-all
#firewall-cmd --set-default-zone public
#firewall-cmd --list-all
#firewall-cmd --list-all-zones
#firewall-cmd --set-default-zone test
#firewall-cmd --get-default-zone

To attach an interface to a specific zone, use the following command.
#firewall-cmd --add-interface [InterfaceName] --zone [ZoneName] --permanent
The following command adds the ens160 interface to the test zone.
#firewall-cmd --add-interface ens160 --zone test --permanent

If there is only one interface, firewalld always attaches it to the default zone.
Adding and managing source addresses
Just like an interface, you can also associate a network address with a zone. The following command adds network 192.168.1.0/24 to the test zone in the running configuration.
#firewall-cmd --add-source 192.168.1.0/24 --zone test
To add it permanently, use the --permanent option.
#firewall-cmd --add-source 192.168.1.0/24 --zone test --permanent
If you use the --permanent option, the change requires a service reload to take effect.

Managing services
Services are the second key element of firewalld. The following table lists the essential options for managing services.
| Option | Description |
| --- | --- |
| --get-services | Display all available services |
| --list-services | Display all services from the default zone |
| --list-services --zone [ZoneName] | Display all services from the specified zone |
| --new-service [NewServiceName] --permanent | Create a new service with the specified name |
| --delete-service [ServiceName] --permanent | Delete the specified service |
| --add-service [ServiceName] | Add the specified service to the default zone. To add the service to a particular zone, specify the zone name with the --zone option. To add it permanently, use the --permanent option. |
| --query-service [ServiceName] | Show whether the specified service is enabled in the given zone. If you do not specify a zone name, the query uses the default zone. |
| --remove-service [ServiceName] | Remove the specified service from the default zone. To remove a service from a particular zone, specify the zone name with the --zone option. To remove it permanently, use the --permanent option. |
Listing services
The --get-services option lists all services.
#firewall-cmd --get-services

To list the services of the default zone, use the --list-services option.
#firewall-cmd --list-services

To list the services of a particular zone, specify its name with the --zone option. For example, the following command lists the services of the public zone.
#firewall-cmd --list-services --zone public

The --new-service option creates a new service. It accepts the service name as its argument. For example, the following command creates a service called testservice.
#firewall-cmd --new-service testservice --permanent
The new service becomes available after the configuration is reloaded.
#firewall-cmd --reload
To verify the new service, list all services again.
#firewall-cmd --get-services

The --add-service option adds a service to a zone. You can add it temporarily or permanently. Without the --permanent option, it adds the service temporarily. For example, the following commands add the testservice to the default zone and list the zone configuration.
#firewall-cmd --add-service testservice
#firewall-cmd --list-all
If you add it temporarily, it is removed at the next configuration reload.
#firewall-cmd --reload
#firewall-cmd --list-all

To add it permanently, use the --permanent option. The service becomes active only after the configuration is reloaded. The --remove-service option removes the specified service. Run the following commands to permanently add the testservice to the default zone, verify it, and remove it again.
#firewall-cmd --add-service testservice --permanent
#firewall-cmd --reload
#firewall-cmd --list-services
#firewall-cmd --remove-service testservice --permanent
#firewall-cmd --reload
#firewall-cmd --list-services

To add or remove a service in a non-default zone, specify the zone name with the --zone option. For example, use the following command to remove the testservice from the public zone.
#firewall-cmd --remove-service testservice --zone public --permanent
Managing ports
Similar to services, you can also manage ports with the firewall-cmd command. The following table lists the options for port management.
| Option | Description |
| --- | --- |
| --list-ports | Display all ports from the default zone. To view ports from another zone, specify its name with the --zone option. |
| --add-port [PortNumber/ProtocolType] | Add the specified port to the default zone. To add a port to another zone, specify its name with the --zone option. To add a port permanently, use the --permanent option. |
| --query-port [PortNumber/ProtocolType] | Query whether the specified port is open in the default zone. To query another zone, specify its name with the --zone option. |
| --remove-port [PortNumber/ProtocolType] | Remove the specified port from the default zone. To remove a port from another zone, specify its name with the --zone option. To remove the port permanently, use the --permanent option. |
The following command lists ports in the default zone.
#firewall-cmd --list-ports
To display the ports of a specific zone, specify its name with the --zone option. For example, use the following command to list the ports of the public zone.
#firewall-cmd --list-ports --zone public

Use the following command to open port 23 for the TCP protocol in the default zone.
#firewall-cmd --add-port 23/tcp
To verify it, query the port.
#firewall-cmd --query-port 23/tcp

The output of the above command is yes or no. If it shows yes, the port is open in the zone. If it shows no, the port is not open in the zone.
To add a port permanently, use the --permanent option.
#firewall-cmd --add-port 23/tcp --permanent
If you use the --permanent option, the port becomes active after the configuration is reloaded.

Use the --remove-port option to remove a port. For example, the following command removes the port added previously.
#firewall-cmd --remove-port 23/tcp --permanent
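The running-versus-startup distinction above means that a source, service, or port added without --permanent silently disappears at the next reload. The following added example (not from this tutorial or from firewalld itself) is a hypothetical POSIX shell helper that compares the output of firewall-cmd --list-all for a zone with its --permanent counterpart and reports every field that would be lost on reload; the zone output shown is constructed sample data, and the field names match the "key: value" format firewall-cmd prints.

```shell
# Hypothetical helper (added example): report fields of a zone whose running
# configuration differs from the startup (permanent) configuration, i.e.
# changes that `firewall-cmd --reload` would discard.
# Input is the "key: value" text printed by `firewall-cmd --list-all`.

# Print the value of one field (e.g. "ports") from --list-all text on stdin.
zone_field() {
    awk -v key="$1" -F': *' '$1 ~ "^[ \t]*" key "$" { print $2 }'
}

# Compare two --list-all outputs: $1 = running, $2 = startup.
# Prints one line per differing field; returns 1 if any drift exists, else 0.
zone_drift() {
    drift=0
    for f in interfaces sources services ports; do
        run=$(printf '%s\n' "$1" | zone_field "$f")
        perm=$(printf '%s\n' "$2" | zone_field "$f")
        if [ "$run" != "$perm" ]; then
            printf '%s: running=[%s] startup=[%s]\n' "$f" "$run" "$perm"
            drift=1
        fi
    done
    return "$drift"
}

# Constructed sample output for the test zone: a source network and port
# 23/tcp were added to the running configuration only (no --permanent).
RUNNING_SAMPLE='test (active)
  target: default
  interfaces: ens160
  sources: 192.168.1.0/24
  services: ssh testservice
  ports: 23/tcp
  protocols:
  rich rules:'

STARTUP_SAMPLE='test
  target: default
  interfaces: ens160
  sources:
  services: ssh testservice
  ports:
  protocols:
  rich rules:'

# Offline demonstration on the constructed samples. On a live system, pass
#   "$(firewall-cmd --zone test --list-all)" and
#   "$(firewall-cmd --zone test --list-all --permanent)" instead.
zone_drift "$RUNNING_SAMPLE" "$STARTUP_SAMPLE" \
    || echo "running configuration has unsaved changes"
```

Drift reported this way is exactly what a reload would undo; if the running changes are intended, save them with firewall-cmd --runtime-to-permanent or repeat the commands with --permanent.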

Deleting a zone
The --delete-zone option deletes the specified zone. It accepts the zone name as the argument. You can use it only with the --permanent option. For example, the following command deletes the zone created for the exercises in this tutorial.
#firewall-cmd --delete-zone test --permanent

This tutorial is part of the series "Setting up a firewall using the firewalld service". The other parts of this series are as follows:
Chapter 1 Firewalld Basic concepts Explained with Examples
Chapter 2 How to Configure Firewalld in Linux
Chapter 3 Firewalld Rich Rules Explained with Examples
Conclusion
Firewalld is a firewall service. It uses zones to manage access rules. You can define rules for interfaces, services, and ports in zones. This tutorial explained how to create, verify, and manage zones, services, and ports.
By ComputerNetworkingNotes Updated on 2026-03-02