Firewalld is an open source, host-based firewall that seeks to prevent unauthorized access to your computer. A firewall is usually a minimum requirement by any information security team at any modern organization, but it's also a good idea for general computer use.
Firewalld can restrict access to services, ports, and networks. You can block specific subnets and IP addresses.
As with any firewall, firewalld inspects all traffic traversing the various interfaces on your system. The traffic is allowed or rejected if the source address network matches a rule.
Firewalld uses the concept of zones to segment traffic that interacts with your system. A network interface is assigned to one or more zones, and each zone contains a list of allowed ports and services. A default zone is also available to manage traffic that does not match any zones.
Firewalld is the daemon's name that maintains the firewall policies. Use the firewall-cmd
command to interact with the firewalld configuration.
Check the firewalld configuration
Before getting started, confirm that firewalld is running:
$ sudo firewall-cmd --state
The output is either running or not running. To start your firewall if it's not running, use systemctl
:
$ sudo systemctl --enable --now firewalld
[ Free download: Advanced Linux commands cheat sheet. ]
View zones
To view all zones on a system, use the --get-zones
option:
$ sudo firewall-cmd --get-zones
To display the default zone, use --get-default-zone
:
$ sudo firewall-cmd --get-default-zone
By default, if firewalld is enabled and running and in the public zone, all incoming traffic is rejected except SSH and DHCP.
[ Download the free Linux firewall cheat sheet. ]
Allow a port
To allow traffic from any IP through a specific port, use the --add-port
option along with the port number and protocol:
$ sudo firewall-cmd --add-port=80/tcp
This rule takes effect immediately but only lasts until the next reboot. Add the --permanent
flag to make it persistent:
$ sudo firewall-cmd --add-port=80/tcp --permanent
[ Free eBook: Manage your Linux environment for success. ]
Reload firewalld
I prefer to reload my firewall after making changes. To reload firewalld and all permanent rules:
$ sudo firewall-cmd --reload
Add a service
There are predefined services you can allow through your firewall. To see all predefined services available on your system:
$ sudo firewall-cmd --get-services
For example, to add the HTTP service to your firewall permanently, enter:
$ sudo firewall-cmd --add-service=http --permanent
$ sudo firewall-cmd --reload
Specify traffic by subnet
You can assign traffic coming from a particular subnet to a specific zone (which allows specific ports and services, possibly unique to just that zone).
For example, to assign the network 172.16.1.0/24 to the internal zone and to allow the Jenkins service:
$ sudo firewall-cmd --zone=internal \
--add-source=172.16.1.0/24 --permanent
$ sudo firewall-cmd --add-service=jenkins --permanent
$ sudo firewall-cmd --reload
List ports and services
You can list all ports and services allowed in the default zone using the --list-all
option:
$ sudo firewall-cmd --list-all
To view all settings for all zones, use --list-all-zones
:
$ sudo firewall-cmd --list-all-zones
Know your firewall
A good firewall is an essential feature on modern computer systems, and firewalld is one of the most convenient available. Its commands are intuitive and clear, and its ability to report useful descriptions of its policies makes it easy to understand. Review your firewall settings, and try out some firewall-cmd
commands today.
[ Download now: A sysadmin's guide to Bash scripting. ]
About the author
I work as Unix/Linux Administrator with a passion for high availability systems and clusters. I am a student of performance and optimization of systems and DevOps. I have passion for anything IT related and most importantly automation, high availability, and security.
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Original shows
Entertaining stories from the makers and leaders in enterprise tech
Products
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud services
- See all products
Tools
- Training and certification
- My account
- Customer support
- Developer resources
- Find a partner
- Red Hat Ecosystem Catalog
- Red Hat value calculator
- Documentation
Try, buy, & sell
Communicate
About Red Hat
We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.
Select a language
Red Hat legal and privacy links
- About Red Hat
- Jobs
- Events
- Locations
- Contact Red Hat
- Red Hat Blog
- Diversity, equity, and inclusion
- Cool Stuff Store
- Red Hat Summit