How to configure firewalld quickly
This article covers the fundamental tasks necessary to configure the firewalld
service quickly. I'll assume you already appreciate the importance of a firewall and have a general understanding of how firewalls protect servers and workstations.
These are the steps for configuring this firewall:
- Check its current status
- Check its configuration
- Open a port
- Close a port
- Make the settings persistent
- Reload the firewall configuration
To help you find the information you need, I've organized the article in a How do you? format that addresses these steps. Simply scroll down to your question and find the commands. If you need more detail on managing firewalld
, read Shashank Nandishwar Hegde's article An introduction to firewalld rules and scenarios.
How do you check the firewalld status?
First, ensure the firewalld
service is installed, started, and enabled:
$ sudo systemctl status firewalld
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
Starting a service activates it for the current runtime, whereas enabling a service causes it to start when the system boots.
How do you check the current configuration?
To display the services or ports currently open on the firewall for the public zone, type:
$ sudo firewall-cmd --list-all --zone=public
Notice the zone and the services or ports. The zone is a configuration related to a specific location or server role.
If desired, you can display the open ports by service or port number:
$ sudo firewall-cmd --list-services
$ sudo firewall-cmd --list-ports
[ Help your colleagues understand containers and hybrid cloud. Download How to explain orchestration in plain English. ]
How do you open a port?
If the existing firewall configuration blocks a service you need, open the appropriate port. You can specify it by service name if it's a common service. However, if the service is uncommon, developed in-house, or uses a custom port number, you can open the firewall port by port number. Here are two examples for web services:
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-port=80/tcp
Note the use of /tcp
(or /udp
, depending on the protocol).
This configuration is non-persistent. As noted below, you'll need the --permanent
flag to persist the settings.
Use the --list-services
or --list-ports
option to verify the settings.
[ Dowload the firewall cheat sheet to keep the necessary commands close at hand. ]
How do you close a port?
It's also possible that an open port represents a no-longer-installed service on the system or that it should be closed for some other reason. Close ports by service name or port number by using these commands:
$ sudo firewall-cmd --zone=public --remove-service=http
$ sudo firewall-cmd --zone=public --remove-port=80/tcp
Again, with the above commands, this configuration is non-persistent.
How do you make the firewall settings persistent?
The --permanent
option makes the firewall changes persist through reboots. You can integrate the flag into the configuration commands:
$ sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
How do you reload the configuration?
Finally, reload the firewall to integrate your changes into the current runtime. Do this as a separate step following the configuration changes:
$ sudo firewall-cmd --reload
One note regarding restart
versus reload
: Linux reads configuration files during the boot process, so what do you need to do when changing a configuration file? The obvious answer is to reboot the server, causing the system to reread the configuration file and implement the new changes. A reboot is often a bad idea (causing downtime), so you may choose to restart a service (systemctl restart sshd
).
However, the problem with restarting a service is that it drops existing connections. In many cases, a better alternative is to reload the service, which rereads the config file but does not drop existing connections, and therefore there is no interruption in service.
Learn more
The importance of a firewall is an established fact. This article provides the basic commands necessary to quickly check the configuration, add or remove rules, and reload the settings. You can check the Red Hat documentation for details on additional configurations, using various zones, port forwarding, and more.
Damon Garn
Damon Garn owns Cogspinner Coaction, LLC, a technical writing, editing, and IT project company based in Colorado Springs, CO. Damon authored many CompTIA Official Instructor and Student Guides (Linux+, Cloud+, Cloud Essentials+, Server+) and developed a broad library of interactive, scored labs. He regularly contributes to Enable Sysadmin, SearchNetworking, and CompTIA article repositories. Damon has 20 years of experience as a technical trainer covering Linux, Windows Server, and security content. He is a former sysadmin for US Figure Skating. He lives in Colorado Springs with his family and is a writer, musician, and amateur genealogist. More about me