Master firewalld: Essential Commands to Manage Linux Firewall Zones
This guide walks you through firewalld on CentOS 7, covering how to check status, start, restart, enable at boot, manage zones, configure ports, sources, and rich rules, and explains the impact of each command with practical examples for secure network administration.
Practice Environment
CentOS-7-x86_64-DVD-2009
Introduction
Firewalld is a simple, stateful, zone‑based firewall. Policies and zones organize firewall rules. The network is logically divided into zones, and traffic between zones can be managed via policies.
Check Firewall Status
# service firewalld status
or
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
If the output shows Active: inactive (dead), the firewall is not running; Active: active (running) means it is running. The "disabled" in the Loaded line refers to starting at boot (see Enable/Disable Firewall at Boot), not to the current state.
Start Firewall
# service firewalld start
or
# systemctl start firewalld

Restart Firewall
# service firewalld restart
or
# systemctl restart firewalld

Enable/Disable Firewall at Boot
# systemctl enable firewalld
# systemctl disable firewalld
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
To see the details of each zone:
# firewall-cmd --list-all-zones
block : reject incoming traffic unless it is related to outgoing traffic.
dmz : reject incoming traffic unless it is related to outgoing traffic; allow ssh.
drop : same as block.
external : reject incoming traffic unless related; allow ssh.
home : reject incoming traffic unless related; allow ssh, mdns, ipp-client, samba-client, dhcpv6-client.
internal : equivalent to home.
public : reject incoming traffic unless related; allow ssh, dhcpv6-client.
trusted : allow all inbound and outbound packets.
work : reject incoming traffic unless related; allow ssh, ipp-client, dhcpv6-client.
Create Custom Zone
# firewall-cmd --permanent --new-zone=testing
success
--permanent must be included: a new zone can only be created in the permanent configuration, and it becomes available at runtime after firewall-cmd --reload.
View Default Zone
# firewall-cmd --get-default-zone
public

View Interface‑Zone Association
# ip addr
... (output omitted) ...
# firewall-cmd --get-zone-of-interface=ens33
public
Note: one network interface can be bound to only one zone.
Change Default Zone
# firewall-cmd --set-default-zone=trusted
success
# firewall-cmd --get-default-zone
trusted
# firewall-cmd --set-default-zone=public
success
# firewall-cmd --get-default-zone
public

Modify Interface Zone
Method 1 – remove then add:
# firewall-cmd --remove-interface=ens33 --zone=public
success
# firewall-cmd --add-interface=ens33 --zone=trusted
success
Method 2 – change directly:
# firewall-cmd --change-interface=ens33 --zone=public
success

List Active Zones
# firewall-cmd --get-active-zones
public
interfaces: ens33

Port Access Control
List Open Ports
# firewall-cmd [--permanent] [--zone=zone] --list-ports
The list shows the ports added to the specified zone in the form portid[-portid]/protocol.
Add Open Port
# firewall-cmd [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]
--timeout cannot be used together with --permanent: a timed rule exists only in the runtime configuration and is removed automatically when timeval expires.
Remove Open Port
# firewall-cmd [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol

Examples
Persistently open TCP port 15672 in the public zone:
# firewall-cmd --permanent --add-port=15672/tcp
# firewall-cmd --reload
success
# firewall-cmd --list-ports
15672/tcp
Persistently open the port range 1000‑2000:
# firewall-cmd --permanent --add-port=1000-2000/tcp
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
15672/tcp 1000-2000/tcp
Persistently remove a port:
# firewall-cmd --permanent --remove-port=15672/tcp
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
1000-2000/tcp

IP/Network Access Control
Add Source
# firewall-cmd [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
Binds an IP address, network, MAC address or ipset to a zone, so that traffic from that source is handled by the zone's rules. If --zone is omitted, the default zone is used.
Remove Source
# firewall-cmd [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset

Examples
Allow a single IP permanently in the public zone:
# firewall-cmd --permanent --add-source=192.168.50.182
success
# firewall-cmd --reload
success
Allow an entire subnet permanently:
# firewall-cmd --permanent --add-source=192.168.50.0/24
success
# firewall-cmd --reload
success
Remove a previously added source:
# firewall-cmd --permanent --remove-source=192.168.50.182
success
# firewall-cmd --reload
success

Rich Language Rules
List Rich Rules
# firewall-cmd [--permanent] [--zone=zone] --list-rich-rules

Add Rich Rule
# firewall-cmd [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]

Remove Rich Rule
# firewall-cmd [--permanent] [--zone=zone] --remove-rich-rule='rule'

Query Rich Rule
# firewall-cmd [--permanent] [--zone=zone] --query-rich-rule='rule'

Examples
Allow IP 192.168.50.182 permanent access to TCP port 15672 in the public zone:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.182" port protocol="tcp" port="15672" accept'
# firewall-cmd --reload
Remove the above rule:
# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.50.182" port protocol="tcp" port="15672" accept'
# firewall-cmd --reload
Block the IP permanently:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.182" reject'
# firewall-cmd --reload
Remove the block:
# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.50.182" reject'
# firewall-cmd --reload

List All Settings for a Zone
# firewall-cmd [--permanent] [--zone=zone] --list-all
Example output for the public zone shows target, interfaces, sources, services, ports, protocols, masquerade, forward‑ports, source‑ports, icmp‑blocks, and rich rules.
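Both the port arguments from Port Access Control and the rich rules above are easy to get wrong by hand (a reversed range, a protocol firewalld does not know, a mistyped address), and firewall-cmd only tells you after the fact. The following POSIX shell script is an added example, not code from the article or from the firewalld project: it validates a portid[-portid]/protocol specification and the fields of a rich rule, and prints the exact firewall-cmd line that the examples in those two sections would run. It executes nothing on the system; the zone names, addresses and port numbers it checks are whatever the caller passes in.

```shell
#!/bin/sh
# Added example, not code from the original article: validate the values
# that go into --add-port/--remove-port and --add-rich-rule/--remove-rich-rule
# and print the exact firewall-cmd line they produce. Nothing here executes
# firewall-cmd, so it runs on any host. Assumption: zone names, addresses and
# port numbers are supplied by the caller; only their shape is checked.
set -eu

# Return 0 if $1 is an integer in 1..65535.
valid_port_number() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
valid_ipv4() {
    case "$1" in */) return 1 ;; esac
    addr=${1%%/*}
    prefix=${1#"$addr"}; prefix=${prefix#/}
    if [ -n "$prefix" ]; then
        case "$prefix" in *[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    n=0
    old_ifs=$IFS; IFS=.
    for octet in $addr; do
        n=$((n + 1))
        case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# Return 0 if $1 is a valid spec of the form portid[-portid]/protocol:
# both ends in range, an ascending range, and a protocol firewalld accepts.
valid_port_spec() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ports=${1%/*}; proto=${1##*/}
    case "$proto" in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    case "$ports" in
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *)   lo=$ports; hi=$ports ;;
    esac
    valid_port_number "$lo" && valid_port_number "$hi" && [ "$lo" -le "$hi" ]
}

# Print the firewall-cmd line for $1=add|remove, $2=zone, $3=port spec.
# $4 (optional) is "runtime" for a non-persistent change; default is permanent.
port_cmd() {
    case "$1" in add|remove) ;; *) echo "bad action: $1" >&2; return 1 ;; esac
    valid_port_spec "$3" || { echo "bad port spec: $3" >&2; return 1; }
    if [ "${4:-permanent}" = runtime ]; then perm=''; else perm='--permanent '; fi
    printf 'firewall-cmd %s--zone=%s --%s-port=%s\n' "$perm" "$2" "$1" "$3"
}

# Print a rich rule: $1=source address (IPv4, optional /prefix),
# $2=accept|reject|drop, $3 (optional)=port spec that limits the rule.
rich_rule() {
    src=$1; verdict=$2; spec=${3:-}
    valid_ipv4 "$src" || { echo "bad source: $src" >&2; return 1; }
    case "$verdict" in accept|reject|drop) ;; *) echo "bad verdict: $verdict" >&2; return 1 ;; esac
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$spec" ]; then
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
        rule="$rule port protocol=\"${spec##*/}\" port=\"${spec%/*}\""
    fi
    printf '%s %s\n' "$rule" "$verdict"
}

# Print the permanent firewall-cmd line for $1=add|remove, $2=zone, then the
# rich_rule arguments.
rich_rule_cmd() {
    op=$1; zone=$2; shift 2
    case "$op" in add|remove) ;; *) echo "bad action: $op" >&2; return 1 ;; esac
    rule=$(rich_rule "$@") || return 1
    printf "firewall-cmd --permanent --zone=%s --%s-rich-rule='%s'\n" "$zone" "$op" "$rule"
}

# Demo with the article's values (prints the command lines only).
port_cmd add public 15672/tcp
port_cmd add public 1000-2000/tcp
port_cmd remove public 15672/tcp
rich_rule_cmd add public 192.168.50.182 accept 15672/tcp
rich_rule_cmd add public 192.168.50.182 reject
```

The printed lines can be pasted into a shell or piped to sh; each one still needs the firewall-cmd --reload the article shows after every --permanent change.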
Save Runtime Configuration Permanently
# firewall-cmd --runtime-to-permanent
This command writes the current runtime configuration to the permanent configuration files, so that changes made without --permanent survive a reload or a restart of firewalld.
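To make use of what --list-all reports, and to catch runtime changes that --runtime-to-permanent has not yet saved, the following POSIX shell script is an added example, not code from the article: it parses two constructed samples of --list-all output for the public zone (a runtime view and a permanent view, embedded inline and modelled on the CentOS 7 layout), and reports ports open at runtime but missing from the permanent configuration, ports that are not on an allowlist, and a zone target of ACCEPT. On a real host the two samples would be replaced by the output of firewall-cmd --zone=public --list-all and firewall-cmd --permanent --zone=public --list-all.

```shell
#!/bin/sh
# Added example, not code from the original article: audit the text that
# firewall-cmd --list-all prints for a zone. The two samples below are
# constructed (modelled on the CentOS 7 output layout) so the script runs
# without firewalld; on a real host they would come from
#   firewall-cmd --zone=public --list-all               (runtime)
#   firewall-cmd --permanent --zone=public --list-all   (permanent)
set -eu

# Constructed runtime view: the article's configuration plus 8080/tcp, which
# was opened without --permanent. (Real output indents rich rules with a tab.)
SAMPLE_RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 192.168.50.0/24
  services: ssh dhcpv6-client
  ports: 1000-2000/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.50.182" reject'

# Constructed permanent view of the same zone.
SAMPLE_PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 192.168.50.0/24
  services: ssh dhcpv6-client
  ports: 1000-2000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.50.182" reject'

# Print the value of a single-line field ($2, e.g. ports, sources, target)
# from the --list-all text in $1.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# Print the zone's rich rules, one per line.
zone_rich_rules() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\(rule .*\)$/\1/p'
}

# Print the space-separated items of $1 that do not occur in $2.
missing_items() {
    for item in $1; do
        found=no
        for ref in $2; do
            [ "$item" = "$ref" ] && found=yes
        done
        [ "$found" = no ] && printf '%s\n' "$item"
    done
    return 0
}

# Ports open at runtime ($1) but absent from the permanent view ($2): they
# disappear on the next reload unless firewall-cmd --runtime-to-permanent runs.
unsaved_ports() {
    missing_items "$(zone_field "$1" ports)" "$(zone_field "$2" ports)"
}

# Open ports in $1 that are not on the space-separated allowlist $2.
unexpected_ports() {
    missing_items "$(zone_field "$1" ports)" "$2"
}

# Return 0 when the zone target is ACCEPT, i.e. traffic matched by no rule
# is let through, which is how the trusted zone behaves.
target_is_accept() {
    [ "$(zone_field "$1" target)" = ACCEPT ]
}

# Demo on the constructed samples.
echo "open at runtime but not saved: $(unsaved_ports "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT")"
echo "not on allowlist:              $(unexpected_ports "$SAMPLE_RUNTIME" '1000-2000/tcp')"
echo "rich rules:                    $(zone_rich_rules "$SAMPLE_RUNTIME")"
if target_is_accept "$SAMPLE_RUNTIME"; then
    echo "WARNING: zone target is ACCEPT"
else
    echo "zone target: $(zone_field "$SAMPLE_RUNTIME" target)"
fi
```

Running the demo reports 8080/tcp under both checks: it is the one port that exists only at runtime and is not on the allowlist, which is exactly the kind of drift a reload would silently undo and a --runtime-to-permanent would silently make permanent.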
Open Source Linux
Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.