Master firewalld on CentOS 7: From Basics to Advanced Zone Management
This guide walks you through using firewalld on CentOS 7, covering status checks, starting and restarting the service, configuring zones, managing ports and sources, applying rich rules, and persisting changes, while providing clear command examples for each step.
Practice Environment
CentOS-7-x86_64-DVD-2009
Introduction
Firewalld is a simple, stateful, zone‑based firewall. Policies and zones organize firewall rules. The network is logically divided into zones, and traffic between zones can be managed via policies.
View Firewall Status
# service firewalld status
or
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
Docs: man:firewalld(1)

If the output shows Active: inactive (dead), the firewall is not running; Active: active (running) means it is running.
# firewall-cmd --state
not running

Start Firewall
# service firewalld start
or
# systemctl start firewalld

Restart Firewall
# service firewalld restart
or
# systemctl restart firewalld

Enable Firewall at Boot
# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.

Disable Firewall at Boot
# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

View Predefined Zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# firewall-cmd --list-all-zones

The predefined zones behave as follows:
block : Reject inbound traffic unless it is related to outbound traffic.
dmz : Reject inbound traffic unless related to outbound; allow if traffic is for the ssh service.
drop : Reject inbound traffic unless related to outbound traffic.
external : Reject inbound traffic unless related to outbound; allow if traffic is for the ssh service.
home : Reject inbound traffic unless related to outbound; allow if traffic is for the ssh, mdns, ipp-client, samba-client or dhcpv6-client services.
internal : Same as the home zone.
public : Reject inbound traffic unless related to outbound; allow if traffic is for the ssh or dhcpv6-client services.
trusted : Allow all packets inbound and outbound.
work : Reject inbound traffic unless related to outbound; allow if traffic is for the ssh, ipp-client or dhcpv6-client services.
Create Custom Zone
# firewall-cmd --permanent --new-zone=testing
success

Note: the --permanent option is required.
View Default Zone
# firewall-cmd --get-default-zone
public

View Interface‑Associated Zone
# ip addr
... (interface details) ...
# firewall-cmd --get-zone-of-interface=ens33
public

Only one zone can be bound to a network interface.
Change Default Zone
# firewall-cmd --set-default-zone=trusted
success
# firewall-cmd --get-default-zone
trusted
# firewall-cmd --set-default-zone=public
success
# firewall-cmd --get-default-zone
public

Modify Interface‑Associated Zone
Method 1 – remove the current association then add the new one:
# firewall-cmd --remove-interface=ens33 --zone=public
success
# firewall-cmd --add-interface=ens33 --zone=trusted
success

Method 2 – change the zone directly:
# firewall-cmd --change-interface=ens33 --zone=public
success

Print Active Zones and Their Interfaces/Sources
# firewall-cmd --get-active-zones

Example output:
public
interfaces: ens33

Port Access Restrictions
List Open Ports
firewall-cmd [--permanent] [--zone=zone] --list-ports

Add Open Port
firewall-cmd [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol [--timeout=timeval]

Example – permanently open TCP port 15672 in the public zone:
# firewall-cmd --permanent --add-port=15672/tcp
# firewall-cmd --list-ports # shows nothing yet: a --permanent change does not reach the runtime configuration until --reload
# firewall-cmd --reload
success
# firewall-cmd --list-ports
15672/tcp

Example – permanently open TCP port range 1000‑2000:
# firewall-cmd --permanent --add-port=1000-2000/tcp
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
15672/tcp 1000-2000/tcp

Example – permanently remove TCP port 15672:
# firewall-cmd --permanent --remove-port=15672/tcp
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
1000-2000/tcp

IP/Network Access Restrictions
Add Source
firewall-cmd [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset

Example – allow IP 192.168.50.182 permanently in the public zone:
# firewall-cmd --permanent --add-source=192.168.50.182
success
# firewall-cmd --reload
success

Example – allow subnet 192.168.50.0/24 permanently:
# firewall-cmd --permanent --add-source=192.168.50.0/24
success
# firewall-cmd --reload
success

Remove Source
firewall-cmd [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset

Example – remove the IP 192.168.50.182 from the public zone:
# firewall-cmd --permanent --remove-source=192.168.50.182
success
# firewall-cmd --reload
success

Rich Language Rules
List Rich Rules
firewall-cmd [--permanent] [--zone=zone] --list-rich-rules

Add Rich Rule
firewall-cmd [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]

Example – permanently allow IP 192.168.50.182 to access TCP port 15672 in the public zone:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.182" port protocol="tcp" port="15672" accept'
# firewall-cmd --reload

Example – permanently reject that IP:
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.50.182" reject'
# firewall-cmd --reload

Remove Rich Rule
firewall-cmd [--permanent] [--zone=zone] --remove-rich-rule='rule'

Example – remove the accept rule above:
# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.50.182" port protocol="tcp" port="15672" accept'
success
# firewall-cmd --reload

List All Settings for a Zone
firewall-cmd [--permanent] [--zone=zone] --list-all

Example output for the public zone:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 15672/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Save Runtime Configuration as Permanent
# firewall-cmd --runtime-to-permanent

This command writes the current runtime configuration to the permanent configuration, overwriting the saved settings. Any --permanent change that was never followed by --reload is not part of the runtime configuration, so it is lost when this command runs.
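Every change in the port, source and rich-rule sections above follows the same pattern: make the change with --permanent, then --reload so it takes effect now and survives a restart. The script below is an added example, not code from the article or from the firewalld project. It wraps that pattern, validates a port specification and an IPv4 source before anything is handed to firewall-cmd, and builds a rich-rule string in the syntax shown above. FIREWALL_CMD is an assumption of this script, not a firewalld option: it defaults to firewall-cmd, but setting it to echo or to a stub function rehearses the exact command lines without touching a live host; the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the original article or the firewalld project.
# Wraps the "--permanent change, then --reload" workflow used throughout the
# guide and validates arguments before they reach firewall-cmd.
# FIREWALL_CMD is an assumption of this script (not a firewalld feature): it
# defaults to firewall-cmd, but setting it to "echo" or to a stub function
# rehearses the exact command lines without touching a live host.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# is_int S -> 0 when S is a non-empty string of decimal digits
is_int() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# valid_port_spec PORT[-PORT]/PROTO -> 0 when the spec is one firewall-cmd accepts
# (protocol tcp/udp/sctp/dccp, ports 1-65535, range not reversed)
valid_port_spec() {
    case "$1" in */tcp|*/udp|*/sctp|*/dccp) ;; *) return 1 ;; esac
    ports="${1%/*}"; lo="${ports%-*}"; hi="${ports#*-}"
    is_int "$lo" && is_int "$hi" || return 1
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# valid_ipv4 ADDR[/PREFIX] -> 0 for a dotted quad with an optional /0-32 prefix
valid_ipv4() {
    addr="${1%/*}"
    if [ "$addr" != "$1" ]; then
        prefix="${1#*/}"
        is_int "$prefix" && [ "$prefix" -le 32 ] || return 1
    fi
    printf '%s\n' "$addr" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# rich_rule FAMILY SOURCE PORT PROTO ACTION -> a rule in the syntax the guide uses
rich_rule() {
    case "$5" in accept|reject|drop) ;; *) return 1 ;; esac
    printf 'rule family="%s" source address="%s" port protocol="%s" port="%s" %s\n' \
        "$1" "$2" "$4" "$3" "$5"
}

# fw_apply ZONE ARGS... -> make the change in the permanent configuration of
# ZONE, then reload so the runtime configuration picks it up
fw_apply() {
    zone="$1"; shift
    "$FIREWALL_CMD" --permanent --zone="$zone" "$@" || return 1
    "$FIREWALL_CMD" --reload
}

open_port()  { valid_port_spec "$2" || return 2; fw_apply "$1" --add-port="$2"; }
close_port() { valid_port_spec "$2" || return 2; fw_apply "$1" --remove-port="$2"; }
add_source() { valid_ipv4 "$2"      || return 2; fw_apply "$1" --add-source="$2"; }

# allow_from ZONE ADDR PORT PROTO -> accept PORT/PROTO from ADDR only, via a rich rule
allow_from() {
    valid_ipv4 "$2" && valid_port_spec "$3/$4" || return 2
    fw_apply "$1" --add-rich-rule="$(rich_rule ipv4 "$2" "$3" "$4" accept)"
}

# Minimal command line, e.g.:  sh fw.sh open public 15672/tcp
#                              sh fw.sh allow public 192.168.50.182 15672 tcp
case "${1:-}" in
    open)   open_port  "$2" "$3" ;;
    close)  close_port "$2" "$3" ;;
    source) add_source "$2" "$3" ;;
    allow)  allow_from "$2" "$3" "$4" "$5" ;;
esac
```

Running it as FIREWALL_CMD=echo sh fw.sh open public 15672/tcp prints the two command lines that would be executed, which is a cheap way to review a change before applying it on a host.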
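Two observations from this guide meet here: a --permanent change is invisible to --list-ports until --reload, and --runtime-to-permanent replaces the saved configuration with whatever is running. Knowing whether the two configurations agree before either command runs is therefore worth a check. The script below is an added example, not part of the article: it parses the --list-all output format shown above for both the runtime and the permanent configuration and reports each field that differs, and it lists what a zone bound to an interface exposes to every source address. The two dumps embedded in it are constructed sample input modelled on the guide's output, and the function names are the script's own; on a real host the dumps would come from firewall-cmd --list-all and firewall-cmd --permanent --list-all.

```shell
#!/bin/sh
# Added example, not part of the original article. Compares the runtime and
# permanent settings of a zone as printed by "firewall-cmd --list-all" and
# "firewall-cmd --permanent --list-all", one field at a time, so that changes
# made without --permanent (gone at the next reload or reboot) and --permanent
# changes never followed by --reload (not yet enforced) are caught before
# --reload or --runtime-to-permanent silently makes one side win.

# zone_field DUMP NAME -> the space-separated value of "NAME:" in DUMP, with
# tokens sorted so the order in which entries were added does not matter
zone_field() {
    printf '%s\n' "$1" \
    | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" \
    | tr ' ' '\n' | grep -v '^$' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Single-line fields of a --list-all dump. "rich rules" is multi-line in real
# output and is deliberately not compared here.
ZONE_FIELDS="target icmp-block-inversion interfaces sources services ports protocols masquerade forward-ports source-ports icmp-blocks"

# zone_drift RUNTIME_DUMP PERMANENT_DUMP -> one line per differing field,
# "FIELD runtime=[...] permanent=[...]"; exit status 0 only when nothing differs
zone_drift() {
    drift=0
    for f in $ZONE_FIELDS; do
        r=$(zone_field "$1" "$f")
        p=$(zone_field "$2" "$f")
        if [ "$r" != "$p" ]; then
            printf '%s runtime=[%s] permanent=[%s]\n' "$f" "$r" "$p"
            drift=1
        fi
    done
    return $drift
}

# zone_open_to_all DUMP -> the services and ports reachable from any source
# address. A zone bound to an interface matches every packet arriving on that
# interface, so its services and ports are not limited to the listed sources.
# Prints nothing and returns 1 when the zone is bound to no interface.
zone_open_to_all() {
    [ -n "$(zone_field "$1" interfaces)" ] || return 1
    printf '%s\n' "$(zone_field "$1" services) $(zone_field "$1" ports)" \
    | sed 's/^ *//; s/ *$//'
}

# Constructed sample input (modelled on the guide's --list-all output):
# the runtime configuration, where 15672/tcp was added without --permanent
RUNTIME='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports: 15672/tcp 1000-2000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample input: the permanent configuration, which lacks 15672/tcp
# and lists the same services in a different order
PERMANENT='public
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client
  ports: 1000-2000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Stand-alone run: report drift between the two constructed dumps
zone_drift "$RUNTIME" "$PERMANENT" \
    || echo "runtime and permanent differ: --reload drops runtime-only entries, --runtime-to-permanent drops permanent-only ones"
echo "reachable from any address on the zone's interfaces: $(zone_open_to_all "$RUNTIME")"
```

Because tokens are sorted before comparison, a service list that merely appears in a different order in the two dumps (as in the sample) is not reported; only the port that exists at runtime but not in the saved configuration is.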
MaGe Linux Operations