Master firewalld on CentOS 8: Complete Guide to Configuring Your Firewall
This guide explains how to use firewalld on CentOS 8, covering zones, services, runtime vs permanent rules, common commands for starting, stopping, and reloading the firewall, as well as adding, removing, and forwarding ports and rich rules.
Introduction
A Linux firewall protects a workstation or server from unwanted traffic. CentOS 8 ships firewalld, a dynamic, host-based firewall daemon with a D-Bus interface, together with firewall-cmd, its command-line client. On CentOS 8 firewalld uses nftables as its backend; nftables replaces iptables as the default packet-filtering framework, but rules are managed through firewalld rather than by editing nftables directly.
Basic Concepts of firewalld
firewalld simplifies network traffic management. Its two central concepts are zones and services.
1. Zones
Zones are named rule sets that express how much you trust the interfaces or source networks assigned to them. The predefined zones ship as XML files:
$ ls -l /usr/lib/firewalld/zones/
View a zone definition, e.g. the public zone:
$ cat /usr/lib/firewalld/zones/public.xml
List all zones known to firewalld:
$ firewall-cmd --get-zones
Default Zone
Identify the default zone:
$ firewall-cmd --get-default-zone
Show network interfaces with ip or nmcli:
$ ip link show
$ nmcli device status
An interface that is not explicitly bound to a zone (e.g. a newly added eth0 or ens3) is placed in the default zone. List the zones that currently have interfaces or sources assigned, and which ones:
$ firewall-cmd --get-active-zones
2. Services
A service is a named bundle of the ports, protocols, and optional netfilter helper modules or destination addresses that an application needs, so you can allow ssh or http instead of remembering port numbers; a service may also be defined by a protocol with no port at all.
List everything enabled in the default zone (services, ports, rich rules, and so on):
$ sudo firewall-cmd --list-all
Or name the zone explicitly:
$ sudo firewall-cmd --list-all --zone=public
The default zone is public. Out of the box it accepts incoming ssh (TCP 22), dhcpv6-client (UDP 546) and cockpit (TCP 9090); any other new inbound connection is rejected by the zone's default target. To open web ports for Apache or Nginx, add the http and https services with firewall-cmd. Services you do not need (cockpit if you do not use the web console, dhcpv6-client if the host has no IPv6) can be removed:
$ sudo firewall-cmd --remove-service=cockpit --permanent
$ sudo firewall-cmd --remove-service=dhcpv6-client --permanent
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --list-services
Starting, Stopping, and Restarting firewalld
Activate firewalld and enable it at boot:
$ sudo systemctl start firewalld
$ sudo systemctl enable firewalld
Stop and disable:
$ sudo systemctl stop firewalld
$ sudo systemctl disable firewalld
Check whether firewalld is running:
$ sudo firewall-cmd --state
Reload the permanent configuration into the running firewall after rule changes:
$ sudo firewall-cmd --reload
View the service status:
$ sudo systemctl status firewalld
Runtime vs Permanent Rule Sets
Runtime changes take effect immediately but exist only in the running daemon: they vanish on the next --reload, a service restart, or a reboot. Changes made with --permanent are written to /etc/firewalld/ but are not applied until the next reload. Example of opening HTTP/HTTPS at runtime only:
$ sudo firewall-cmd --zone=public --add-service=http
$ sudo firewall-cmd --zone=public --add-service=https
To make them permanent, then reload so the permanent set becomes the running set:
$ sudo firewall-cmd --zone=public --add-service=http --permanent
$ sudo firewall-cmd --zone=public --add-service=https --permanent
$ sudo firewall-cmd --reload
Alternatively, once runtime changes have been tested, copy the whole runtime configuration into the permanent one with sudo firewall-cmd --runtime-to-permanent. Verify the runtime and permanent service lists separately; any difference is a change that will be lost on reload or is not yet active:
$ sudo firewall-cmd --list-services
$ sudo firewall-cmd --list-services --permanent
Finding Supported Services
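The runtime and permanent lists above should normally be identical; where they differ, something was added at runtime without --permanent (and will be lost on reload) or with --permanent but without a reload (and is not yet enforced). The script below is an added example, not code from the original page or from firewalld: list_drift() compares two space-separated lists, as firewall-cmd prints them, and works on constructed input so it runs offline; check_live_drift() feeds it real firewall-cmd output and needs root and a running firewalld. The function names and the FW_LIVE switch are this example's own.

```bash
#!/usr/bin/env bash
# Report drift between a zone's runtime and permanent rule sets.
# Added example (not part of firewalld).  Exit status of list_drift:
# 0 when both lists hold the same items, 1 when any drift was found.

list_drift() {  # list_drift "<runtime items>" "<permanent items>"
  # Tag each item with its origin (R/P); $1 and $2 are word-split on purpose,
  # because firewall-cmd --list-services / --list-ports print one line of
  # space-separated names.  awk then prints the two one-sided differences.
  { printf '%s\n' $1 | sed 's/^/R /'
    printf '%s\n' $2 | sed 's/^/P /'; } |
  awk 'NF == 2 && $1 == "R" { if (!($2 in rt)) { rt[$2] = 1; seen[++n] = $2 } }
       NF == 2 && $1 == "P" { pm[$2] = 1; if (!($2 in rt)) seen[++n] = $2 }
       END {
         for (i = 1; i <= n; i++) {
           k = seen[i]
           if ((k in rt) && !(k in pm)) { print "runtime-only (lost on reload): " k; drift = 1 }
           else if (!(k in rt) && (k in pm)) { print "permanent-only (inactive until reload): " k; drift = 1 }
         }
         exit (drift ? 1 : 0)
       }'
}

check_live_drift() {  # check_live_drift [zone]; needs root and a running firewalld
  local zone="${1:-$(firewall-cmd --get-default-zone)}" kind rc=0
  for kind in services ports; do
    echo "== zone $zone: $kind"
    list_drift "$(firewall-cmd --zone="$zone" --list-"$kind")" \
               "$(firewall-cmd --zone="$zone" --list-"$kind" --permanent)" || rc=1
  done
  return "$rc"
}

if [ "${FW_LIVE:-0}" = 1 ]; then
  check_live_drift "$@"
else
  # Constructed demo: http was added at runtime only, https with --permanent but no reload.
  list_drift "ssh cockpit http" "ssh cockpit https" ||
    echo "drift detected: reconcile with --runtime-to-permanent or --reload"
fi
```

Run it as `FW_LIVE=1 sudo ./fw-drift.sh public` on a live host; a non-zero exit makes it usable as a pre-reload check in a change script.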
List every service definition firewalld knows about, search for a specific one, and inspect the XML behind a service name:
$ sudo firewall-cmd --get-services
$ sudo firewall-cmd --get-services | grep mysql
$ ls -l /usr/lib/firewalld/services/
$ cat /usr/lib/firewalld/services/ssh.xml
firewalld Rule Examples
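Before adding or removing rules it is worth knowing exactly which ports a zone's saved configuration opens, since service names hide the numbers. The script below is an added example (not from the original page or from firewalld): it resolves a zone XML to a flat list of port/protocol pairs by following each <service name="..."/> reference into the service XML of the kind shown above, and adds any ports opened directly on the zone. The helper names, the FW_DIR variable and the constructed fixture files are this example's own; when FW_DIR is unset it writes stand-ins for the stock public, ssh, cockpit and dhcpv6-client definitions to a temp dir so it runs offline.

```bash
#!/usr/bin/env bash
# Resolve a firewalld zone's saved configuration to the concrete ports it
# opens, by reading the zone XML and every service XML it references.
# Added example, not part of firewalld.  Set FW_DIR=/usr/lib/firewalld (stock
# files) or FW_DIR=/etc/firewalld (local overrides, which take precedence)
# to audit a real host; with FW_DIR unset a constructed fixture is used.

xml_attr() {  # xml_attr <attribute> <element text>: one attribute's value, in any attribute order
  printf '%s\n' "$2" | sed -n "s/.* $1=\"\([^\"]*\)\".*/\1/p"
}

ports_in_file() {  # every <port .../> element of a zone or service file, as "port/proto"
  grep -o '<port [^>]*>' "$1" | while IFS= read -r el; do
    printf '%s/%s\n' "$(xml_attr port "$el")" "$(xml_attr protocol "$el")"
  done
}

service_ports() {  # service_ports <service>: the ports behind a service name, e.g. ssh -> 22/tcp
  local f="$FW_DIR/services/$1.xml"
  [ -f "$f" ] || { echo "no definition for service '$1' under $FW_DIR" >&2; return 1; }
  ports_in_file "$f"
}

zone_open_ports() {  # zone_open_ports <zone>: sorted, unique "port/proto" the zone accepts
  local f="$FW_DIR/zones/$1.xml" svc
  [ -f "$f" ] || { echo "no zone '$1' under $FW_DIR" >&2; return 1; }
  {
    for svc in $(grep -o '<service name="[^"]*"' "$f" | sed 's/.*name="//; s/"$//'); do
      service_ports "$svc"
    done
    ports_in_file "$f"   # ports opened directly on the zone with --add-port
  } | sort -u
}

make_fixture() {  # constructed stand-ins whose contents mirror the stock CentOS 8 definitions
  FW_TMP=$(mktemp -d); FW_DIR=$FW_TMP
  trap 'rm -rf "$FW_TMP"' EXIT
  mkdir -p "$FW_DIR/zones" "$FW_DIR/services"
  cat > "$FW_DIR/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
</zone>
EOF
  # a hardened zone as firewalld saves it: cockpit and dhcpv6-client removed, 9009/tcp added
  cat > "$FW_DIR/zones/custom.xml" <<'EOF'
<zone>
  <short>Custom</short>
  <service name="ssh"/>
  <port port="9009" protocol="tcp"/>
</zone>
EOF
  printf '<service><short>SSH</short><port protocol="tcp" port="22"/></service>\n' > "$FW_DIR/services/ssh.xml"
  printf '<service><short>Cockpit</short><port protocol="tcp" port="9090"/></service>\n' > "$FW_DIR/services/cockpit.xml"
  printf '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/><destination ipv6="fe80::/64"/></service>\n' \
    > "$FW_DIR/services/dhcpv6-client.xml"
}

if [ -z "${FW_DIR:-}" ]; then make_fixture; fi
echo "ports opened by zone '${1:-public}' (definitions under $FW_DIR):"
zone_open_ports "${1:-public}"
```

Run against a real host with `FW_DIR=/etc/firewalld ./zone-ports.sh public` after you have saved changes, and compare the result with what you expect the host to expose; a zone override in /etc/firewalld replaces the stock file of the same name, so audit that directory first.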
Each --permanent example below changes only the saved configuration; run sudo firewall-cmd --reload afterwards, or drop --permanent to change the running firewall immediately. Adding a service (DNS) to the public zone:
$ sudo firewall-cmd --zone=public --add-service=dns --permanent
Removing a service (VNC server) from the public zone:
$ sudo firewall-cmd --zone=public --remove-service=vnc-server --permanent
Opening a TCP port (9009) that has no predefined service:
$ sudo firewall-cmd --zone=public --add-port=9009/tcp --permanent
Listing the ports opened directly on a zone (here internal):
$ sudo firewall-cmd --zone=internal --list-ports
Removing a TCP port (23):
$ sudo firewall-cmd --zone=public --remove-port=23/tcp --permanent
Port Forwarding
Forward incoming TCP port 80 to port 8080 on the same server (useful when the application listens unprivileged on 8080), then reload:
$ sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
Delete the forwarding rule from the permanent configuration (the same --permanent flag as when it was added) and reload:
$ sudo firewall-cmd --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080 --permanent
Forwarding to another host (here 192.168.2.42) requires masquerading on the zone. Enable both with --permanent so they survive a reload together, then reload:
$ sudo firewall-cmd --zone=public --add-masquerade --permanent
$ sudo firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=443:toaddr=192.168.2.42 --permanent
Masquerading NATs all traffic leaving the zone, not just the forwarded port, so only enable it on a host meant to act as a router or NAT gateway. Remove the masquerade and forwarding rule, then reload:
$ sudo firewall-cmd --zone=public --remove-masquerade --permanent
$ sudo firewall-cmd --zone=public --remove-forward-port=port=443:proto=tcp:toport=443:toaddr=192.168.2.42 --permanent
List all permanent rules for the zone:
$ sudo firewall-cmd --zone=public --list-all --permanent
Rich Rules
A rich rule combines a source, a destination, a service or port, and an action in one expression. Allow SSH (TCP 22) from 10.8.0.8. A rich rule only adds an allowance: the zone's ssh service still accepts port 22 from everyone, so to restrict SSH to this address you must also remove that service from the zone (sudo firewall-cmd --permanent --zone=public --remove-service=ssh) and reload. Do this from a session that will still be allowed, or at runtime first, so a mistake does not lock you out:
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.8.0.8" port port="22" protocol="tcp" accept'
Verify the rule:
$ sudo firewall-cmd --list-rich-rules --permanent
Allow the subnet 192.168.1.0/24 to reach TCP port 11211 (memcached's default port, which should only ever be reachable from trusted networks):
$ sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="11211" protocol="tcp" accept'
Remove rich rules (the rule text must match the rule that was added; reload afterwards):
$ sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="10.8.0.8" port port="22" protocol="tcp" accept'
$ sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="11211" protocol="tcp" accept'
Conclusion
You now understand the basic concepts of firewalld and common examples for managing a CentOS 8 server. For more details, refer to the official firewalld documentation at https://firewalld.org/documentation/.
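As a closing worked example (added here; not from the original page or from firewalld), the two riskiest procedures above, restricting SSH to one source and forwarding a port to another host, wrapped in a script that applies them the safe way: at runtime first, so a lost session is undone by firewall-cmd --reload or a reboot, and only then persisted with --runtime-to-permanent. Inputs are validated before they reach the rich-rule string, because anything in that string is interpreted by firewalld. The firewall-cmd options used are real; the FW_DRY_RUN switch and the helper names (run, valid_ipv4_cidr, valid_port, ssh_rich_rule, restrict_ssh_to, forward_port_to_host) are this example's own. With FW_DRY_RUN=1, the default, it prints the commands it would run instead of executing them.

```bash
#!/usr/bin/env bash
# Restrict SSH to one source, and forward a port to another host, applying at
# runtime first and persisting only afterwards.  Added example, not part of
# firewalld.  FW_DRY_RUN=1 (default) prints each call; FW_DRY_RUN=0 as root
# runs it.

run() {  # run <cmd...>: in dry-run mode print the command (quoting args with spaces or quotes), else execute it
  local a out=""
  if [ "${FW_DRY_RUN:-1}" = 1 ]; then
    for a in "$@"; do
      case $a in *' '*|*'"'*) a="'$a'" ;; esac
      out="$out${out:+ }$a"
    done
    printf '%s\n' "$out"
  else
    "$@"
  fi
}

valid_ipv4_cidr() {  # a.b.c.d or a.b.c.d/len with every octet <= 255 and len 0-32
  local ip="${1%%/*}" len="${1#*/}" o
  [ "$len" = "$1" ] && len=32   # no slash: a single host
  printf '%s' "$ip"  | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  printf '%s' "$len" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$'   || return 1
  for o in $(printf '%s' "$ip" | tr . ' '); do [ "$o" -le 255 ] || return 1; done
}

valid_port() { printf '%s' "$1" | grep -Eq '^[0-9]{1,5}$' && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }

ssh_rich_rule() {  # ssh_rich_rule <ipv4 source> [port]: the rich rule from the page, built from checked inputs
  printf 'rule family="ipv4" source address="%s" port port="%s" protocol="tcp" accept' "$1" "${2:-22}"
}

restrict_ssh_to() {  # restrict_ssh_to <ipv4 source or cidr> [zone]
  local src="$1" zone="${2:-public}"
  valid_ipv4_cidr "$src" || { echo "refusing: '$src' is not an IPv4 address or CIDR" >&2; return 2; }
  # The rich rule alone changes nothing while the zone's ssh service still
  # accepts port 22 from everyone, so the service goes first.
  run firewall-cmd --zone="$zone" --remove-service=ssh
  run firewall-cmd --zone="$zone" --add-rich-rule="$(ssh_rich_rule "$src")"
  # Open a second SSH session from $src now; if it fails, 'firewall-cmd --reload'
  # brings back the saved configuration.  Persist only once that works.
  run firewall-cmd --runtime-to-permanent
}

forward_port_to_host() {  # forward_port_to_host <port> <tcp|udp> <toaddr> [toport] [zone]
  local port="$1" proto="$2" to="$3" toport="${4:-$1}" zone="${5:-public}"
  case $proto in tcp|udp) ;; *) echo "refusing: proto must be tcp or udp" >&2; return 2 ;; esac
  { valid_port "$port" && valid_port "$toport"; } || { echo "refusing: bad port" >&2; return 2; }
  { valid_ipv4_cidr "$to" && [ "${to#*/}" = "$to" ]; } || { echo "refusing: toaddr must be one IPv4 host" >&2; return 2; }
  # Forwarding to another address requires masquerading on the zone; masquerading
  # NATs all traffic leaving the zone, not just this port.
  run firewall-cmd --zone="$zone" --add-masquerade
  run firewall-cmd --zone="$zone" --add-forward-port="port=$port:proto=$proto:toport=$toport:toaddr=$to"
  run firewall-cmd --runtime-to-permanent
}

# Dry-run demo with the page's own values; FW_DRY_RUN=0 applies them for real.
restrict_ssh_to 10.8.0.8
forward_port_to_host 443 tcp 192.168.2.42
```

Because nothing here uses --permanent, a botched run is never baked into /etc/firewalld: --reload discards it. The validation matters for the rich rule in particular, since firewall-cmd passes the rule text to firewalld's rich-language parser and a source like `1.2.3.4" accept` would otherwise be handed to it unchanged.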
MaGe Linux Operations
