Mastering FirewallD: A Complete Guide to Linux Firewall Management

This guide explains how to install, enable, and manage FirewallD on Linux, covering zones, services, ports, rich rules, port forwarding, and direct iptables integration, with step‑by‑step commands and visual examples to help administrators configure persistent, dynamic firewalls efficiently.

MaGe Linux Operations

Installation and Management of FirewallD

FirewallD is a front‑end controller for iptables that provides persistent network traffic rules via command‑line and graphical interfaces. It is packaged in most Linux distributions.

Key differences from direct iptables control:

Uses zones and services instead of chain rules.

Dynamically manages rule sets, allowing updates without breaking existing sessions.

FirewallD wraps iptables; it is not a replacement. While iptables commands still work, using only FirewallD commands is recommended.

Installing and Managing the Service

CentOS 7 and Fedora 20+ include FirewallD, but it is disabled by default. Control it like any other systemd unit.

Start and enable at boot:

systemctl start firewalld
systemctl enable firewalld

Stop and disable:

systemctl stop firewalld
systemctl disable firewalld

Check status (running / not running):

systemctl status firewalld

View daemon state:

firewall-cmd --state

Reload configuration:

firewall-cmd --reload

Configuration Files

FirewallD uses XML configuration. For most tasks use firewall-cmd instead of editing files directly.

Default configuration lives under /usr/lib/firewalld and should not be modified because package updates overwrite it. Custom system configuration resides in /etc/firewalld and overrides defaults.

Configuration Sets

Two sets exist: “runtime” (temporary) and “permanent”. Runtime changes disappear after a reboot; permanent changes persist but are not applied until reloaded.

By default firewall-cmd operates on the runtime set; add --permanent to affect the permanent set.

To add a rule to both sets:

firewall-cmd --add-service=http
firewall-cmd --permanent --add-service=http

Or add to permanent set then reload:

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Zones

Zones are predefined rule collections representing trust levels for a given location or scenario (e.g., public, internal, trusted). The default zone after enabling FirewallD is public.

Zones can be assigned to network interfaces, allowing different services per interface.

Find the default zone:

firewall-cmd --get-default-zone

Change the default zone:

firewall-cmd --set-default-zone=internal

Show the zone used by an interface:

firewall-cmd --get-zone-of-interface=eth0

Services

FirewallD can enable or disable predefined services. Custom service files reside in /etc/firewalld/services.

List available services:

firewall-cmd --get-services

Enable HTTP service:

firewall-cmd --add-service=http
firewall-cmd --permanent --add-service=http

Allow or Deny Arbitrary Ports/Protocols

Example: allow TCP traffic on port 12345.

firewall-cmd --add-port=12345/tcp
firewall-cmd --permanent --add-port=12345/tcp

Port Forwarding

Forward traffic from port 80 to port 12345 on the same host:

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=12345

To forward to another server, enable masquerade in the zone and add a forward rule (123.456.78.9 below is a placeholder, not a valid address; substitute the real destination):

firewall-cmd --zone=public --add-masquerade
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toaddr=123.456.78.9:toport=8080

Remove a rule with --remove instead of --add:

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=12345
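The permanent set described under Configuration Files, including the masquerade and forward-port settings above, ends up in /etc/firewalld/zones/<zone>.xml. The following added Python example (not firewalld's own code) parses a constructed zone file of that shape and flags the settings a reviewer would want to confirm are intended; parse_zone and audit_zone are hypothetical helper names.

```python
"""Parse a firewalld permanent zone file and flag settings to review.
Added example, not firewalld's own code; the zone XML below is constructed
to match what `firewall-cmd --permanent` writes under /etc/firewalld/zones/."""
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/public.xml after the commands above.
SAMPLE_ZONE_XML = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="http"/>
  <port port="12345" protocol="tcp"/>
  <masquerade/>
  <forward-port port="80" protocol="tcp" to-port="8080" to-addr="192.0.2.10"/>
  <rule family="ipv4">
    <source address="192.168.1.10"/>
    <port port="22" protocol="tcp"/>
    <reject/>
  </rule>
</zone>
"""


def parse_zone(xml_text):
    """Return the zone's permanent settings as plain Python data."""
    root = ET.fromstring(xml_text)
    # findall() matches direct children only, so the <port> inside <rule> is not counted here.
    return {
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [f'{p.get("port")}/{p.get("protocol")}' for p in root.findall("port")],
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": [dict(f.attrib) for f in root.findall("forward-port")],
        "rich_rules": len(root.findall("rule")),
    }


def audit_zone(zone):
    """Findings a defender should confirm are intended before trusting the zone."""
    findings = []
    if zone["masquerade"]:
        findings.append("masquerade enabled: this host will NAT traffic it forwards")
    for fp in zone["forward_ports"]:
        if "to-addr" in fp:  # forward leaves the host; needs masquerade to work
            findings.append(f'forward {fp["port"]}/{fp["protocol"]} to another host '
                            f'{fp["to-addr"]}:{fp.get("to-port", fp["port"])}')
    for p in zone["ports"]:
        findings.append(f"raw port {p} open: a named service file documents intent better")
    return findings


if __name__ == "__main__":
    for line in audit_zone(parse_zone(SAMPLE_ZONE_XML)):
        print(line)
```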

Rich Rules

Rich rules provide a more expressive syntax for complex scenarios. Manage them with --add-rich-rule, --list-rich-rules, and --remove-rich-rule. Examples:

Allow all IPv4 traffic from 192.168.0.14:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.14" accept'

Reject TCP traffic to port 22 from 192.168.1.10:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.10" port protocol="tcp" port="22" reject'

Forward IPv4 traffic from 10.1.0.3 port 80 to port 6532:

firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.1.0.3" forward-port port="80" protocol="tcp" to-port="6532"'
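Rich rules are easy to mistype, and firewall-cmd only reports the error when the rule is applied. The following added Python example (not part of firewalld) assembles the accept, reject and forward-port forms shown above from validated parts, deriving the family from the source address and rejecting an impossible address such as 123.456.78.9 before anything reaches the firewall; build_rich_rule, _port and firewall_cmd_argv are hypothetical helpers.

```python
"""Build firewalld rich-rule strings from validated parts, so a bad address
or action fails here instead of at firewall-cmd. Added example, not part of
firewalld; build_rich_rule and firewall_cmd_argv are hypothetical helpers."""
import ipaddress

ACTIONS = {"accept", "reject", "drop"}


def _port(value):
    """Accept 1-65535 only; firewalld rejects anything else at apply time."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def build_rich_rule(source, action=None, port=None, protocol="tcp",
                    to_port=None, to_addr=None):
    """Return a rule string for --add-rich-rule. source is an address or CIDR;
    the family is derived from it. Give to_port for a forward-port rule."""
    net = ipaddress.ip_network(source, strict=False)  # ValueError on 123.456.78.9
    addr = str(net.network_address) if net.prefixlen == net.max_prefixlen else net.with_prefixlen
    parts = [f'rule family="ipv{net.version}"', f'source address="{addr}"']
    if to_port is not None:  # forward-port rules carry no separate action
        if port is None:
            raise ValueError("forward-port needs the incoming port")
        fwd = f'forward-port port="{_port(port)}" protocol="{protocol}" to-port="{_port(to_port)}"'
        if to_addr is not None:
            fwd += f' to-addr="{ipaddress.ip_address(to_addr)}"'
        return " ".join(parts + [fwd])
    if port is not None:
        parts.append(f'port port="{_port(port)}" protocol="{protocol}"')
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    return " ".join(parts + [action])


def firewall_cmd_argv(rule, zone=None, permanent=False):
    """argv for subprocess.run: no shell, so the rule's quotes need no escaping."""
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone:
        argv.append(f"--zone={zone}")
    argv.append(f"--add-rich-rule={rule}")
    return argv
```

Pass the returned argv to subprocess.run for the runtime set, then again with permanent=True, mirroring the two-command pattern used throughout this guide.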

Direct Interface to iptables

For advanced users, FirewallD offers a direct interface to pass raw iptables commands. Direct rules are not persistent unless added with --permanent.

List custom chains and rules added via the direct interface:

firewall-cmd --direct --get-all-rules
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
