Demystifying Firewall-cmd: A Comprehensive Guide to Understanding and Managing Your Firewall Rules

    skycentral.co.uk | Demystifying Firewall-cmd: A Comprehensive Guide to Understanding and Managing Your Firewall Rules


    Firewall-cmd is a powerful command-line utility for managing firewall rules on Linux systems. It provides an easy-to-use interface to configure and control the firewall settings, allowing users to define specific rules for network traffic. In this comprehensive guide, we will demystify firewall-cmd, exploring its features, commands, and how it can be utilized to enhance security and protect your system.

    Understanding the Basics

    Before diving deep into firewall-cmd, it’s essential to grasp the fundamentals of firewalls. A firewall acts as a barrier between your system and the external world, filtering both incoming and outgoing network traffic based on preset rules. It helps secure your system by allowing only authorized connections while blocking potential threats.

    Getting Started with Firewall-cmd

    Firewall-cmd is the default command-line tool used to manage the firewall on systems using the Netfilter framework. It provides a straightforward and efficient way to create, modify, and delete firewall rules. To interact with firewall-cmd, open a terminal and execute commands as the root user or with sudo privileges.

    Checking the Firewall Status

    The first step in managing your firewall with firewall-cmd is to verify its status. To check if the firewall is running, execute the following command:

    sudo firewall-cmd –state

    This command will return one of three possible states: running, not-running, or an error. Make sure the firewall is running before proceeding further.

    Managing Zones

    Firewall-cmd uses zones to categorize network interfaces into different security levels. Each zone has a predefined set of rules and determines the traffic allowed through that interface. Some commonly used zones include public, internal, and trusted.

    To view the default zone currently assigned to your network interfaces, run the command:

    sudo firewall-cmd –get-default-zone

    To change the default zone, use the following command:

    sudo firewall-cmd –set-default-zone=

    Replace `` with the desired zone name.

    Listing Available Zones

    You can also list all the available zones by running:

    sudo firewall-cmd –get-zones

    This command will display a list of zones that you can use to categorize your network interfaces.

    Assigning Zones to Interfaces

    Once you have identified the zones, you can assign them to your network interfaces using the following command:

    sudo firewall-cmd –zone= –change-interface=

    Replace `` with the desired zone and `` with the name of your network interface.

    Defining Firewall Rules

    Now that you understand zones, it’s time to explore how to define firewall rules using firewall-cmd. Rules define what traffic is allowed or denied based on various criteria such as source IP, destination IP, and port numbers. By default, firewall-cmd operates on the default zone. To add a rule, use the following command:

    sudo firewall-cmd –zone= –add-=

    In this command, replace `` with the desired zone, `` with the chain type (i.e., `service`, `port`, or `source`), and `` with the corresponding criteria.

    Allowing Specific Services

    Firewall-cmd provides a convenient way to allow or block specific services. To allow a service, use the command:

    sudo firewall-cmd –zone= –add-service=

    Replace `` with the name of the service you wish to allow.

    Opening Ports

    If you need to open specific ports to allow incoming traffic, you can use the command:

    sudo firewall-cmd –zone= –add-port=/ “`

    Replace `` with the desired port number and `` with the corresponding protocol (e.g., `tcp` or `udp`).

    Restricting Access Based on IP

    Firewall-cmd also allows you to define rules based on source IP addresses. This can be useful for restricting access to your system from specific networks or IP ranges. To add a rule based on a source IP, execute:

    sudo firewall-cmd –zone= –add-source=

    Replace `` with the IP address or subnet you want to allow or block.

    Enabling Permanent Changes

    By default, firewall-cmd applies changes temporarily, which means they will be lost after a system reboot. To make your changes persistent, use the `–permanent` flag:

    sudo firewall-cmd –permanent –zone= –add-=

    Running this command will save the changes to the configuration files, ensuring they persist between reboots.

    Removing Rules

    If you wish to remove a rule, you will need to specify the exact criteria that were used to define it. Use the command:

    sudo firewall-cmd –zone= –remove-=

    Replace ``, ``, and `` with the appropriate parameters.

    Reloading and Restarting Firewall

    After making changes to your firewall rules, you may need to reload or restart the firewall for the changes to take effect. To reload the firewall without interrupting established connections, use:

    sudo firewall-cmd –reload

    To completely restart the firewall and terminate all connections, execute:

    sudo systemctl restart firewalld


    Firewall-cmd is a powerful tool that simplifies the management of firewall rules on Linux systems. It provides a flexible and efficient way to define specific network traffic rules, ensuring your system remains secure and protected. By understanding the basics, such as zones, rule types, and criteria, you can leverage firewall-cmd to enhance your system’s security and manage network traffic effectively. Remember to always exercise caution when configuring firewall rules and regularly review them to adapt to evolving security requirements.