Back to Cheatsheets
Cheatsheet

firewalld Firewall Cheatsheet

firewalld

firewalld is the default firewall manager on RHEL/CentOS/Rocky/AlmaLinux/Fedora. It uses zones to define trust levels.

Installation

# RHEL/CentOS/Rocky/Alma
yum install firewalld
systemctl enable --now firewalld
 
# Fedora
dnf install firewalld
systemctl enable --now firewalld
 
# Debian/Ubuntu
apt-get install firewalld

Zones

# List zones
firewall-cmd --get-zones             # All available zones
firewall-cmd --get-default-zone      # Current default zone
firewall-cmd --get-active-zones      # Zones with assigned interfaces
 
# Zone info
firewall-cmd --zone=public --list-all
firewall-cmd --zone=internal --list-all
 
# Change zone
firewall-cmd --zone=internal --change-interface=eth1
firewall-cmd --permanent --zone=internal --change-interface=eth1
 
# Set default zone
firewall-cmd --set-default-zone=dmz

Common zones:

ZoneTrust Level
dropLowest — all incoming dropped
blockAll incoming rejected with ICMP
publicUntrusted — default
externalNAT with masquerade
dmzSemi-isolated
internalTrusted internal network
trustedHighest — all accepted

Services

# List services
firewall-cmd --get-services          # Available service definitions
firewall-cmd --list-services         # Currently allowed services
 
# Add/remove services
firewall-cmd --add-service=ssh
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --remove-service=telnet
 
# With zones
firewall-cmd --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=http

Ports

# Open ports
firewall-cmd --add-port=8080/tcp
firewall-cmd --add-port=3000-3010/tcp
 
# Remove ports
firewall-cmd --remove-port=8080/tcp
 
# List open ports
firewall-cmd --list-ports

Runtime vs Permanent

# Runtime only (lost on reload)
firewall-cmd --add-service=http
 
# Permanent (persists after reload)
firewall-cmd --permanent --add-service=http
 
# Apply permanent rules
firewall-cmd --reload
 
# Make runtime rules permanent
firewall-cmd --runtime-to-permanent

Rich Rules (Advanced)

# Allow from specific IP
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
 
# Rate limit
firewall-cmd --add-rich-rule='rule service name="ssh" limit value="5/m" accept'
 
# Log and reject
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" log prefix="blocked " reject'
 
# Port forwarding
firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80"'

Masquerade & Port Forwarding

# Enable masquerade (NAT)
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
 
# Port forwarding
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --add-forward-port=port=443:proto=tcp:toaddr=192.168.1.100
firewall-cmd --add-forward-port=port=3306:proto=tcp:toport=3306:toaddr=10.0.0.5

Panic Mode

# Emergency lockdown
firewall-cmd --panic-on              # Block all traffic
firewall-cmd --panic-off             # Resume normal
firewall-cmd --query-panic           # Check if panic is on

firewalld Cheatsheet

firewall-cmd --list-all              # Show current zone config
firewall-cmd --add-service=http      # Allow HTTP (runtime)
firewall-cmd --permanent --add-service=http  # Permanent
firewall-cmd --reload                # Apply permanent changes
firewall-cmd --zone=public --add-port=9090/tcp  # Open port
firewall-cmd --runtime-to-permanent  # Save runtime rules
systemctl restart firewalld          # Restart firewall