firewalld
firewalld is the default firewall manager on RHEL/CentOS/Rocky/AlmaLinux/Fedora. It uses zones to define trust levels.
Installation
# RHEL/CentOS/Rocky/Alma
yum install firewalld
systemctl enable --now firewalld
# Fedora
dnf install firewalld
systemctl enable --now firewalld
# Debian/Ubuntu
apt-get install firewalldZones
# List zones
firewall-cmd --get-zones # All available zones
firewall-cmd --get-default-zone # Current default zone
firewall-cmd --get-active-zones # Zones with assigned interfaces
# Zone info
firewall-cmd --zone=public --list-all
firewall-cmd --zone=internal --list-all
# Change zone
firewall-cmd --zone=internal --change-interface=eth1
firewall-cmd --permanent --zone=internal --change-interface=eth1
# Set default zone
firewall-cmd --set-default-zone=dmzCommon zones:
| Zone | Trust Level |
|---|---|
drop | Lowest — all incoming dropped |
block | All incoming rejected with ICMP |
public | Untrusted — default |
external | NAT with masquerade |
dmz | Semi-isolated |
internal | Trusted internal network |
trusted | Highest — all accepted |
Services
# List services
firewall-cmd --get-services # Available service definitions
firewall-cmd --list-services # Currently allowed services
# Add/remove services
firewall-cmd --add-service=ssh
firewall-cmd --add-service=http
firewall-cmd --add-service=https
firewall-cmd --remove-service=telnet
# With zones
firewall-cmd --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=httpPorts
# Open ports
firewall-cmd --add-port=8080/tcp
firewall-cmd --add-port=3000-3010/tcp
# Remove ports
firewall-cmd --remove-port=8080/tcp
# List open ports
firewall-cmd --list-portsRuntime vs Permanent
# Runtime only (lost on reload)
firewall-cmd --add-service=http
# Permanent (persists after reload)
firewall-cmd --permanent --add-service=http
# Apply permanent rules
firewall-cmd --reload
# Make runtime rules permanent
firewall-cmd --runtime-to-permanentRich Rules (Advanced)
# Allow from specific IP
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'
# Rate limit
firewall-cmd --add-rich-rule='rule service name="ssh" limit value="5/m" accept'
# Log and reject
firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" log prefix="blocked " reject'
# Port forwarding
firewall-cmd --add-rich-rule='rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80"'Masquerade & Port Forwarding
# Enable masquerade (NAT)
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade
# Port forwarding
firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
firewall-cmd --add-forward-port=port=443:proto=tcp:toaddr=192.168.1.100
firewall-cmd --add-forward-port=port=3306:proto=tcp:toport=3306:toaddr=10.0.0.5Panic Mode
# Emergency lockdown
firewall-cmd --panic-on # Block all traffic
firewall-cmd --panic-off # Resume normal
firewall-cmd --query-panic # Check if panic is onfirewalld Cheatsheet
firewall-cmd --list-all # Show current zone config
firewall-cmd --add-service=http # Allow HTTP (runtime)
firewall-cmd --permanent --add-service=http # Permanent
firewall-cmd --reload # Apply permanent changes
firewall-cmd --zone=public --add-port=9090/tcp # Open port
firewall-cmd --runtime-to-permanent # Save runtime rules
systemctl restart firewalld # Restart firewall