What Is firewalld? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
What do you want to do?
Quick Definition
firewalld is a program that manages the firewall on many Linux computers. It decides what network traffic is allowed to go in or out of the computer. You can set different rules for different situations, like being at home or in a coffee shop. It helps keep your computer safe from unwanted connections.
Common Commands & Configuration
firewall-cmd --zone=public --add-service=http --permanentAdds the HTTP service to the public zone permanently, so it survives a reboot.
Tests understanding of the --permanent flag. Always look for 'permanent' or 'runtime' distinction in exam questions.
firewall-cmd --zone=internal --add-source=192.168.1.0/24Defines a trusted source IP range for the internal zone, allowing traffic from that subnet to be subject to internal zone rules.
Common exam scenario: restricting access to sensitive services by source IP. Remember source restrictions override default zone behavior.
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 port protocol=tcp port=3306 accept'Adds a rich rule to accept TCP traffic on port 3306 (MySQL) from the 10.0.0.0/8 network. Rich rules allow advanced conditionals.
Rich rules are a frequent exam topic. Know the syntax: rule family, source address, port protocol, port number, and action (accept/reject/drop).
firewall-cmd --list-services --zone=workLists all services currently enabled in the 'work' zone, including both runtime and permanent if not specified.
Useful for verifying configuration. Exam questions often ask 'which command shows enabled services in a zone' or 'list services in zone X'.
firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 12345 -j ACCEPTAdds a direct iptables rule to accept TCP port 12345, bypassing zone management. Used for legacy compatibility.
Direct rules appear in advanced exams. Know that they are not recommended for normal use due to lack of zone integration and difficulty in management.
firewall-cmd --add-port=8080/tcp --zone=publicOpens TCP port 8080 in the public zone for the current runtime session. No permanent flag means it will be lost on reboot.
Testing understanding of runtime vs permanent. Also port syntax (port/protocol). Common mistake: using a port without specifying protocol.
firewall-cmd --reloadReloads the firewall rules from permanent configuration, applying any changes made with --permanent and discarding runtime-only changes.
Distinguish from --complete-reload. This one keeps state and uptime. Often asked: 'what command applies permanent changes without full reload?'
firewalld appears directly in 22exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on Cisco CCNA. Practise them →
Must Know for Exams
firewalld is a core topic in several major IT certifications, particularly those from Red Hat and the Linux Professional Institute. For the Red Hat Certified System Administrator (RHCSA) exam, knowing how to configure a basic firewall using firewalld is a key objective under network configuration and security. Candidates must be able to open ports, enable services, and set default zones.
The Red Hat Certified Engineer (RHCE) exam goes further, requiring advanced firewall concepts like creating custom services and zones, configuring port forwarding, and setting up masquerading. The CompTIA Linux+ exam (XK0-005) also covers firewalld under domain 4: Security. Questions may ask how to permanently allow HTTPS traffic, or how to change the default zone.
The LPIC-1 certification (101-500 and 102-500) includes objectives related to firewall configuration, where candidates must understand the difference between runtime and permanent changes. In these exams, multiple-choice questions often present a scenario where a service is not accessible, and the candidate must identify the firewalld command or configuration that fixes it. Performance-based questions may require the candidate to actually run firewall-cmd commands in a simulated environment.
For example, you might be asked to add the HTTP service to the public zone and make it permanent. Another common question type is troubleshooting: a web server is running but clients cannot connect, and the candidate must check that the firewall is not blocking port 80. Understanding the difference between services and ports is critical.
Some questions will give a port number and ask you to open it directly, while others will ask for a predefined service name. Knowing that runtime changes are lost after a reboot unless made permanent is a frequent exam point. The trap often involves a candidate using only runtime changes and then rebooting, only to find the rules gone.
firewalld also appears in context with other security tools like SELinux, where a denial may be due to SELinux policies rather than the firewall. Exams test your ability to isolate the cause. Firewalld is not a peripheral topic; it is a primary objective for Linux security exams, and mastering it is essential for achieving certification.
Simple Meaning
Think of firewalld as the security guard at the entrance of a large office building. This guard has a list of rules about who can enter, which doors they can use, and what they can bring inside. But the guard doesn’t just stand at one door all day.
Different parts of the building have different levels of security. The main lobby might be open to everyone, but the server room only allows authorized personnel with special badges. firewalld works the same way for your computer or network.
It uses something called zones to group network connections by how trustworthy they are. For example, your home Wi-Fi might be in a trusted zone, while a public coffee shop network is in a public zone with strict rules. When any data tries to enter or leave your system, firewalld checks its list of rules for the active zone.
If the traffic follows the rules, it passes. If not, the guard blocks it. This dynamic system can also update rules without restarting, which is like the security guard getting updates on his walkie-talkie without having to stop working.
This makes firewalld flexible and efficient for real-world use where networks change frequently.
Full Technical Definition
firewalld is a daemon that provides a dynamically managed firewall for Linux systems, using the netfilter kernel framework (iptables, nftables) in the background. It introduces a zone-based security model, where each zone defines a trust level for network interfaces or sources. Common zones include public, internal, trusted, and dmz, each with predefined default policies.
Administrators can assign interfaces or IP ranges to specific zones, and then define rich rules, services, or ports allowed within each zone. firewalld supports both IPv4 and IPv6, as well as Ethernet bridges (ebtables), and integrates with NetworkManager to handle network changes dynamically. The core components include the firewalld daemon, the firewall-cmd command-line tool, and configuration files stored in XML format under /etc/firewalld/.
Runtime changes are applied immediately without service restart, and can be made permanent by adding the --permanent flag. firewalld also supports direct rules for low-level iptables commands, but best practice recommends using the zone and service abstraction. The service definition files contain predefined port and protocol entries for common applications like SSH (port 22/tcp) or HTTP (80/tcp).
firewalld uses the concept of "sources" to allow control based on IP address or subnet beyond just interfaces. It also supports masquerading (NAT) for internet connection sharing, port forwarding, and rich language rules for complex conditions like logging, rate limiting, and state inspection. The default configuration in many enterprise distributions such as Red Hat Enterprise Linux, CentOS, and Fedora uses firewalld as the primary firewall management tool.
The dynamic nature means that changes can be made during a session without tearing down existing connections, which is critical for production environments where uptime is paramount. firewalld runs as a service (firewalld.service) and can be controlled via systemctl.
It maintains a set of default zones and services, and administrators can create custom ones. The policy objects in newer versions allow even finer-grained control over packet flow. In the context of IT certifications, understanding how to configure zones, add services, open ports, and set default policies is essential for security administration objectives.
The daemon uses the nftables backend by default in modern distributions (RHEL 9+, Fedora), replacing the older iptables backend, though it remains backward compatible.
Real-Life Example
Imagine you are hosting a birthday party at your house. You have different areas: the front yard that is open to everyone, the living room where you invite your close friends, and your private bedroom where only family can enter. firewalld works like the party manager who decides who gets access to which area based on the guest list.
When the doorbell rings (a network connection request), the manager checks who is at the door and their current zone assignment. If a delivery person arrives with a pizza (like a web server request), the manager might allow them into the front yard (public zone) but not into the living room. Your best friend coming in gets full access to the living room (internal zone).
Now, if you decide halfway through the party that you want to let the neighbor also come into the living room, you just tell the manager to update the rule for that guest. The manager does this without stopping the music or closing doors. That is exactly what firewalld does when you run a command to allow a new service without restarting the firewall.
The manager also has a binder with predefined guest categories (services) like pizza delivery or plumber that automatically know which port to use. If a guest shows up with a strange costume, the manager can issue a direct command to block them, similar to firewalld's rich rules that handle unusual traffic patterns. This entire system ensures that while the party runs smoothly, unwanted guests are kept out, and changes happen without disruption.
Why This Term Matters
firewalld matters because it is the default firewall management tool on many enterprise Linux distributions, including Red Hat Enterprise Linux and CentOS. For IT professionals, knowing firewalld is not just a theoretical skill but a practical necessity when managing servers, securing networks, and troubleshooting connectivity issues. In a typical data center or cloud environment, Linux servers run critical applications that must be protected from unauthorized access while allowing legitimate traffic.
firewalld provides a structured way to set up these protections without manually editing complex iptables rules. Its zone-based design allows administrators to apply different security policies to different network interfaces, such as a public-facing web server interface and an internal management interface. This reduces the risk of misconfiguration and makes the firewall more understandable.
Firewalld's ability to make runtime changes without restarting the service is crucial in production. A restart could drop all active connections, causing downtime for users. With firewalld, you can test a rule immediately and only make it permanent after verifying it works.
This reduces human error and speeds up troubleshooting. In the context of IT certifications, firewalld appears in objectives related to system security, network configuration, and service management. Candidates need to know how to check firewall status, enable or disable services, add ports, create custom zones, and troubleshoot common issues like forgotten rules or zone mismatches.
Without this knowledge, a simple networking problem can become a time-consuming mystery. firewalld also integrates with other system components like NetworkManager and SELinux, so understanding it helps form a holistic view of Linux security architecture. In short, firewalld is a foundational skill for anyone pursuing a career in Linux system administration or network security.
How It Appears in Exam Questions
firewalld questions in IT certification exams typically fall into three categories: scenario-based, command-based, and troubleshooting. In scenario-based questions, you are given a description of a server setup and asked to configure the firewall accordingly. For example, a question might say: "A web server listening on port 8080 needs to be accessible from the public zone.
Which command sequence will make this change persistent?" The correct answer would involve adding a custom port or service and then using the --permanent flag. Command-based questions directly test your knowledge of firewall-cmd syntax.
They might ask: "Which command checks if the SSH service is allowed in the current zone?" The answer is firewall-cmd --query-service=ssh. Alternatively, they might ask: "Which option lists all available zones?"
The answer is firewall-cmd --get-zones. Troubleshooting questions are common in performance-based sections. You might be presented with a terminal and a service that is unreachable.
You must install the service, start it, and then configure the firewall to allow traffic. Another typical scenario: after a system reboot, a previously working service stops working. The candidate must deduce that the firewall rules were only runtime and need to be made permanent.
Some questions combine firewalld with other networking tools like ip, ss, or netstat. For example, after confirming a service is listening on a port, the next step is to check if the firewall is blocking it. Questions may also ask about default zones.
For instance: "What is the default zone for a newly added interface in firewalld?" The answer is typically 'public' on most distributions. Another common pattern: "An administrator wants to block all incoming traffic except SSH and HTTP.
Which approach is best?" The answer is to set the default zone to drop, then add services to the zone. Questions about rich rules might ask: "Which rich rule logs all incoming traffic to port 22?"
The answer would be a rule with log prefix. Multiple-choice questions often include distractors that confuse runtime vs permanent, or that use incorrect commands like iptables -A instead of firewall-cmd. Understanding these patterns and the exact syntax of firewall-cmd is critical for success.
Practise firewalld Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a junior administrator for a small company. The CEO asks you to set up a new file server that runs Linux. The server has two network interfaces: eth0 connects to the internal office network, and eth1 connects to the internet for software updates.
The CEO wants the file server to be accessible only from the internal network, but it also needs to get updates from the internet. You decide to use firewalld to control this. First, you set the default zone for eth1 to 'public', which already blocks most inbound traffic.
Then you assign eth0 to the 'trusted' zone so that internal office computers can access the server without restriction. But you also need to allow the server to download updates, which means outbound traffic from eth1 must be allowed. The default zone policies allow outbound traffic, so that is already set correctly.
However, you also want to make sure that file-sharing service (Samba) is allowed on the internal zone. You use firewall-cmd to add the samba service to the trusted zone and make it permanent. You also want to enable a custom port for a legacy application that runs on port 4444 within the office.
You add that as a port rule to the trusted zone. After a few days, the CEO reports that some employees cannot connect to the file server. You check the firewall status and realize that the internal network interface was mistakenly left in the public zone during a reboot.
The problem occurred because you forgot to make the zone assignment permanent. You use firewall-cmd --change-interface=eth0 --zone=trusted --permanent and reload. Now the connection works.
This scenario demonstrates how simple zone misassignment or forgetting permanent flag can lead to issues, and how firewalld's dynamic model helps you test changes before making them permanent.
Common Mistakes
Forgetting to use the --permanent flag when adding a rule
Without --permanent, the rule is applied only in the runtime configuration. After a system restart or firewalld reload, the rule is lost, which can cause unexpected service outages.
Always add --permanent to any rule you want to survive reboots. After adding the rule, run firewall-cmd --reload to confirm the permanent rule takes effect.
Assuming the default zone is 'trusted' or 'internal'
The default zone is typically 'public', which blocks many incoming connections by default. If someone assigns a new interface without specifying a zone, it goes to the default zone, which may not have the desired permissions.
Check the default zone using firewall-cmd --get-default-zone. Explicitly assign each interface to the correct zone with firewall-cmd --zone=<zone> --add-interface=<interface> --permanent.
Opening a port when a predefined service exists
Using a raw port rule bypasses the service abstraction, which can make the firewall configuration messy and harder to audit. It also misses the convenience of predefined port lists and descriptions.
Check if a service definition exists using firewall-cmd --get-services. For example, to allow HTTP, use --add-service=http instead of --add-port=80/tcp.
Confusing runtime and permanent configuration in troubleshooting
When troubleshooting, a technician might check runtime rules only and miss that the permanent rules differ. This leads to incorrect diagnosis and wasted time.
Always check both runtime and permanent configurations separately. Use firewall-cmd --list-all for runtime and add --permanent to list permanent rules.
Exam Trap — Don't Get Fooled
{"trap":"A question states: 'After adding a rule to allow port 8080 using firewall-cmd --add-port=8080/tcp, the service works immediately, but after a reboot it stops working. What is the most likely cause?' The trap answer is 'The service was not running after reboot.'
","why_learners_choose_it":"Learners think that because the service worked before, the issue must be the service not starting, overlooking the fact that the firewall rule was not made permanent.","how_to_avoid_it":"Always remember that firewall-cmd changes without --permanent are runtime only. After reboot, only permanent rules apply.
So the first step is to check the permanent firewall configuration. If the rule is not there, that is the problem, not the service itself."
Commonly Confused With
iptables is an older, lower-level tool that directly manipulates netfilter rules without the zone and service abstraction. firewalld can use iptables as a backend but provides a dynamic, user-friendly interface. iptables requires manual rule ordering and lacks the concept of zones.
Allowing SSH in iptables requires a rule like 'iptables -A INPUT -p tcp --dport 22 -j ACCEPT'. In firewalld, it is simply 'firewall-cmd --add-service=ssh'.
ufw is another firewall management tool common on Ubuntu/Debian. It is simpler than firewalld but less feature-rich. ufw does not use zones; it uses a single set of rules and supports application profiles. firewalld is more common in enterprise Red Hat-based distributions.
On Ubuntu, you might run 'ufw allow 22/tcp'. On RHEL, you run 'firewall-cmd --add-service=ssh'.
nftables is the modern packet filtering framework that replaces iptables. firewalld can use nftables as its backend. nftables is a low-level tool, while firewalld provides a higher-level interface using zones and services. You do not directly use nftables for basic firewall management in most exams.
To block traffic in nftables, you write a chain and rule. In firewalld, you simply change the default zone to 'drop'.
Step-by-Step Breakdown
Check Current Firewall Status
Run 'systemctl status firewalld' to ensure the daemon is running. If not, start it with 'systemctl start firewalld'. This is the first step in any firewall task because you cannot manage what is not running.
Identify Active Zone
Use 'firewall-cmd --get-active-zones' to list zones currently in use and their assigned interfaces. This tells you which zone is handling traffic for each network connection. Without this, you might apply rules to the wrong zone.
Check Current Rules in the Active Zone
Use 'firewall-cmd --list-all' to see services, ports, and rules in the default zone. To see a specific zone, use '--zone=public --list-all'. This reveals what is currently allowed or blocked and helps identify if a needed service is missing.
Add a Service or Port Rule
To allow a service like HTTP, run 'firewall-cmd --add-service=http'. For a custom port, run 'firewall-cmd --add-port=8080/tcp'. This opens the necessary incoming traffic. If you want the change to survive reboot, add the '--permanent' flag and then reload.
Make Rules Permanent
Run the same commands but with '--permanent'. For example: 'firewall-cmd --permanent --add-service=http'. Then reload the firewall with 'firewall-cmd --reload' to apply permanent rules to the runtime environment without reboot.
Test and Verify
From a client machine, try to connect to the service (e.g., use a browser for HTTP). Also verify with 'firewall-cmd --list-all' to confirm the rule appears. If it does not, repeat the steps. This step catches mistakes before they cause downtime.
Practical Mini-Lesson
In practical IT work, firewalld is not just about opening ports. It is about designing a security posture that balances accessibility with protection. When you first log into a new Linux server, the first thing you should do is check the firewall status and understand the current zone assignments.
Many administrators make the mistake of assuming the firewall is off because they can connect via SSH on a local network. But often the firewall is active and only allows SSH by default. To check all zones, use 'firewall-cmd --list-all-zones'.
This gives you a complete picture. One common task is creating a custom service. For example, if your organization uses an internal tool on port 54321/tcp, you can create a service definition file under /etc/firewalld/services/.
The file is an XML that defines the port and a description. Then you can add it using '--add-service=mytool'. This improves maintainability. Another important concept is rich rules.
Rich rules allow granular control based on source IP, logging, rate limiting, and even time-based access. For instance, to limit SSH connection attempts from a specific subnet to prevent brute force, you can create a rich rule with rate limit. The syntax is: 'firewall-cmd --add-rich-rule="rule family=ipv4 source address=192.
168.1.0/24 service name=ssh accept"'. This is more advanced but appears in higher-level exams like RHCE. In production, you also need to consider direct integration with NetworkManager.
When an interface reconnects, firewalld automatically applies the correct zone if configured. But if you manually changed the interface assignment only at runtime, that change is lost after a disconnect. Therefore, always use '--permanent' for interface-zone bindings.
Troubleshooting a firewall issue often involves checking the logs. Use 'journalctl -u firewalld' to see if the daemon has errors or if a rule is being denied. Also, you can enable logging via rich rules to capture denied packets.
Common errors include trying to add a service that does not exist, or forgetting that zones have a default policy. The public zone default policy is 'default: reject' or 'drop' depending on distribution, which means any traffic not explicitly allowed is blocked. Understanding this default behavior is crucial.
Finally, professionals should version-control firewall configuration files. The XML files in /etc/firewalld/ can be backed up and restored. This is essential for disaster recovery and change management.
Firewalld is powerful but requires systematic understanding of its abstraction layers to avoid common pitfalls.
Understanding firewalld Zones and Rule Management
Firewalld is a dynamic firewall management tool for Linux systems that uses the concept of zones to organize and apply network traffic rules. Unlike older iptables-based firewalls, firewalld provides a more flexible and service-oriented approach to network security. Zones represent a level of trust for network connections, with predefined sets of rules that can be customized.
Common zones include 'public' for untrusted networks, 'internal' for trusted LANs, and 'dmz' for demilitarized zones hosting public-facing services. Each zone can have rules for incoming traffic, outgoing traffic, and forwarding, along with service definitions and port configurations. Firewalld uses the firewalld daemon to manage firewall rules dynamically, meaning changes can be applied immediately without restarting the firewall and without disrupting existing connections.
This is a key advantage over iptables, which often requires a full rule reload. The core structure involves zones, services, ports, sources, and rich rules. Services simplify rule creation by referencing standard protocol and port pairs, such as ssh for TCP port 22.
Ports allow direct specification of protocols and port numbers. Sources let you define trusted IP addresses or subnets. Rich rules provide advanced capabilities like rate limiting, logging, and time-based rules.
The default zone is critical because any network interface not assigned to a specific zone automatically belongs to it. For exam purposes, understanding how to assign interfaces to zones, change the default zone, and list all zones is essential. Commands like firewall-cmd --get-default-zone, firewall-cmd --list-all-zones, and firewall-cmd --zone=public --change-interface=eth0 are commonly tested.
Firewalld also supports direct rules for iptables compatibility, but these should be used sparingly as they bypass zone logic. In certification exams, you might be asked to configure a server to allow HTTPS traffic only from a specific subnet. This involves creating a custom zone, setting the source, and adding the port or service.
The dynamic nature of firewalld means you can test rules in runtime mode before making them permanent. The distinction between runtime and permanent configuration is a frequent exam topic: runtime changes are lost on reboot unless committed with --permanent. Understanding how firewalld interacts with NetworkManager is also important, as NetworkManager can automatically apply zones to interfaces.
Overall, firewalld zones provide a straightforward way to segment network traffic and enforce security policies without complex iptables scripting.
Firewalld Service and Port Configuration for Exam Success
Firewalld simplifies firewall management by abstracting common network services into predefined service definitions. Each service file, located under /usr/lib/firewalld/services, contains the protocol and port number for that service, as well as optional descriptions and destination addresses. For example, the 'http' service opens TCP port 80, while 'https' opens TCP port 443.
This abstraction means you don't need to remember exact port numbers; you can simply add a service by name. However, exams often test your ability to work with custom ports, such as opening TCP port 8080 for a custom web application. This requires using the firewall-cmd --add-port command with the appropriate protocol, like --port=8080/tcp.
When you add a service or port, it affects only the current runtime configuration unless you include the --permanent flag. A common mistake is forgetting to make runtime changes permanent, which we see in many certification questions. Another frequent scenario is configuring a bastion host or jump box that needs SSH access from a specific IP range.
This combines service addition and source restriction: firewall-cmd --zone=internal --add-service=ssh --add-source=192.168.1.0/24. Rich rules can add further granularity, like logging dropped packets or limiting connection rates to prevent DoS attacks.
The rich rule syntax is XML-like: firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.0.0.0/8 port protocol=tcp port=3306 accept'. Exams may require constructing such rules.
You must know how to list all services, check which services are enabled in a zone, and remove services or ports. The commands firewall-cmd --list-services, firewall-cmd --list-ports, and firewall-cmd --list-rich-rules are essential. Understanding the concept of default services and how to create custom service files under /etc/firewalld/services can also appear in advanced exam scenarios.
For example, you might be asked to define a service for a proprietary application using TCP port 12345. You would need to create an XML file with the correct structure and then reload firewalld. Another important aspect is the difference between direct rules and service configuration.
Direct rules bypass zone logic and are often used for complex NAT or port forwarding, but they can be tricky to debug. In exam contexts, you should prefer zone-based configuration over direct rules. Finally, remember that firewalld services can include both TCP and UDP protocols, and some services like DNS require both.
The firewall-cmd command supports homogenous and heterogeneous zone configurations, and you should be comfortable switching between them. A solid grasp of service and port configuration is crucial for network security exams, as it demonstrates practical understanding of how to secure a Linux system.
Memory Tip
Remember the mnemonic 'P-R-T' for firewalld: Permanent changes need a Reload, and always Test after changes. This helps avoid the common mistake of forgetting the permanent flag.
Learn This Topic Fully
This glossary page explains what firewalld means. For a complete lesson with labs and practice, see the topic guide.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →XK0-006CompTIA Linux+ →N10-009CompTIA Network+ →220-1102CompTIA A+ Core 2 →SC-900SC-900 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
XK0-005XK0-006(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
Quick Knowledge Check
1.Which command makes a firewalld change survive a system reboot?
2.What is the default zone for a newly added network interface in firewalld?
3.A service file in firewalld contains which information?
4.How do you add a custom port (TCP 8080) permanently to the internal zone?
5.What does the command 'firewall-cmd --reload' do?
Frequently Asked Questions
What is the difference between runtime and permanent configuration in firewalld?
Runtime configuration applies immediately but is lost after a reboot or service reload. Permanent configuration is saved to disk and persists across reboots. To make a runtime change permanent, you add the --permanent flag and then run firewall-cmd --reload.
How do I allow a port in firewalld?
Use the command 'firewall-cmd --add-port=port_number/protocol'. For example, 'firewall-cmd --add-port=8080/tcp'. To make it permanent, include --permanent and then reload.
How do I check which services are allowed in the current zone?
Use 'firewall-cmd --list-services' to see services allowed in the default zone. For a specific zone, use 'firewall-cmd --zone=public --list-services'.
What is the default zone in firewalld?
The default zone is typically 'public' in most distributions. It blocks most incoming traffic except for explicitly allowed services like SSH. You can check the default zone with 'firewall-cmd --get-default-zone'.
How do I set the default zone in firewalld?
Use 'firewall-cmd --set-default-zone=zone_name' to set the default zone. This change applies immediately and is permanent because it is a global setting.
Why do my firewall rules disappear after rebooting?
Because you did not make them permanent. Changes made without the --permanent flag are only applied to the runtime configuration. Always add --permanent and then reload to ensure rules survive reboots.
Summary
firewalld is a dynamic firewall management tool for Linux that provides a zone-based security model, making it easier to manage network traffic rules. It is the default firewall solution on RHEL, CentOS, and Fedora, making it essential knowledge for IT professionals pursuing certifications like RHCSA, RHCE, and CompTIA Linux+. Understanding its zones, services, and the distinction between runtime and permanent configurations is critical.
Many mistakes in exams and real-world scenarios stem from forgetting to make rules permanent or misassigning interfaces to zones. firewalld works by using the netfilter or nftables kernel framework but abstracts the complexity into easy-to-use commands like firewall-cmd. In exams, questions often test your ability to open ports or services, change zones, and troubleshoot connectivity issues.
Mastering firewalld will not only help you pass certification exams but also prepare you for real-world Linux system administration. It is a major topic with practical significance, so invest time in hands-on practice with the command line.