How to Configure Firewalld (Basic Commands)

Installing Firewalld grants a long list of commands available for configuring iptables rules. But there are a few tasks you should understand to get started with securing your server.


Firewalld is pre-installed with our Ubuntu Cloud Server Hosting.

Basic Firewalld Commands

Firewalld Status

These systemd and Firewalld commands control whether and how Firewalld runs on your system.

Start Firewalld for the current session:

sudo systemctl start firewalld

Enable Firewalld to always start at server boot:

sudo systemctl enable firewalld

Stop Firewalld for the current session:

sudo systemctl stop firewalld

Disable Firewalld from starting at boot:

sudo systemctl disable firewalld

Check whether Firewalld is running:

sudo systemctl status firewalld

Check the Firewalld state – similar to systemctl status:

sudo firewall-cmd --state

The output will be running or not running.

Runtime Firewalld Configuration to Permanent

  • Runtime changes are temporary and removed when the firewall restarts.
  • Permanent changes are stored in configuration files.

Save the current runtime changes to the permanent configuration:

sudo firewall-cmd --runtime-to-permanent

Reload Firewalld

Reload Firewalld to apply the --permanent rules to the runtime configuration (this does not close existing connections).

Note that reloading discards any runtime-only changes, so save them first with --runtime-to-permanent if you want to keep them.

sudo firewall-cmd --reload

Firewalld Zones

Firewalld zones are predefined sets of allow rules (trust levels) that you can apply to your system as a unit.

Default Firewalld zones:

block dmz drop external home internal public trusted work

View all Firewalld zones available:

sudo firewall-cmd --get-zones

You can also view the raw zone files:

ls /etc/firewalld/zones/

See currently used zones:

sudo firewall-cmd --get-active-zones

Change the default Firewalld zone (e.g. public):

sudo firewall-cmd --set-default-zone=public

To apply a change to a specific zone instead of the default zone, add the following option to the command (e.g. public):

--zone=public

Manage Services

Predefined Firewalld services let you use a name instead of a port number and protocol (TCP or UDP), which is easier to manage.

List available services to whitelist:

sudo firewall-cmd --get-services

List currently whitelisted services:

sudo firewall-cmd --list-services

Whitelist a service for runtime only in the current zone (e.g. http):

sudo firewall-cmd --add-service=http

Whitelist a service permanently in the current zone:

sudo firewall-cmd --add-service=http --permanent

Whitelist a service permanently in a specific zone:

sudo firewall-cmd --zone=public --add-service=http --permanent

Remove a service permanently from a specific zone (e.g. dhcpv6-client from public):

sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

Manage Ports

Any port not covered by a predefined service can be managed as port/protocol (e.g. 80/tcp).

List currently open ports:

sudo firewall-cmd --list-ports

List whitelisted ports on a specific zone:

sudo firewall-cmd --zone=public --list-ports

Open a port with a specified protocol in runtime only (e.g. Mattermost):

sudo firewall-cmd --add-port=8065/tcp

Open a port permanently:

sudo firewall-cmd --add-port=8065/tcp --permanent

Remove a port in runtime only:

sudo firewall-cmd --zone=public --remove-port=8065/tcp

Remove a port permanently:

sudo firewall-cmd --zone=public --remove-port=8065/tcp --permanent
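The runtime-versus-permanent distinction above and the service and port lists in the last two sections come together in one practical check: which allowed services or ports exist only at runtime (and would vanish at the next --reload) or only in the permanent configuration (and would appear at the next --reload). The following POSIX shell drift check is an added example, not code from the original article; the two zone listings are constructed samples standing in for the output of the two firewall-cmd --list-all commands named in the top comment.

```shell
# Constructed sample listings (not captured from a real host) standing in for:
#   runtime view  : sudo firewall-cmd --zone=public --list-all
#   permanent view: sudo firewall-cmd --zone=public --list-all --permanent
RUNTIME_LISTING='public (active)
  target: default
  services: dhcpv6-client http ssh
  ports: 8065/tcp 9000/tcp
  forward-ports:
'
PERMANENT_LISTING='public
  target: default
  services: dhcpv6-client ssh
  ports: 8065/tcp
  forward-ports:
'

# zone_field LISTING FIELD: print the entries of one field ("services" or "ports").
# The ^ anchor keeps "ports:" from also matching "forward-ports:" or "source-ports:".
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^ *$2: *//p"
}

# in_first_only "LIST A" "LIST B": print the space-separated entries of A that are not in B.
in_first_only() {
  out=""
  for e in $1; do
    case " $2 " in *" $e "*) ;; *) out="$out $e" ;; esac
  done
  printf '%s\n' "${out# }"
}

# runtime_only RUNTIME PERMANENT FIELD: entries allowed now that a --reload would drop.
runtime_only() {
  in_first_only "$(zone_field "$1" "$3")" "$(zone_field "$2" "$3")"
}
# permanent_only RUNTIME PERMANENT FIELD: entries not active now that a --reload would open.
permanent_only() {
  in_first_only "$(zone_field "$2" "$3")" "$(zone_field "$1" "$3")"
}

# Report drift for the two fields this article manages; no output means no drift.
report_drift() {
  for f in services ports; do
    ro=$(runtime_only "$RUNTIME_LISTING" "$PERMANENT_LISTING" "$f")
    po=$(permanent_only "$RUNTIME_LISTING" "$PERMANENT_LISTING" "$f")
    [ -n "$ro" ] && echo "$f only at runtime (lost on --reload; keep with --runtime-to-permanent): $ro"
    [ -n "$po" ] && echo "$f only in permanent config (applied on --reload): $po"
  done
  return 0
}
report_drift
```

On a live host, replace the two constructed listings with the command substitutions named in the top comment; whatever is reported as runtime-only is exactly what --runtime-to-permanent exists to save.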

Panic Mode

Panic mode closes and blocks all incoming and outgoing connections on the machine.

If you run this while remotely connected to a machine (e.g. SSH), your session will drop and you’ll have to restart the server to regain access and reset panic mode.

Turn panic mode on:

sudo firewall-cmd --panic-on

Check panic mode status:

sudo firewall-cmd --query-panic

The output is no unless panic mode is active.

Firewalld Files

View the system configuration files, which override the default configurations:

ls /etc/firewalld

View the default ICMP type, service, and zone configurations:

Changes to these files are overwritten during firewalld updates, so put your own changes under /etc/firewalld instead.

ls /usr/lib/firewalld

Firewall-config Desktop Application

Users installing Firewalld on a Linux desktop environment can install the firewall-config GUI application to configure firewall zones on that machine.


Have any questions about Firewalld? Ask in our Community Support Center.
