Firewall-cmd Commands

firewall-cmd command reference for managing the firewalld firewall on RHEL, CentOS and Fedora. Commands without --permanent change only the running configuration and are lost on reload; commands with --permanent are saved but take effect only after a reload.

Basic Operations

firewall-cmd --state

Check if firewalld is running

firewall-cmd --get-active-zones

List active zones

firewall-cmd --get-default-zone

Show default zone

firewall-cmd --list-all

List all settings for default zone

firewall-cmd --list-all-zones

List all settings for all zones

firewall-cmd --reload

Reload firewall rules

firewall-cmd --complete-reload

Complete reload (also resets connection tracking state, so established connections are dropped)

systemctl start firewalld

Start firewalld service

systemctl stop firewalld

Stop firewalld service

systemctl enable firewalld

Enable firewalld at boot

systemctl disable firewalld

Disable firewalld at boot

Zone Management

firewall-cmd --get-zones

List all available zones

firewall-cmd --set-default-zone=public

Set default zone to public

firewall-cmd --zone=public --list-all

List all settings for public zone

firewall-cmd --get-zone-of-interface=eth0

Get zone of interface

firewall-cmd --zone=public --add-interface=eth0

Add interface to zone

firewall-cmd --zone=public --change-interface=eth0

Move interface to this zone (removing it from its current zone)

firewall-cmd --zone=public --remove-interface=eth0

Remove interface from zone

firewall-cmd --new-zone=custom --permanent

Create new zone (only possible with --permanent; reload to activate)

firewall-cmd --delete-zone=custom --permanent

Delete zone

Service Management

firewall-cmd --get-services

List all available services

firewall-cmd --list-services

List enabled services in default zone

firewall-cmd --zone=public --list-services

List services in specific zone

firewall-cmd --add-service=http

Add HTTP service (runtime only, lost on reload)

firewall-cmd --add-service=http --permanent

Add HTTP service (permanent; active after --reload)

firewall-cmd --remove-service=http

Remove HTTP service (temporary)

firewall-cmd --remove-service=http --permanent

Remove HTTP service (permanent)

firewall-cmd --zone=public --add-service=https --permanent

Add HTTPS to public zone

firewall-cmd --info-service=ssh

Show service information

Port Management

firewall-cmd --list-ports

List open ports in default zone

firewall-cmd --add-port=8080/tcp

Open TCP port 8080 (temporary)

firewall-cmd --add-port=8080/tcp --permanent

Open TCP port 8080 (permanent)

firewall-cmd --add-port=5000-5100/tcp --permanent

Open TCP port range

firewall-cmd --remove-port=8080/tcp

Close TCP port 8080 (temporary)

firewall-cmd --remove-port=8080/tcp --permanent

Close TCP port 8080 (permanent)

firewall-cmd --zone=public --add-port=443/tcp --permanent

Open port in specific zone

firewall-cmd --add-port=53/udp --permanent

Open UDP port 53 (DNS)

Rich Rules

firewall-cmd --list-rich-rules

List all rich rules

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" accept'

Accept from subnet

firewall-cmd --add-rich-rule='rule family="ipv4" source address="10.0.0.1" reject'

Reject specific IP

firewall-cmd --add-rich-rule='rule service name="ssh" accept' --permanent

Accept SSH service (permanent)

firewall-cmd --add-rich-rule='rule port port="8080" protocol="tcp" accept'

Accept TCP port 8080

firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.1.100" port port="22" protocol="tcp" accept'

Accept SSH from specific IP

firewall-cmd --remove-rich-rule='rule family="ipv4" source address="10.0.0.1" reject'

Remove rich rule

Source Management

firewall-cmd --list-sources

List source addresses

firewall-cmd --add-source=192.168.1.0/24

Add source subnet

firewall-cmd --add-source=192.168.1.0/24 --permanent

Add source subnet (permanent)

firewall-cmd --remove-source=192.168.1.0/24

Remove source subnet

firewall-cmd --zone=trusted --add-source=10.0.0.0/8 --permanent

Add source to trusted zone

firewall-cmd --get-zone-of-source=192.168.1.100

Get zone of source IP

Port Forwarding

firewall-cmd --list-forward-ports

List port forwarding rules

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

Forward port 80 to 8080

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=192.168.1.100

Forward to a different host (needs masquerading enabled on the zone)

firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=8080

Remove port forward

firewall-cmd --add-masquerade

Enable masquerading (source NAT for traffic leaving the zone)

firewall-cmd --remove-masquerade

Disable masquerading

firewall-cmd --query-masquerade

Check if masquerading is enabled

ICMP Management

firewall-cmd --get-icmptypes

List available ICMP types

firewall-cmd --list-icmp-blocks

List blocked ICMP types

firewall-cmd --add-icmp-block=echo-request

Block ping requests

firewall-cmd --add-icmp-block=echo-request --permanent

Block ping (permanent)

firewall-cmd --remove-icmp-block=echo-request

Unblock ping requests

firewall-cmd --add-icmp-block-inversion

Invert ICMP block (allow only listed)

Direct Rules

firewall-cmd --direct --get-all-rules

List all direct rules

firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

Add direct iptables rule (priority 0; the direct interface is deprecated in newer firewalld releases in favour of policies)

firewall-cmd --direct --remove-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

Remove direct rule

firewall-cmd --direct --add-chain ipv4 filter CUSTOM_CHAIN

Add custom chain

firewall-cmd --direct --get-chains ipv4 filter

List chains

Panic Mode

firewall-cmd --panic-on

Enable panic mode (drop all incoming and outgoing traffic)

firewall-cmd --panic-off

Disable panic mode

firewall-cmd --query-panic

Check if panic mode is enabled

Lockdown

firewall-cmd --lockdown-on

Enable lockdown mode (only applications on the lockdown whitelist may change firewall configuration)

firewall-cmd --lockdown-off

Disable lockdown mode

firewall-cmd --query-lockdown

Check lockdown status

Configuration Files

ls /etc/firewalld/zones/

List zone configuration files

ls /etc/firewalld/services/

List service configuration files

cat /etc/firewalld/firewalld.conf

View main configuration

firewall-cmd --runtime-to-permanent

Save all runtime changes to the permanent configuration

firewall-cmd --permanent --list-all

Show permanent configuration
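Runtime and permanent configuration diverge silently: a rule added without --permanent disappears at the next reload, and a rule added with --permanent but not reloaded is not actually enforced. The script below is an added example, not part of this cheat sheet and not firewalld's own tooling. It normalizes two zone listings in the format printed by `firewall-cmd --list-all` and `firewall-cmd --permanent --list-all` into sorted key=value lines (sorting list entries so ordering alone is not reported), then prints every setting that exists on only one side. The function names `normalize_zone` and `zone_drift` and both sample listings are constructed for the example; on a real host you would feed it the two live command outputs instead.

```shell
#!/bin/sh
# Added example: detect drift between a zone's runtime and permanent
# firewalld configuration. Not part of the cheat sheet or of firewalld.

# Constructed sample of `firewall-cmd --list-all` (runtime) output.
RUNTIME_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh http
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.1.0/24" accept'

# Constructed sample of `firewall-cmd --permanent --list-all` output.
PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# stdin: one zone listing; stdout: sorted "key=value" lines.
# List-valued keys (services, ports, ...) get their tokens sorted so that
# insertion order alone never counts as drift. Rich rule continuation
# lines (indented, starting with "rule ") are emitted under "rich rules".
normalize_zone() {
  awk '
    NR == 1 { next }                       # zone header, e.g. "public (active)"
    {
      sub(/^[ \t]+/, "")                   # strip indentation (spaces or tab)
      if ($0 ~ /^rule /) { print "rich rules=" $0; next }
      i = index($0, ":")
      if (i == 0) next                     # blank or unknown line
      key = substr($0, 1, i - 1)
      val = substr($0, i + 1)
      sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
      n = split(val, tok, " ")
      for (a = 2; a <= n; a++) {           # insertion sort of the tokens
        t = tok[a]; b = a - 1
        while (b > 0 && tok[b] > t) { tok[b + 1] = tok[b]; b-- }
        tok[b + 1] = t
      }
      val = ""
      for (a = 1; a <= n; a++) val = val (a > 1 ? " " : "") tok[a]
      print key "=" val
    }' | sort
}

# $1: runtime listing, $2: permanent listing.
# Prints one line per drifted setting; returns 0 only when there is no drift.
zone_drift() {
  rf=$(mktemp) pf=$(mktemp)
  printf '%s\n' "$1" | normalize_zone > "$rf"
  printf '%s\n' "$2" | normalize_zone > "$pf"
  comm -23 "$rf" "$pf" | sed 's/^/runtime-only:   /'   # will vanish on --reload
  comm -13 "$rf" "$pf" | sed 's/^/permanent-only: /'   # not yet enforced
  n=$(comm -3 "$rf" "$pf" | wc -l | tr -d ' ')
  rm -f "$rf" "$pf"
  [ "$n" -eq 0 ]
}

# Stand-alone run on the constructed samples.
if zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"; then
  echo "no drift between runtime and permanent configuration"
else
  echo "drift detected: run --runtime-to-permanent or --reload after review"
fi
```

In the samples above the runtime side carries an extra service, an extra port, masquerading and a rich rule that are absent from the permanent side, so the script reports four runtime-only and three permanent-only settings. Which way to resolve drift is a review decision: `--runtime-to-permanent` keeps the live state, `--reload` discards it.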