Firewall on Redhat Linux 7 onwards — firewalld, firewall-cmd

With Redhat Linux 7’s moving to systemd, not only has the init system been replaced, but other daemons and their utilities have been replaced such as systemd-journald(for event logging), systemd-logind, systemmd-undevd.

firewalld has been introduced to replace iptables for managing firewall. It is a service daemon with D-Bus interface.

firewalld supports a separation of runtime and permanent configuration. Changes can be done immediately in the runtime environment. No restart of the service or daemon is needed. The runtime configuration is only valid up to the next service reload and restart or to a system reboot. Then the permanent configuration will be loaded again.

With the runtime environment it is possible to use runtime for settings that should only be active for a limited amount of time. If the runtime configuration has been used for evaluation, and it is complete and working, then it is possible to save this configuration to the permanent environment.

Below is the firwalld structure:


Location of firewalld configuration file which contains the basic configuration.


Other important directories and files:

  • /etc/firewalld/lockdown-whitelist.xml
  • /etc/firewalld/zones/.xml

Here are some frequent used commands to manage firewalld:

  1. disable/enable firewalld
systemctl enable firewalld
systemctl disable firewalld

2. manual start/stop firewalld

systemctl stop firewalld
systemctl start firewalld
systemctl restart firewalld

3. check firewalld status

systemctl status firewalld

firewall-cmd --state

4. check default & active firewalld zone.

firewall-cmd --get-default-zone

firewall-cmd --get-active-zones

5. list everything enabled in the default zone. Using “–zone=<zonename>” to specify a non-default zone.

firewall-cmd --list-all

firewall-cmd --zone=<zonename> --list-all

firewall-cmd --info-zone=<zonename>

6. list all ports opened

firewall-cmd --list-ports

7. reload configuration so that permanent configuration becomes the runtime configuration. The difference between reload and complete-reload is that complete-reload includes netfilter kernel modules which likely will terminate active connections.

firewall-cmd --reload
firewall-cmd --complete-reload

8. add a tcp port in the runtime configuration. Using “–permanent” to modify the permanent configuration. A restart/reload is needed to make changes effective.

firewall-cmd --zone=<zonename> --add-port=11117/tcp
firewall-cmd --remove-port=11117/tcp

9. whitelist an IP or a range of IP or remove an IP from the whitelist

firewall-cmd --permanent --add-source=
firewall-cmd --permanent --add-source=

firewall-cmd --permanent --remove-source=

10. add or remove a service

firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --remove-service=ssh

If you want to see what you can do with firewall-cmd, don’t forget to check the man page of firewall-cmd. Lots of advanced options/usage listed there.

One thought on “Firewall on Redhat Linux 7 onwards — firewalld, firewall-cmd

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s