firewalld – firewall-cmd

Red Hat Enterprise Linux and CentOS ship firewalld as the default firewall manager. firewall-cmd is its command-line client: it talks to the firewalld daemon, and the daemon is what actually programs the kernel packet filter (nftables on current releases, iptables on older ones). All of the commands below need root (or sudo).

First, check whether the daemon is running at all. The command prints running or not running and, which matters in scripts, exits with 0 only when it is running:

$ firewall-cmd --state

firewalld keeps two configurations. The runtime configuration is what is enforced right now; the permanent configuration is what gets loaded at boot and on every firewall-cmd --reload. A change made without --permanent takes effect immediately but is gone after the next reload or reboot; a change made with --permanent is saved but is not enforced until you reload. --permanent is a switch, not a command on its own: you combine it with an operation. Some operations only exist in the permanent configuration, creating a new zone for example:

$ firewall-cmd --permanent --new-zone=my-custom-zone

Two things bite people here. A reload replaces the runtime configuration with the permanent one, so a port you opened (or blocked) in a hurry without --permanent silently disappears at the next reload. And if you have built up a working runtime configuration by hand, firewall-cmd --runtime-to-permanent copies it into the permanent configuration in one go.

firewalld organizes rules into zones. A zone is a trust level: it lists the services, ports and rich rules that are allowed in, and traffic is assigned to a zone either by the interface it arrives on or by its source address. An interface belongs to exactly one zone, and a source address can only be in one zone.

List all zones (the predefined ones such as public, trusted, drop and block, plus any you created):

$ firewall-cmd --get-zones

Show the default zone, the one that receives traffic from any interface that is not bound elsewhere (public on a fresh install):

$ firewall-cmd --get-default-zone

You can also check which zones are active. A zone is active when at least one interface or source is bound to it, so when you have several zones this is the quickest way to see which ones actually receive traffic, and through what:

$ firewall-cmd --get-active-zones

To see everything a zone allows (its interfaces, sources, services, ports and rich rules), use --list-all together with --zone=, or --list-all-zones to dump all of them; that is the view to verify against after every change.

Creating a new zone.

Remember that a new zone can only be created in the permanent configuration, so the --permanent switch is required. The zone does not exist at runtime until you run firewall-cmd --reload. A freshly created zone lets nothing in (its target rejects whatever no rule permits), so it stays closed until you add services or ports to it.

$ firewall-cmd --permanent --new-zone=my-custom-zone


You can bind any network interface to a zone.

List the interfaces with:

$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:99:88:55 brd ff:ff:ff:ff:ff:ff

and bind it to the zone:

$ firewall-cmd --zone=public --add-interface=eno1

Without --permanent this binding is runtime only. If the interface is managed by NetworkManager (the normal case on RHEL and CentOS), set the zone in the connection profile instead, with nmcli connection modify <connection-name> connection.zone public: NetworkManager re-applies that zone whenever the connection comes up and can otherwise override a binding made with firewall-cmd. Either way, firewall-cmd --get-zone-of-interface=eno1 tells you where the interface ended up.


You can also put traffic into a zone by its source address. The argument is an IPv4 or IPv6 address or prefix (10.20.0.0/16, 2001:db8::/32), a MAC address, or ipset:<name>; a source can belong to only one zone. Source bindings take precedence over interface bindings: a packet from an address listed in company goes to company even when it arrives on an interface bound to public. That is what makes a zone like company useful, since it lets you give the office range more access than the rest of the internet gets on the same interface.

$ firewall-cmd --zone=company --add-source=
# or
$ firewall-cmd --zone=another-zone --add-source=
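To make that precedence concrete, here is a small model of firewalld's zone lookup, written as an added example for this page (it is not firewalld code and does not run firewall-cmd). The zone table stands in for what --get-active-zones would print and is constructed sample data, as are the probed addresses; the model handles IPv4 addresses and prefixes only, not IPv6, MAC or ipset sources.

```sh
#!/bin/sh
# Model of how firewalld picks the zone for an incoming packet.
# Added example for this page, not firewalld's own code. The zone table is
# constructed sample data standing in for the output of --get-active-zones.
# Lookup order modelled: source binding, then interface binding, then the
# default zone. IPv4 addresses and prefixes only.

# one zone per line: name|space-separated sources|space-separated interfaces
ZONE_TABLE='company|10.20.0.0/16 192.0.2.7|
public||eno1
mgmt|198.51.100.0/24|eno2'
DEFAULT_ZONE=public

# ip2int A.B.C.D -> prints the address as a 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR CIDR -> exit 0 if ADDR lies inside CIDR (a bare address is /32)
in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    [ "$net" = "$2" ] && prefix=32
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# zone_for SRC_ADDR IFACE -> prints the zone whose rules apply to the packet
zone_for() {
    src=$1; iface=$2
    # pass 1: a matching source binding wins regardless of the interface
    while IFS='|' read -r zone sources ifaces; do
        for cidr in $sources; do
            if in_cidr "$src" "$cidr"; then echo "$zone"; return 0; fi
        done
    done <<EOF
$ZONE_TABLE
EOF
    # pass 2: the zone the ingress interface is bound to
    while IFS='|' read -r zone sources ifaces; do
        for i in $ifaces; do
            if [ "$i" = "$iface" ]; then echo "$zone"; return 0; fi
        done
    done <<EOF
$ZONE_TABLE
EOF
    # pass 3: nothing matched, the default zone applies
    echo "$DEFAULT_ZONE"
}

# a few lookups; note the third one, where the source address wins over eno1
for probe in '10.20.5.9 eno1' '203.0.113.4 eno1' '198.51.100.20 eno1' '203.0.113.4 eno2' '203.0.113.4 eth9'; do
    set -- $probe
    printf '%-15s on %-4s -> %s\n' "$1" "$2" "$(zone_for "$1" "$2")"
done
```

The practical consequence: a host in a source range you bound to a permissive zone keeps that access on every interface, so review --list-all for the source-bound zones, not only for the zone your interface sits in.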


You can open a port in a zone; anything whose traffic lands in that zone can then reach that port:

$ firewall-cmd --zone=mongo-server --add-port=23070/tcp

The zone has to exist already; a zone created with --permanent is only usable after a --reload.


You can also decide which services are reachable through a zone. Services are presets: each one is an XML file under /usr/lib/firewalld/services/ (add your own or override one in /etc/firewalld/services/) that names the ports and protocols a service needs, so you don't have to remember the port numbers.

For example, to allow access to MySQL you add the mysql service to the zone rather than port 3306 itself. Besides saving you a lookup, this keeps --list-all output readable: when you go through several zones you can see at a glance which zone allows what, instead of working out what a bare port number was for. firewall-cmd --get-services lists the available presets and firewall-cmd --info-service=mysql shows what one expands to.

$ firewall-cmd --zone=company --add-service=mysql

or add several services at once (note that it is --add-service; --add-source is for addresses):

$ firewall-cmd --zone=company --add-service=mysql --add-service=ssh


If there is no predefined service for your port, or you are running something on an unusual port, add it by number. You have to give the protocol as well (tcp, udp, sctp or dccp); a range is written as 8000-8100/tcp.

$ firewall-cmd --zone=company --add-port=1234/tcp

Without --zone the change goes to the default zone, which usually means every interface that is not bound somewhere else, so make sure that is really what you want:

$ firewall-cmd --add-port=1234/tcp --add-port=4321/udp
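Putting the steps above together (runtime versus permanent, creating the zone, binding sources, adding services and ports), here is the way a practitioner would script it, as an added example for this page rather than anything from the firewalld project: every value is validated before it reaches firewall-cmd, all changes are made --permanent and applied with a single --reload so nothing is lost at the next reload or reboot, and the result is verified with the --query-* exit codes instead of trusting the success lines. The zone name, addresses, services and ports are constructed sample values. Each firewall-cmd invocation is recorded in CMDS and only executed when APPLY=1 and firewall-cmd is installed, so the plan can be reviewed on a machine without firewalld.

```sh
#!/bin/sh
# End-to-end zone setup, added example for this page (not firewalld code):
# validate every value, make all changes --permanent, apply them with one
# --reload, then verify with --query-* exit codes. ZONE, SOURCES, SERVICES
# and PORTS are constructed sample values. firewall-cmd is only executed
# when APPLY=1 and it is installed; otherwise the plan is just printed.

ZONE=company
SOURCES="10.20.0.0/16 192.0.2.7"
SERVICES="ssh mysql"
PORTS="23070/tcp 8000-8100/udp"

# valid_port PORT[-PORT]/PROTO -> 0 if firewall-cmd would accept it
valid_port() {
    case $1 in */tcp|*/udp|*/sctp|*/dccp) ;; *) return 1 ;; esac
    p=${1%/*}
    case $p in *-*) lo=${p%-*}; hi=${p#*-} ;; *) lo=$p; hi=$p ;; esac
    case $lo in ''|*[!0-9]*) return 1 ;; esac
    case $hi in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# valid_source ADDR[/PREFIX] -> 0 for a well-formed IPv4 address or prefix.
# firewalld also accepts IPv6, MAC and ipset: sources; they are rejected here
# on purpose so that a typo cannot widen the zone to something unexpected.
valid_source() {
    addr=${1%/*}; prefix=${1#*/}
    [ "$addr" = "$1" ] && prefix=32
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# fw ARGS... -> record the command; run it only when APPLY=1 and it exists
CMDS=""
fw() {
    CMDS="${CMDS}firewall-cmd $*
"
    [ "${APPLY:-0}" = 1 ] || return 0
    command -v firewall-cmd >/dev/null 2>&1 || return 0
    firewall-cmd "$@" >/dev/null || { echo "failed: firewall-cmd $*" >&2; exit 1; }
}

# plan_zone -> validate, then queue the permanent changes and one reload
plan_zone() {
    CMDS=""
    for s in $SOURCES; do valid_source "$s" || { echo "bad source: $s" >&2; return 1; }; done
    for p in $PORTS;   do valid_port "$p"   || { echo "bad port: $p" >&2;   return 1; }; done
    fw --permanent --new-zone="$ZONE"
    for s in $SOURCES;  do fw --permanent --zone="$ZONE" --add-source="$s";  done
    for s in $SERVICES; do fw --permanent --zone="$ZONE" --add-service="$s"; done
    for p in $PORTS;    do fw --permanent --zone="$ZONE" --add-port="$p";    done
    fw --reload   # the permanent changes only reach the runtime here
}

# verify_zone -> after the reload, ask the runtime configuration:
# --query-* exits 0 when the item is present and 1 when it is not
verify_zone() {
    [ "${APPLY:-0}" = 1 ] || return 0
    command -v firewall-cmd >/dev/null 2>&1 || return 0
    for s in $SERVICES; do
        firewall-cmd --zone="$ZONE" --query-service="$s" >/dev/null || { echo "missing service $s" >&2; return 1; }
    done
    for p in $PORTS; do
        firewall-cmd --zone="$ZONE" --query-port="$p" >/dev/null || { echo "missing port $p" >&2; return 1; }
    done
}

plan_zone && printf '%s' "$CMDS" && verify_zone
```

Run it once without APPLY to read the plan, then with APPLY=1 as root to execute it. --new-zone fails if the zone already exists, so on a second run drop that line or check firewall-cmd --permanent --get-zones first; the verification step is what tells you the zone really allows what you think it does.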
