firewall-cmd Command
Intermediate | Firewall & Security | man(1)
firewalld command line client (RHEL/CentOS)
📅 Updated: Mar 15, 2026
SYNTAX
firewall-cmd [OPTION]...
What Does firewall-cmd Do?
firewall-cmd is the command-line client for firewalld, the default firewall management tool on RHEL, CentOS, and Fedora systems. It uses zones and services for organized rule management.
firewalld operates with zones (trusted, public, internal, etc.) that define trust levels for network connections. Services are pre-defined port/protocol combinations (http, ssh, mysql) for easy rule management.
Changes can be temporary (runtime) or permanent. Runtime changes take effect immediately but are lost on reload. Permanent changes require --reload to take effect.
Options & Flags
| Option | Description | Example |
|---|---|---|
| --state | Check if firewalld is running | firewall-cmd --state |
| --list-all | List all rules for default zone | firewall-cmd --list-all |
| --add-service | Allow a service | firewall-cmd --permanent --add-service=http |
| --add-port | Allow a port | firewall-cmd --permanent --add-port=3000/tcp |
| --remove-service | Remove a service | firewall-cmd --permanent --remove-service=http |
| --reload | Reload to apply permanent changes | firewall-cmd --reload |
| --permanent | Make change persistent | firewall-cmd --permanent --add-service=https |
Practical Examples
#1 Check status
Shows if firewalld is running.
$ sudo firewall-cmd --state
Output:
running
#2 List all rules
Shows all rules for the default zone.
$ sudo firewall-cmd --list-all
Output:
public (active)
services: ssh dhcpv6-client http https
#3 Allow HTTP/HTTPS
Permanently allows web traffic and reloads.
$ sudo firewall-cmd --permanent --add-service=http && sudo firewall-cmd --permanent --add-service=https && sudo firewall-cmd --reload
#4 Allow custom port
Opens port 8080 permanently.
$ sudo firewall-cmd --permanent --add-port=8080/tcp && sudo firewall-cmd --reload
#5 Allow from specific IP
Allows MySQL access from a specific network.
$ sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port port="3306" protocol="tcp" accept' && sudo firewall-cmd --reload
#6 List available services
Shows all pre-defined service names you can use.
$ firewall-cmd --get-services
Tips & Best Practices
--permanent + --reload: Changes without --permanent are temporary. Always add --permanent for persistent rules, then --reload to apply.
Use services over ports: firewall-cmd --add-service=http is more readable and maintainable than --add-port=80/tcp.
Zones: firewall-cmd --get-zones lists available zones. --zone=trusted is fully open. --zone=public is default (restrictive).
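The runtime/permanent split described above means a host can be running rules that are not saved, or have saved rules that are not active. The script below is an added example (not part of the original page) that reports that drift for services and ports; the function names list_diff, drift_report and audit_zone are hypothetical, and the sample lists are constructed.

```shell
#!/usr/bin/env bash
# Added example: report drift between firewalld's runtime and permanent config.

# list_diff A B: print the items of space-separated list A that are not in B.
list_diff() {
    local item out=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                     # present in both lists
            *) out="${out:+$out }$item" ;;      # only in A
        esac
    done
    printf '%s\n' "$out"
}

# drift_report KIND RUNTIME PERMANENT: one line per direction of drift,
# no output when the two lists contain the same items.
drift_report() {
    local kind runtime_only permanent_only
    kind=$1
    runtime_only=$(list_diff "$2" "$3")
    permanent_only=$(list_diff "$3" "$2")
    if [ -n "$runtime_only" ]; then
        printf '%s runtime-only (lost on reload): %s\n' "$kind" "$runtime_only"
    fi
    if [ -n "$permanent_only" ]; then
        printf '%s permanent-only (inactive until reload): %s\n' "$kind" "$permanent_only"
    fi
}

# audit_zone ZONE: compare the live daemon's runtime and permanent lists.
# Needs root and a running firewalld.
audit_zone() {
    local zone kind
    zone=$1
    for kind in services ports; do
        drift_report "$kind" \
            "$(firewall-cmd --zone="$zone" --list-"$kind")" \
            "$(firewall-cmd --permanent --zone="$zone" --list-"$kind")"
    done
}

# Constructed sample lists (not captured from a real host).
SAMPLE_RUNTIME="ssh dhcpv6-client http"
SAMPLE_PERMANENT="ssh dhcpv6-client https"

if [ "${1:-}" = "--live" ]; then
    audit_zone "$(firewall-cmd --get-default-zone)"
else
    drift_report services "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

Run it with --live as root to audit the default zone of a real host. If the runtime-only entries are intended, firewall-cmd --runtime-to-permanent saves the running configuration.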
Frequently Asked Questions
How do I open a port?
sudo firewall-cmd --permanent --add-port=PORT/tcp && sudo firewall-cmd --reload.
How do I allow a service?
sudo firewall-cmd --permanent --add-service=SERVICE && sudo firewall-cmd --reload. Check --get-services for available names.
How is this different from ufw?
firewall-cmd uses firewalld (RHEL/CentOS). ufw uses iptables (Ubuntu). Both are frontends for kernel packet filtering.