To set up FirewallD on a Linux server, install the firewalld package, enable and start the service, select a default zone, allow required services or ports, make rules permanent, and reload. Verify with firewall-cmd --list-all. This provides a stateful, zone-based firewall using nftables under the hood on most modern distributions.
If you’re wondering how to set up FirewallD on Linux server environments the right way, this guide walks you through a secure, beginner-friendly process with real-world examples. You’ll learn zones, runtime vs. permanent rules, opening ports safely, NAT/forwarding, logging, and best practices we use daily on production servers.
What Is FirewallD and Why Use It?
FirewallD is a dynamic, zone-based firewall management service that configures Linux kernel packet filters (nftables or iptables). It lets you change rules without dropping established connections and organizes rules by trust level (zones). Compared to static scripts, FirewallD is simpler, safer, and more adaptable to modern server workloads.
Prerequisites and Supported Distributions
You can run FirewallD on RHEL, AlmaLinux, Rocky Linux, CentOS Stream, Fedora, openSUSE, and Debian/Ubuntu. On Ubuntu, UFW is common; you can use FirewallD instead (don’t run both). You’ll need:
- Root or sudo access
- SSH access to the server
- Package manager connectivity (dnf/yum/apt)
- List of ports/services your applications require
Install FirewallD
Use your system’s package manager to install firewalld and its CLI tool firewall-cmd.
# RHEL 8/9, AlmaLinux, Rocky, CentOS Stream, Fedora
sudo dnf install -y firewalld
# Older RHEL/CentOS
sudo yum install -y firewalld
# Debian/Ubuntu
sudo apt update
sudo apt install -y firewalld
On Ubuntu, disable UFW first to avoid conflicts:
sudo ufw disable
Enable and Start the Service
sudo systemctl enable --now firewalld
sudo systemctl status firewalld
firewall-cmd --state # should show "running"
Tip: Take a quick backup of your configuration before major changes:
sudo cp -a /etc/firewalld /root/firewalld-backup-$(date +%F)
Understand Zones and Runtime vs Permanent
Zones define trust levels. Common ones are public (default), home, work, internal, trusted, and drop. Assign interfaces or source networks to a zone, then add allowed services/ports within that zone.
- Runtime rules: Active immediately but lost after reboot/restart.
- Permanent rules: Persist across restarts. Add the rule with --permanent and then reload.
# Show default zone and active zones
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
# Set default zone (typical)
sudo firewall-cmd --set-default-zone=public
# Assign interface to zone (replace eth0)
sudo firewall-cmd --zone=public --add-interface=eth0
sudo firewall-cmd --zone=public --permanent --add-interface=eth0
sudo firewall-cmd --reload
Quick Start: Open Essential Services Safely
Always ensure SSH stays open to avoid lockout. Then allow your web stack (HTTP/HTTPS) and anything else your application needs.
# Allow SSH, HTTP, HTTPS on default zone (runtime)
sudo firewall-cmd --add-service=ssh
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
# Make it permanent and reload
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
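The runtime/permanent split above is where most drift and lockouts come from: a rule added only at runtime vanishes on reload, and a reload after someone removed ssh from the permanent configuration cuts off every new admin session. The following shell script is an added example for this article, not code from the original post or from the firewalld project. It wraps firewall-cmd so that each change goes to both configurations in one call, and it refuses to reload unless the ssh service is still present in the permanent configuration of the zone you name. FIREWALL_CMD is an assumed hook (not a firewalld feature) so the script can be dry-run with FIREWALL_CMD=echo on a machine without firewalld; the --demo flag and the file name fw-apply.sh are likewise assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article or the firewalld project):
# apply one FirewallD change to the permanent and runtime configurations
# together, and refuse to reload unless the ssh service is still allowed in
# the zone that carries your management interface.
# FIREWALL_CMD is an assumed hook so the script can be dry-run with
# FIREWALL_CMD=echo on a host without firewalld installed.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_apply ZONE ARGS...
# Runs the same change twice: once with --permanent (survives reboot/reload)
# and once at runtime (active now), so the two configurations never drift.
fw_apply() {
    zone="$1"; shift
    "$FIREWALL_CMD" --permanent --zone="$zone" "$@" || return 1
    "$FIREWALL_CMD" --zone="$zone" "$@"
}

# fw_ssh_allowed ZONE
# Exit status 0 if the ssh service is in ZONE's permanent configuration
# (firewall-cmd --query-* options exit 0 for "yes" and 1 for "no").
fw_ssh_allowed() {
    "$FIREWALL_CMD" --permanent --zone="$1" --query-service=ssh >/dev/null 2>&1
}

# fw_safe_reload ZONE
# Lockout guard: reload only if the permanent config still allows ssh in ZONE.
fw_safe_reload() {
    if fw_ssh_allowed "$1"; then
        "$FIREWALL_CMD" --reload
    else
        echo "refusing to reload: ssh is not allowed in zone $1 (permanent)" >&2
        return 1
    fi
}

# Dry-run demonstration (assumed invocation): ./fw-apply.sh --demo prints the
# firewall-cmd invocations instead of executing them.
if [ "${1:-}" = "--demo" ]; then
    FIREWALL_CMD=echo
    fw_apply public --add-service=http
    fw_apply public --add-port=8080/tcp
    fw_safe_reload public
fi
```

Run it with --demo first to see exactly which commands would execute; on a real host, source the file and call fw_apply and fw_safe_reload from your change procedure. The guard only checks the zone you pass, so name the zone that holds the interface your SSH session arrives on.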
Allow by Service vs. Port
Prefer predefined services (a service definition bundles the ports and protocols an application needs, so one name covers all of them) and fall back to explicit ports for custom apps.
# Service-based (preferred)
sudo firewall-cmd --permanent --add-service=mysql
# Port-based (example custom TCP 8080)
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Set a Stricter Default Zone (Optional)
For hardened hosts, consider “drop” as the default and explicitly allow traffic only where needed. Confirm SSH access first: in the sequence below, new SSH connections are dropped between the reload that makes drop the default zone and the reload after ssh is added to it, so keep your current session open until the last reload succeeds.
# Harden default stance
sudo firewall-cmd --set-default-zone=drop
sudo firewall-cmd --permanent --set-default-zone=drop
sudo firewall-cmd --reload
# Then explicitly allow SSH to prevent lockout
sudo firewall-cmd --permanent --zone=drop --add-service=ssh
sudo firewall-cmd --reload
Common FirewallD Configurations
Allow Only a Specific Source IP (Whitelisting)
Use rich rules to restrict access (great for admin panels or databases).
# Allow SSH only from 203.0.113.10
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.10" service name="ssh" accept'
sudo firewall-cmd --reload
Port Ranges and Protocols
# Open TCP ports 3000-3010
sudo firewall-cmd --permanent --add-port=3000-3010/tcp
sudo firewall-cmd --reload
Masquerading and Port Forwarding (NAT)
For NAT gateways or containers behind a host, enable masquerade and optionally forward ports.
# Enable masquerading on public zone
sudo firewall-cmd --zone=public --permanent --add-masquerade
# Forward TCP 8080 on the host to 192.168.1.10:80
sudo firewall-cmd --zone=public --permanent \
--add-forward-port=port=8080:proto=tcp:toaddr=192.168.1.10:toport=80
sudo firewall-cmd --reload
Ensure your server’s routing and IP forwarding are configured if acting as a gateway.
Control ICMP (Ping) and Diagnostics
# Block ping requests
sudo firewall-cmd --permanent --add-icmp-block=echo-request
sudo firewall-cmd --reload
# Re-allow ping
sudo firewall-cmd --permanent --remove-icmp-block=echo-request
sudo firewall-cmd --reload
Panic Mode and Lockdown (Use with Care)
Panic mode drops all incoming and outgoing packets; lockdown restricts which local processes can adjust FirewallD. Use only when you know the impact.
# Panic
sudo firewall-cmd --panic-on
sudo firewall-cmd --panic-off
# Lockdown
sudo firewall-cmd --lockdown-on
sudo firewall-cmd --lockdown-off
Verify and Test Your Rules
# Inspect active zone and rules
firewall-cmd --list-all
firewall-cmd --zone=public --list-all
# List services and ports specifically
firewall-cmd --list-services
firewall-cmd --list-ports
# Show all available services and details
firewall-cmd --get-services
firewall-cmd --info-service=http
From a remote machine, test connectivity with curl, nc (netcat), or nmap. Always validate both IPv4 and IPv6 if your server has dual-stack networking.
Logging and Auditing
Enable logging for denied packets during hardening or incident response.
# Enable runtime logging of denied packets
sudo firewall-cmd --set-log-denied=all
# Make it persistent (supported on modern versions)
sudo firewall-cmd --permanent --set-log-denied=all
sudo firewall-cmd --reload
# View logs
sudo journalctl -u firewalld -e
sudo journalctl -k | grep -i 'denied'
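Grepping for 'denied' shows individual lines; during hardening or an incident you usually want to know which source addresses and destination ports dominate. The script below is an added example for this article, not code from the original post or from firewalld. It reads journalctl -k output on stdin, keeps only kernel lines carrying firewalld's denial prefixes (FINAL_REJECT:, <zone>_REJECT:, <zone>_DROP:), and counts them per source, protocol and destination port. The SAMPLE_KLOG lines are constructed to resemble that output (addresses from the RFC 5737 documentation ranges), and the exact field layout of a real line may vary slightly with kernel version.

```shell
#!/bin/sh
# Added example (not from the original article or the firewalld project):
# summarize the kernel log lines FirewallD emits when log-denied is enabled,
# so a flood of denials from one source or against one port stands out.

# fw_denied_summary  (reads log lines on stdin)
# Prints "SRC PROTO DPT COUNT", busiest first. Kernel lines without a
# firewalld denial prefix (and non-kernel lines) are skipped; packets with
# no destination port (e.g. ICMP) are shown with DPT "-".
fw_denied_summary() {
    awk '
    / kernel: / && (/_REJECT: / || /_DROP: /) {
        src = ""; dpt = "-"; proto = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
        }
        if (src != "") count[src " " proto " " dpt]++
    }
    END { for (k in count) print k, count[k] }
    ' | LC_ALL=C sort -k4,4nr -k1,1
}

# Constructed sample of `journalctl -k` output (not captured from a real host).
SAMPLE_KLOG=$(cat <<'EOF'
Mar 10 12:00:01 web01 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=50234 DPT=3306 WINDOW=64240 SYN URGP=0
Mar 10 12:00:02 web01 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 ID=2 DF PROTO=TCP SPT=50235 DPT=3306 WINDOW=64240 SYN URGP=0
Mar 10 12:00:03 web01 kernel: filter_IN_public_REJECT: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 LEN=60 TTL=51 ID=3 DF PROTO=TCP SPT=50236 DPT=3306 WINDOW=64240 SYN URGP=0
Mar 10 12:00:04 web01 kernel: STATE_INVALID_DROP: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=40 TTL=57 ID=4 PROTO=TCP SPT=40000 DPT=443 WINDOW=0 RST URGP=0
Mar 10 12:00:05 web01 kernel: FINAL_REJECT: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=84 TTL=57 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
Mar 10 12:00:06 web01 kernel: random: crng init done
EOF
)

# Live use: sudo journalctl -k --since today | fw_denied_summary
printf '%s\n' "$SAMPLE_KLOG" | fw_denied_summary
```

On the sample the first line of output is "203.0.113.5 TCP 3306 3": one host repeatedly probing MySQL, which on a web server that should never expose 3306 is exactly the kind of signal worth a follow-up. Pipe real journalctl -k output in the same way; the ICMP line shows why the port column defaults to "-" rather than breaking the column layout.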
Security Best Practices We Use in Production
- Least privilege: Open only the ports you need; prefer service definitions.
- Restrict admin access: Whitelist SSH to office/VPN IPs; consider a non-standard SSH port plus key-based auth.
- Separate zones: Put public NICs in public; private subnets in internal/home zones.
- Dual-stack awareness: Mirror IPv4 rules for IPv6 or explicitly control IPv6 exposure.
- Permanent + reload: After testing runtime, make rules permanent and reload instead of restarting.
- Change control: Backup configs and document rule changes for audits.
- Layered security: Complement FirewallD with Fail2ban, SELinux, and WAF/CDN where appropriate.
Troubleshooting Checklist
- Is FirewallD running? firewall-cmd --state
- Any syntax errors? firewall-cmd --check-config
- What’s active? firewall-cmd --get-active-zones and --list-all
- Service up and listening? ss -tulpn | grep :PORT
- Backend rules applied? sudo nft list ruleset | less
- Logs show denials? journalctl -u firewalld -e
- Other firewall conflicts? Ensure UFW/other tools are disabled.
Automation and Persistence Tips
- Always apply changes with --permanent and then run sudo firewall-cmd --reload.
- Use Ansible or scripts for reproducible environments (e.g., ansible.posix.firewalld module).
- For interface-to-zone persistence, set both runtime and permanent, then reload.
FirewallD vs. UFW vs. Raw nftables
- FirewallD: Best for RHEL/Fedora ecosystems; dynamic, zone-based, integrates with services.
- UFW: Simple on Ubuntu; great for basic allow/deny scenarios.
- nftables directly: Maximum control and performance; steeper learning curve.
When Managed Help Makes Sense
If you prefer a hands-off setup, managed VPS and dedicated servers from YouStable include production-ready firewall baselines, monitoring, and quick remediation. That means fewer outages and faster rollouts when you need new ports or secure staging environments.
FAQs: FirewallD on Linux Server
How do I permanently open a port in FirewallD?
Use the --permanent flag and reload. Example: sudo firewall-cmd --permanent --add-port=9090/tcp && sudo firewall-cmd --reload. Prefer service names when available, such as sudo firewall-cmd --permanent --add-service=http.
What’s the difference between runtime and permanent rules?
Runtime rules apply immediately but disappear after a restart. Permanent rules survive restarts. After adding permanent rules, run sudo firewall-cmd --reload to activate them without dropping existing connections.
How do I see which zone my interface uses?
Run firewall-cmd --get-active-zones. To assign an interface, use sudo firewall-cmd --zone=public --add-interface=eth0 and make it permanent with --permanent followed by sudo firewall-cmd --reload.
Can I use FirewallD on Ubuntu instead of UFW?
Yes. Install with sudo apt install firewalld, disable UFW with sudo ufw disable, then enable firewalld (sudo systemctl enable --now firewalld). Avoid running both tools at the same time to prevent conflicts.
How do I log blocked packets?
Enable denied logging with sudo firewall-cmd --set-log-denied=all and, on supported versions, make it persistent using --permanent. View events in sudo journalctl -u firewalld or kernel logs with sudo journalctl -k.
Final Thoughts
Learning FirewallD once pays off for every Linux server you manage. Start with a safe default zone, open only what you need, make changes permanent, and verify rigorously. With these steps and examples, you can confidently deploy, scale, and secure your workloads on day one.