{"id":12513,"date":"2025-12-20T12:49:30","date_gmt":"2025-12-20T07:19:30","guid":{"rendered":"https:\/\/www.youstable.com\/blog\/?p=12513"},"modified":"2025-12-20T12:49:43","modified_gmt":"2025-12-20T07:19:43","slug":"install-firewalld-on-linux","status":"publish","type":"post","link":"https:\/\/www.youstable.com\/blog\/install-firewalld-on-linux","title":{"rendered":"How to Install FirewallD on Linux Server (2026 Step-by-Step Guide)"},"content":{"rendered":"\n

To install FirewallD on a Linux server<\/strong>, update your packages, install the firewalld package (dnf\/yum\/apt\/zypper), enable and start the service with systemctl, then open required ports via firewall-cmd. Always allow SSH before applying changes to avoid lockouts. Verify with firewall-cmd –state and persist rules using the –permanent flag.<\/p>\n\n\n\n

Looking to install FirewallD on Linux Server the right way? This guide walks you through secure installation, configuration, and best practices across RHEL, CentOS, AlmaLinux, Rocky Linux, Fedora, Debian, Ubuntu, and openSUSE. As a senior technical writer at YouStable, I\u2019ll keep things clear, accurate, and beginner-friendly while emphasizing real-world hosting considerations.<\/p>\n\n\n\n

What is FirewallD and Why Use it?<\/strong><\/h2>\n\n\n\n

FirewallD is a dynamic firewall manager for<\/strong> Linux that uses zones and services to control network traffic without dropping active connections. It provides an easy CLI (firewall-cmd) and XML-defined services, and on modern distributions it leverages nftables under the hood. It\u2019s the default firewall on RHEL-family systems and a solid choice on Debian\/Ubuntu.<\/p>\n\n\n\n

\"What<\/figure>\n\n\n\n

Key benefits include live rule updates, zone-based security per interface, predefined services (like ssh, http, https), rich rules for granular policies, and built-in NAT\/masquerading for routing scenarios.<\/p>\n\n\n\n

Prerequisites and Safety Checks<\/strong><\/h2>\n\n\n\n
    \n
  • Access<\/strong>: SSH or console access with sudo\/root privileges.<\/li>\n\n\n\n
  • OS support<\/strong>: RHEL\/CentOS\/AlmaLinux\/Rocky\/Fedora, Debian\/Ubuntu, openSUSE.<\/li>\n\n\n\n
  • Avoid conflicts<\/strong>: Do not run multiple firewalls. Disable UFW or iptables-services if using FirewallD.<\/li>\n\n\n\n
  • Cloud rules<\/strong>: If you\u2019re on AWS, GCP, Azure, or a VPS, ensure security groups\/firewall policies also allow required ports.<\/li>\n\n\n\n
  • Prevent lockouts<\/strong>: Allow SSH before<\/em> enabling and reloading rules.<\/li>\n<\/ul>\n\n\n\n
    # Check whether firewalld is installed and running\nfirewall-cmd --state 2>\/dev\/null || echo \"not running\"\n\n# Check if another firewall is active\nsystemctl is-active ufw\nsystemctl is-active iptables\n<\/code><\/pre>\n\n\n\n
    Install FirewallD on RHEL, CentOS, AlmaLinux, Rocky Linux, Fedora<\/strong><\/h2>\n\n\n\n
    On RHEL-family systems, FirewallD is often installed by default. If not, install it with your package manager and enable it at boot.<\/p>\n\n\n\n
    # RHEL 8\/9, AlmaLinux, Rocky Linux, CentOS Stream, Fedora\nsudo dnf install -y firewalld\n\n# RHEL\/CentOS 7\nsudo yum install -y firewalld\n\n# Enable and start\nsudo systemctl enable --now firewalld\n\n# Verify\nsudo firewall-cmd --state\nsudo systemctl status firewalld --no-pager\n<\/code><\/pre>\n\n\n\n
    Install FirewallD on Ubuntu and Debian<\/strong><\/h2>\n\n\n\n
    Ubuntu and Debian typically ship with UFW. If you choose FirewallD, disable UFW to prevent conflicts.<\/p>\n\n\n\n
    # Disable and remove UFW if present\nsudo systemctl stop ufw\nsudo ufw disable || true\nsudo apt remove -y ufw\n\n# Install firewalld\nsudo apt update\nsudo apt install -y firewalld\n\n# Enable and start\nsudo systemctl enable --now firewalld\n\n# Verify\nsudo firewall-cmd --state\n<\/code><\/pre>\n\n\n\n
    Install FirewallD on openSUSE\/SUSE<\/strong><\/h2>\n\n\n\n
    sudo zypper install -y firewalld\nsudo systemctl enable --now firewalld\nsudo firewall-cmd --state\n<\/code><\/pre>\n\n\n\n
    Quick-Start: Allow SSH and Essential Services<\/strong><\/h2>\n\n\n\n
    Before making any other changes, make sure SSH is allowed so you don\u2019t lose access. Then open HTTP\/HTTPS or any application ports you need.<\/p>\n\n\n\n
    # See the default zone\nsudo firewall-cmd --get-default-zone\n\n# Allow SSH, HTTP, and HTTPS temporarily (runtime)\nsudo firewall-cmd --add-service=ssh\nsudo firewall-cmd --add-service=http\nsudo firewall-cmd --add-service=https\n\n# Make rules permanent and reload to apply persistently\nsudo firewall-cmd --permanent --add-service=ssh\nsudo firewall-cmd --permanent --add-service=http\nsudo firewall-cmd --permanent --add-service=https\nsudo firewall-cmd --reload\n\n# Verify services open in the default zone\nsudo firewall-cmd --list-services\nsudo firewall-cmd --list-all\n<\/code><\/pre>\n\n\n\n
    FirewallD Concepts: Zones, Services, and Runtime vs Permanent<\/strong><\/h2>\n\n\n\n
    FirewallD groups rules into zones<\/strong> that you bind to network interfaces or sources. Services are predefined rule sets (ports, protocols) that simplify allowing common applications. Changes can be applied to the running config (runtime) and\/or saved (permanent) for persistence.<\/p>\n\n\n\n
    Common Zones and When to Use Them<\/strong><\/h2>\n\n\n\n
      \n
    • Public<\/strong>: Default for internet-facing servers; moderately restrictive.<\/li>\n\n\n\n
    • External<\/strong>: For NAT gateways; masquerading typically enabled.<\/li>\n\n\n\n
    • Internal\/home\/work<\/strong>: For trusted LAN segments.<\/li>\n\n\n\n
    • Trusted<\/strong>: Allows all traffic; use sparingly.<\/li>\n<\/ul>\n\n\n\n
      # List zones and active zone(s)\nsudo firewall-cmd --get-zones\nsudo firewall-cmd --get-active-zones\n\n# Set default zone\nsudo firewall-cmd --set-default-zone=public\n\n# Bind an interface to a zone (persistently)\nsudo firewall-cmd --permanent --zone=public --change-interface=eth0\nsudo firewall-cmd --reload\n<\/code><\/pre>\n\n\n\n
      Open Ports and Services Safely<\/strong><\/h2>\n\n\n\n
      Prefer services when available; otherwise, open ports explicitly. Always commit permanent rules and reload after testing.<\/p>\n\n\n\n
      # Discover available services\nsudo firewall-cmd --get-services\n\n# Allow a service in a specific zone\nsudo firewall-cmd --permanent --zone=public --add-service=http\nsudo firewall-cmd --permanent --zone=public --add-service=https\n\n# Open single ports\nsudo firewall-cmd --permanent --zone=public --add-port=8080\/tcp\nsudo firewall-cmd --permanent --zone=public --add-port=53\/udp\n\n# Open a port range\nsudo firewall-cmd --permanent --zone=public --add-port=3000-3010\/tcp\n\n# Apply changes\nsudo firewall-cmd --reload\n<\/code><\/pre>\n\n\n\n
      Rich Rules: Granular Access Controls<\/strong><\/h2>\n\n\n\n
      Rich rules provide fine-grained policies such as allowing a service from a specific source, rate limiting, or logging. Use them for targeted allowances or blocks.<\/p>\n\n\n\n
      # Allow SSH only from a management IP\nsudo firewall-cmd --permanent --zone=public \\\n  --add-rich-rule='rule family=\"ipv4\" source address=\"203.0.113.10\" service name=\"ssh\" accept'\n\n# Block a hostile IP\nsudo firewall-cmd --permanent --zone=public \\\n  --add-rich-rule='rule family=\"ipv4\" source address=\"198.51.100.23\" drop'\n\n# Allow a TCP port from a specific subnet\nsudo firewall-cmd --permanent --zone=public \\\n  --add-rich-rule='rule family=\"ipv4\" source address=\"10.0.0.0\/24\" port protocol=\"tcp\" port=\"5432\" accept'\n\nsudo firewall-cmd --reload\n<\/code><\/pre>\n\n\n\n
      NAT, Masquerading, and Port Forwarding<\/strong><\/h2>\n\n\n\n
      If your server routes traffic for other hosts, enable masquerading and configure forward rules. This is common for gateways, VPN endpoints, or homelabs.<\/p>\n\n\n\n
      # Enable NAT (masquerading) in the zone that faces the internet\nsudo firewall-cmd --permanent --zone=external --add-masquerade\n\n# Forward external:80 to an internal host 192.168.1.10:8080\nsudo firewall-cmd --permanent --zone=external \\\n  --add-forward-port=port=80:proto=tcp:toaddr=192.168.1.10:toport=8080\n\nsudo firewall-cmd --reload\n\n# Verify forwarding and masquerade settings\nsudo firewall-cmd --zone=external --list-all\n<\/code><\/pre>\n\n\n\n
      Testing, Logging, and Troubleshooting<\/strong><\/h2>\n\n\n\n
        \n
      • List rules<\/strong>: firewall-cmd –list-all or –list-all-zones<\/li>\n\n\n\n
      • Check configuration<\/strong>: firewall-cmd –check-config<\/li>\n\n\n\n
      • Service state<\/strong>: systemctl status firewalld<\/li>\n\n\n\n
      • Logs<\/strong>: journalctl -u firewalld; enable deny logs with set-log-denied<\/li>\n\n\n\n
      • Backend info<\/strong>: firewall-cmd –info-backend (nftables on modern distros)<\/li>\n<\/ul>\n\n\n\n
        # Enable logging of denied packets\nsudo firewall-cmd --set-log-denied=all\n# Inspect logs\nsudo journalctl -u firewalld --since \"15 min ago\" --no-pager\n\n# Show everything in the active zone\nsudo firewall-cmd --list-all\n\n# Reset to distribution defaults (use with caution)\nsudo firewall-cmd --permanent --reset-default-zone\nsudo firewall-cmd --reload\n<\/code><\/pre>\n\n\n\n
        Best Practices for Production Servers<\/strong><\/h2>\n\n\n\n
          \n
        • Principle of least privilege<\/strong>: Only open what you truly need.<\/li>\n\n\n\n
        • Lock SSH by source<\/strong>: Restrict SSH to your office\/VPN IPs when possible.<\/li>\n\n\n\n
        • Use services, not ports<\/strong>: Services auto-track protocol\/port combos.<\/li>\n\n\n\n
        • Separate zones<\/strong>: Bind public interfaces to public\/external; LAN to internal.<\/li>\n\n\n\n
        • Document changes<\/strong>: Keep a change log; use version-controlled scripts.<\/li>\n\n\n\n
        • Monitor logs<\/strong>: Turn on log-denied temporarily during audits; turn off if too noisy.<\/li>\n\n\n\n
        • Automate<\/strong>: Apply reproducible rules via Ansible or cloud-init.<\/li>\n<\/ul>\n\n\n\n
          FirewallD vs UFW vs iptables\/nftables: Which Should You Use?<\/strong><\/h2>\n\n\n\n
            \n
          • FirewallD<\/strong>: Dynamic, zone-based, service-aware; default on RHEL-family, great for servers with changing rules.<\/li>\n\n\n\n
          • UFW<\/strong>: Simple and user-friendly on Ubuntu; fine for basic setups, fewer advanced constructs out-of-the-box.<\/li>\n\n\n\n
          • iptables\/nftables directly<\/strong>: Maximum control; steeper learning curve. FirewallD uses nftables backend on modern distros, offering a higher-level interface.<\/li>\n<\/ul>\n\n\n\n
            Common Pitfalls and How to Avoid Them<\/strong><\/h2>\n\n\n\n
              \n
            • Locking yourself out<\/strong>: Always allow SSH first and keep a console session open while testing.<\/li>\n\n\n\n
            • Running multiple firewalls<\/strong>: Disable UFW or iptables-services when using FirewallD.<\/li>\n\n\n\n
            • Forgetting to reload<\/strong>: Permanent rules need a reload to take effect.<\/li>\n\n\n\n
            • Cloud firewall mismatch<\/strong>: Open ports in both FirewallD and your cloud security group.<\/li>\n\n\n\n
            • Docker\/Kubernetes interactions<\/strong>: Containers manage their own rules; avoid over-restricting docker0\/cni0 unless you know the networking model.<\/li>\n<\/ul>\n\n\n\n
              Real-World Example: LAMP Server Hardened with FirewallD<\/strong><\/h2>\n\n\n\n
              Here\u2019s a compact sequence we use on production web servers to expose only what\u2019s required and keep SSH locked down to a bastion host.<\/p>\n\n\n\n
              # Assume eth0 is public; set public as default zone\nsudo firewall-cmd --set-default-zone=public\nsudo firewall-cmd --permanent --zone=public --change-interface=eth0\n\n# Allow SSH only from bastion IP\nsudo firewall-cmd --permanent --zone=public \\\n  --add-rich-rule='rule family=\"ipv4\" source address=\"203.0.113.50\" service name=\"ssh\" accept'\n\n# Allow HTTP\/HTTPS for the website\nsudo firewall-cmd --permanent --zone=public --add-service=http\nsudo firewall-cmd --permanent --zone=public --add-service=https\n\n# Optionally, allow MySQL only from app subnet\nsudo firewall-cmd --permanent --zone=public \\\n  --add-rich-rule='rule family=\"ipv4\" source address=\"10.2.0.0\/24\" port protocol=\"tcp\" port=\"3306\" accept'\n\nsudo firewall-cmd --reload\nsudo firewall-cmd --list-all\n<\/code><\/pre>\n\n\n\n
              If you prefer a managed experience, YouStable\u2019s managed VPS and dedicated servers ship with secure firewall policies, 24\u00d77 monitoring, and hands-on help tuning FirewallD for your stack.<\/p>\n\n\n\n
              FAQ: Install FirewallD on Linux Server<\/strong><\/h2>\n\n\n
              \n
              \n
              \n
              Is FirewallD better than UFW for servers?<\/strong><\/h3>\n
              \n\n
              Both are capable. FirewallD offers dynamic reloads, zones, and rich rules that suit multi-interface servers and evolving rulesets. UFW is simpler and fine for basic Ubuntu setups. For RHEL-family systems, FirewallD is the native, recommended choice.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              Does FirewallD use iptables or nftables?<\/strong><\/h3>\n
              \n\n
              Modern distributions use nftables as the backend, managed by FirewallD. You can confirm with firewall-cmd –info-backend. On older systems, iptables may be used, but nftables is the standard on RHEL 8+, Fedora, and recent Debian\/Ubuntu.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              How do I open ports 80 and 443?<\/strong><\/h3>\n
              \n\n
              Use services to allow both at once and make it persistent. Example: sudo firewall-cmd –permanent –add-service=http; sudo firewall-cmd –permanent –add-service=https; sudo firewall-cmd –reload. Verify with sudo firewall-cmd –list-services.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              How can I allow only specific IPs for SSH?<\/strong><\/h3>\n
              \n\n
              Use a rich rule that restricts SSH by source address. Example: sudo firewall-cmd –permanent –zone=public –add-rich-rule=’rule family=”ipv4″ source address=”203.0.113.10″ service name=”ssh” accept’; then reload. Remove the generic SSH allow if previously set.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              Will FirewallD break Docker or Kubernetes?<\/strong><\/h3>\n
              \n\n
              No, but be aware both manipulate low-level rules. Docker creates its own chains and NAT; Kubernetes uses CNI rules. Avoid blocking docker0 or cni0 bridges unless you understand your container networking design. Test carefully on cluster nodes.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              How do I reset FirewallD to defaults?<\/strong><\/h3>\n
              \n\n
              Use sudo firewall-cmd –permanent –reset-default-zone and optionally remove custom services or rich rules by deleting files in \/etc\/firewalld and reloading. Always back up \/etc\/firewalld\/ before major changes.<\/p>\n\n<\/div>\n<\/div>\n
              \n
              What\u2019s the difference between runtime and permanent rules?<\/strong><\/h3>\n
              \n\n
              Runtime rules apply immediately but vanish on reboot or reload. Permanent rules persist across reboots and take effect after sudo firewall-cmd –reload. In production, set –permanent first, then reload once you verify.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n\n\n
              Conclusion<\/strong><\/h2>\n\n\n\n
              Installing FirewallD on a Linux server is straightforward: install the package, enable the service, then allow only the ports and services you need through zones and rich rules. With careful testing, logging, and adherence to least privilege, you\u2019ll keep your workloads secure and stable. Need help? YouStable\u2019s team can configure and monitor it for you.<\/p>\n","protected":false},"excerpt":{"rendered":"
              To install FirewallD on a Linux server, update your packages, install the firewalld package (dnf\/yum\/apt\/zypper), enable and start the service […]<\/p>\n","protected":false},"author":13,"featured_media":15655,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[350],"tags":[],"class_list":["post-12513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-knowledgebase"],"acf":[],"featured_image_src":"https:\/\/www.youstable.com\/blog\/wp-content\/uploads\/2025\/12\/How-to-Install-FirewallD-on-Linux-Server.jpg","author_info":{"display_name":"Prahlad Prajapati","author_link":"https:\/\/www.youstable.com\/blog\/author\/prahladblog"},"_links":{"self":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/12513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/comments?post=12513"}],"version-history":[{"count":5,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/12513\/revisions"}],"predecessor-version":[{"id":15656,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/posts\/12513\/revisions\/15656"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media\/15655"}],"wp:attachment":[{"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/media?parent=12513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/categories?post=12513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.youstable.com\/blog\/wp-json\/wp\/v2\/tags?post=12513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}