Add permanent rules to FirewallD

Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.

Get the active zones; the default zone is usually “public”:
firewall-cmd --get-active-zones

List services on that zone:
firewall-cmd --zone=public --list-all

Add required TCP ports (let’s do port 80):
firewall-cmd --permanent --zone=public --add-port=80/tcp

If you need a UDP port:
firewall-cmd --permanent --zone=public --add-port=123/udp

You could restart the firewall for them to take effect, or set the rules again without the --permanent option to add them dynamically.

Restart firewall:
systemctl restart firewalld.service

You can also specify services rather than ports, if you like.

sudo firewall-cmd --permanent --zone=public --add-service=http
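
To see which rules are saved with --permanent but not yet active (or active but not saved), you can compare the two configurations. This is an added example, not part of the original post; the function names diff_lists and check_zone and the script name fw-drift.sh are hypothetical, and it relies only on firewall-cmd's --list-ports and --list-services with and without --permanent.

```sh
#!/bin/sh
# Added example: compare firewalld's runtime and permanent configuration.
#   pending      = saved with --permanent, not active until reload/restart
#   runtime-only = active now, lost on the next reload/restart

# diff_lists RUNTIME PERMANENT
# Arguments are space-separated lists as printed by --list-ports or
# --list-services. Padding with spaces keeps 80/tcp from matching 8080/tcp.
diff_lists() (
    runtime=" $1 "
    permanent=" $2 "
    for item in $2; do
        case $runtime in
            *" $item "*) ;;
            *) echo "pending $item" ;;
        esac
    done
    for item in $1; do
        case $permanent in
            *" $item "*) ;;
            *) echo "runtime-only $item" ;;
        esac
    done
)

# check_zone ZONE: exit status 0 = in sync, 1 = drift, 2 = firewall-cmd failed.
check_zone() (
    zone=$1
    rc=0
    for kind in ports services; do
        runtime=$(firewall-cmd --zone="$zone" --list-"$kind") || exit 2
        permanent=$(firewall-cmd --permanent --zone="$zone" --list-"$kind") || exit 2
        out=$(diff_lists "$runtime" "$permanent")
        if [ -n "$out" ]; then
            echo "$kind in zone $zone:"
            echo "$out"
            rc=1
        fi
    done
    exit "$rc"
)

# Runs only when a zone is given, e.g.: sudo sh fw-drift.sh public
if [ "$#" -gt 0 ]; then
    check_zone "$1"
fi
```

Run right after the --permanent commands above, it should list 80/tcp, 123/udp and http as pending until the firewall is restarted.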

You’re done!

4 Responses to “Add permanent rules to FirewallD”


  • Cool, do you know if the rules in firewalld apply to both ipv4 and v6? Cheers!

  • They will by default if you use a service definition or a port. If you want IPv6 only, you’d be blocking on IPv6 addresses or ranges.

  • Please note, if you use the --permanent switch, the rule will be active only _AFTER_ the firewall rules have been reloaded or firewalld.service has been restarted.

    That may cause some unnecessary head scratching. I know at least one person who fell for this :).

  • Yeah, maybe I should bold this line?

    “You could restart the firewall for them to take effect, or set the rules again without the --permanent option to add them dynamically.”
