Add permanent rules to FirewallD

Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.

Find the active zone; this is usually “public”:
firewall-cmd --get-active-zones

List services on that zone:
firewall-cmd --zone=public --list-all

Add required TCP ports (let’s do port 80):
firewall-cmd --permanent --zone=public --add-port=80/tcp

If you need a UDP port:
firewall-cmd --permanent --zone=public --add-port=123/udp

You could restart the firewall for them to take effect, or set the rules again without the --permanent option to add them dynamically.

Restart firewall:
systemctl restart firewalld.service

You can also specify services rather than ports, if you like.

sudo firewall-cmd --permanent --zone=public --add-service=http
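Because a rule added with --permanent is not live until the next reload, and a rule added without it is lost on reload, it pays to compare the two configurations before walking away from the box. The script below is an added example, not part of the original post: it takes the whitespace-separated output of `firewall-cmd --list-ports` / `--list-services` (runtime and --permanent) and reports anything present in one but not the other. The sample values are constructed to match the steps above.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent
# configuration for one zone. Inputs are the space-separated lists that
#   firewall-cmd --zone=ZONE --list-ports / --list-services
# and their --permanent counterparts print.

# Print "<label> <item>" for every item of list $3 that is absent from list $2.
missing_from() {
    label=$1; have=" $2 "; want=$3
    for item in $want; do
        case "$have" in
            *" $item "*) ;;                 # present in both
            *) echo "$label $item" ;;       # only in the second list
        esac
    done
}

# $1 zone, $2/$3 runtime/permanent ports, $4/$5 runtime/permanent services.
# Prints one line per difference; returns 0 if the configs match, 1 otherwise.
firewalld_drift() {
    zone=$1
    report=$(
        missing_from "permanent-only port:"    "$2" "$3"
        missing_from "runtime-only port:"      "$3" "$2"
        missing_from "permanent-only service:" "$4" "$5"
        missing_from "runtime-only service:"   "$5" "$4"
    )
    if [ -n "$report" ]; then
        printf 'zone %s: runtime and permanent differ\n%s\n' "$zone" "$report"
        return 1
    fi
    echo "zone $zone: runtime and permanent match"
}

# Constructed sample: 123/udp and http were added with --permanent but the
# firewall has not been reloaded yet, so they are missing from the runtime view.
firewalld_drift public \
    "80/tcp"            "80/tcp 123/udp" \
    "dhcpv6-client ssh" "dhcpv6-client http ssh" \
    || echo "(run: firewall-cmd --reload, then check again)"

# On a real host, feed it live output instead of the sample:
#   firewalld_drift public \
#       "$(firewall-cmd --zone=public --list-ports)" \
#       "$(firewall-cmd --permanent --zone=public --list-ports)" \
#       "$(firewall-cmd --zone=public --list-services)" \
#       "$(firewall-cmd --permanent --zone=public --list-services)"
```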

You’re done!

6 Responses to “Add permanent rules to FirewallD”


  • Cool, do you know if the rules in firewalld apply to both IPv4 and v6? Cheers!

  • They will by default if you use a service definition or a port. If you want IPv6 only, you’d be blocking on IPv6 addresses or ranges.

  • Please note, if you use the --permanent switch, the rule will be active only _AFTER_ the firewall rules have been reloaded or firewalld.service has been restarted.

    That may cause some unnecessary head scratching. I know at least one person who fell for this :).

  • Yeah, maybe I should bold this line?

    “You could restart the firewall for them to take effect, or set the rules again without the --permanent option to add them dynamically.”

  • Dear All,
    I am using an FTP server where 30 IPs can access it from all around the world. I have allowed those IPs with iptables, e.g. “-A INPUT -s x.x.x.x/32 -p tcp -m tcp --dport 21 -j ACCEPT”.
    Now I want to migrate that server to CentOS7 with firewalld. What would be the command or line to achieve that?

    Please note that I am very new to this firewalld.

    Ehsan

    amiehsan

    Posts: 3
    Joined: 2014/09/16 12:51:32

  • Some thoughts:
    1) add source to a zone, then add the tftp rule to that zone (note, requires NetworkManager):
    firewall-cmd --permanent --zone=trusted --add-source=x.x.x.x/32
    2) add a rich rule, like iptables[1]
    3) turn off NetworkManager, turn off Firewalld and use iptables.

    [1] https://fedoraproject.org/wiki/Features/FirewalldRichLanguage

Leave a Reply