Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.
Rules added to FirewallD are either runtime rules, which are applied on the fly but not saved, or permanent rules, which are saved but not applied to the running firewall. This is actually quite handy, but it can be confusing if you’ve added rules on the fly and lose them when you reboot, or if you add permanent rules but they don’t seem to work!
Below, we will make these changes on the fly to the running configuration and then make them permanent.
Get the zone
FirewallD has a concept of zones, which have network interfaces in them (the default zone is usually public, but on Fedora Server it’s FedoraServer). Let’s list the active zones so that we know which zone to add rules to.
sudo firewall-cmd --get-active-zones
List the current configuration of that zone (interfaces, services, ports and so on):
sudo firewall-cmd --zone=public --list-all
Add rules on the fly
Add required TCP ports (let’s do port 80):
sudo firewall-cmd --zone=public --add-port=80/tcp
If you need a UDP port:
sudo firewall-cmd --zone=public --add-port=123/udp
You can also specify services, rather than ports if you like.
sudo firewall-cmd --zone=public --add-service=http
Remove rules on the fly
Removing rules is the same syntax as adding, but with remove instead of add.
sudo firewall-cmd --zone=public --remove-service=http
Make rules permanent
Once you have the rules working to your satisfaction, we can make them permanent so that they return after a reboot (or service restart).
sudo firewall-cmd --runtime-to-permanent
If you prefer, you could use the --permanent option on the rules you add instead and then restart the firewall for them to take effect.
For example, add required TCP ports (let’s do port 80):
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp
sudo systemctl restart firewalld
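The two failure modes described above (runtime rules that vanish on reboot, permanent rules that never became active) can be checked for with a small script. The following is an added example, not part of the original post or of FirewallD itself: it lists the ports and services of a zone from both the runtime and the permanent configuration and reports anything present on only one side. It assumes firewall-cmd is installed and can be run with sudo; the FIREWALL_CMD and ZONE variables are override hooks of this script, not firewalld options.

```shell
#!/bin/sh
# Added example (not from the original post): compare a FirewallD zone's
# runtime configuration with its permanent configuration and report
# ports/services that exist on only one side.
#   runtime-only   -> will be lost on reboot (fix: --runtime-to-permanent)
#   permanent-only -> not active yet      (fix: reload/restart firewalld)
# FIREWALL_CMD and ZONE are assumed override hooks for this script only.

FIREWALL_CMD="${FIREWALL_CMD:-sudo firewall-cmd}"
ZONE="${ZONE:-public}"

# Print the zone's ports or services as one space-separated line.
# $1 is "ports" or "services"; $2 is "" (runtime) or "--permanent".
list_zone_items() {
    $FIREWALL_CMD $2 --zone="$ZONE" "--list-$1" | tr -s ' \n' '  '
}

# Print each word of list $1 that does not appear in list $2, one per line.
# Lists are space-separated words such as "80/tcp 123/udp".
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) echo "$item" ;;
        esac
    done
}

# Compare runtime and permanent entries of one kind ("ports" or "services").
# Returns 0 if identical, 1 if they differ; differences are printed.
check_kind() {
    kind="$1"
    runtime=$(list_zone_items "$kind" "")
    permanent=$(list_zone_items "$kind" "--permanent")
    kind_status=0
    for item in $(only_in "$runtime" "$permanent"); do
        echo "runtime-only $kind: $item (lost on reboot; run firewall-cmd --runtime-to-permanent)"
        kind_status=1
    done
    for item in $(only_in "$permanent" "$runtime"); do
        echo "permanent-only $kind: $item (not active; reload or restart firewalld)"
        kind_status=1
    done
    return $kind_status
}

# Check both ports and services; returns 0 only when everything is in sync.
check_zone_persistence() {
    zone_status=0
    check_kind ports || zone_status=1
    check_kind services || zone_status=1
    return $zone_status
}

# Run the check only when invoked as: sh check_zone.sh --check
if [ "${1:-}" = "--check" ]; then
    check_zone_persistence
fi
```

Run it with `ZONE=public sh check_zone.sh --check` after the steps above: an empty report and exit status 0 means the running rules and the saved rules match, which is the state you want before trusting a reboot.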