Add permanent rules to FirewallD

Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.

When adding rules to FirewallD they can be either on the fly (in which case they are not saved), or permanent rules which are saved but not added on the fly. This is actually quite handy but can be confusing if you’ve added rules on the fly and lose them when you reboot, or if you add permanent rules but they don’t seem to work!

Below, we will make these changes on the fly to the running configuration and then make them permanent.

Get the zone

FirewallD has a concept of zones, which have network interfaces in them (the default zone is usually public, but on Fedora Server it’s FedoraServer). Let’s get the default zone so that we know which zone to add rules to.
sudo firewall-cmd --get-active-zones

List current services on that zone.
sudo firewall-cmd --zone=public --list-all

Add rules on the fly

Add required TCP ports (let’s do port 80):
sudo firewall-cmd --zone=public --add-port=80/tcp

If you need a UDP port:
sudo firewall-cmd --zone=public --add-port=123/udp

You can also specify services, rather than ports if you like.

sudo firewall-cmd --zone=public --add-service=http

Remove rules on the fly

Removing rules is the same syntax as adding, but with remove instead of add.
sudo firewall-cmd --zone=public --remove-service=http

Make rules permanent

Once you have the rules working to your satisfaction, we can make them permanent so that they return after a reboot (or service restart).

sudo firewall-cmd --runtime-to-permanent

If you prefer, you could use the –permanent option to the rules you add instead and then just restart the firewall for them to take affect.

For example, add required TCP ports (let’s do port 80):
sudo firewall-cmd --permanent --zone=public --add-port=80/tcp

Restart firewall:
sudo systemctl restart firewalld

You’re done!

9 thoughts on “Add permanent rules to FirewallD

  1. They will by default if you use a service definition or a port. If you want an IPv6 only you’d be blocking on ipv6 addresses or ranges.

  2. Please note, if you use –permanent switch, the rule will be activate only _AFTER_ the firewall rules have been reloaded or firewalld.service has been restarted.

    That may cause some unnecessary head scratching. I know at least one person who fell for this :).

  3. Yeah, maybe I should bold this line?

    “You could restart the firewall for them to take affect, or set the rules again without the –permanent option to add them dynamically.”

  4. Dear All,
    I am using a ftp server where 30 ips can access from all around the world. I have allowed those ips with iptables ex :-“-A INPUT -s x.x.x.x/32 -p tcp -m tcp –dport 21 -j ACCEPT”
    Now i want to migrate that server with CentOS7 with firewalld what would be the command or line to achieve that .

    Please note that i am very new to this firewalld.



    Posts: 3
    Joined: 2014/09/16 12:51:32

Leave a Reply

Your email address will not be published. Required fields are marked *