RHEL7: How to get started with Firewalld.

Note: This is a RHCSA 7 exam objective and a RHCE 7 exam objective.


Firewalld is the new userland firewall management interface in RHEL 7. It replaces the iptables front end and drives the same netfilter kernel code. Its main improvement for security rules management is that the configuration can be changed at runtime without stopping the current connections.

To know if Firewalld is running, type:

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago

or alternatively:

# firewall-cmd --state

Note: If Firewalld is not running, the command displays not running.

If you’ve got several IPv4 network interfaces, you will have to activate IP forwarding.
To do that, paste the following line into the /etc/sysctl.conf file:

net.ipv4.ip_forward = 1

Then, activate the configuration:

# sysctl -p

Note: If you are interested in kernel parameter configuration, there is a tutorial about the sysctl command.

Although Firewalld is the RHEL 7 way to deal with firewalls and provides many improvements, iptables can still be used (but both shouldn’t run at the same time).

You can also look at the iptables rules created by Firewalld with the iptables-save command.

Zone Management

Also, a new concept of zone appears: all network interfaces can be located in the same default zone or divided into different zones according to the levels of trust you define. In the latter case, this makes it possible to restrict traffic based on its origin zone (read this article from lwn.net for more details).
Note: Without any configuration, everything is done by default in the public zone. If you’ve got more than one network interface or use sources (see the Source Management section below), you will be able to restrict traffic between zones.

To get the default zone, type:

# firewall-cmd --get-default-zone

To get the list of zones where you’ve got network interfaces or sources assigned to, type:

# firewall-cmd --get-active-zones
interfaces: eth0

To get the list of all the available zones, type:

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

To change the default zone to home permanently, type:

# firewall-cmd --set-default-zone=home

Note: This information is stored in the /etc/firewalld/firewalld.conf file.

Network interfaces can be assigned to a zone in a permanent way.
To permanently assign the eth0 network interface to the internal zone (a file called internal.xml is created in the /etc/firewalld/zones directory), type:

# firewall-cmd --permanent --zone=internal --change-interface=eth0
# nmcli con show | grep eth0
System eth0  4de55c95-2368-429b-be65-8f7b1a357e3f  802-3-ethernet  eth0
# nmcli con mod "System eth0" connection.zone internal
# nmcli con up "System eth0"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)

Note1: This operation can also be done by editing the /etc/sysconfig/network-scripts/ifcfg-eth0 file, adding ZONE=internal, and then running # nmcli con reload.
Note2: More information about the nmcli command is available at the page dedicated to nmcli or at the IPv4 configuration page.

To know which zone is associated with the eth0 interface, type:

# firewall-cmd --get-zone-of-interface=eth0

To get the permanent configuration of the public zone, type:

# firewall-cmd --permanent --zone=public --list-all
public (default, active)
  interfaces: eth0
  services: dhcpv6-client ssh
  masquerade: no
  rich rules: 

It is also possible to create new zones. To create a new zone (here test), type:

# firewall-cmd --permanent --new-zone=test
# firewall-cmd --reload

Note: Only permanent zones can be created.

Source Management

A zone can be bound to a network interface (see above) and/or to a network address or address range (called here a source).
Any network packet entering the network stack is associated with a zone.
The association is done according to the following pattern:
– is the packet coming from a source already bound to a zone? (if yes, it is associated with this zone),
– if not, is the packet coming through a network interface already bound to a zone? (if yes, it is associated with this zone),
– if not, the packet is associated with the default zone.

This way, multiple zones can be defined even on a server with only one network interface!
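As an added example (not part of the original article), the following shell script models the three-step zone lookup described above on constructed bindings: a matching source wins over a matching interface, which wins over the default zone. The binding tables, the CIDR matcher and the zone_for_packet function are assumptions of this example (they are not firewall-cmd options and are not read from a live daemon); they let you try the precedence offline, including the case where a source binding overrides the zone of the interface the packet arrived on.

```shell
#!/bin/sh
# Added example (not from the article): model of how firewalld picks the zone
# for an incoming packet. Order of precedence, as described in the article:
#   1. a source (address/prefix) binding,
#   2. an interface binding,
#   3. the default zone.
# The binding tables below are constructed sample data, not read from a live
# daemon; the functions are this example's own, not firewall-cmd options.

DEFAULT_ZONE=public

# Constructed source bindings, one "PREFIX ZONE" pair per line.
SOURCE_BINDINGS='192.168.10.0/24 trusted
10.0.0.5/32 internal'

# Constructed interface bindings, one "INTERFACE ZONE" pair per line.
INTERFACE_BINDINGS='eth0 public
eth1 dmz'

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NETWORK/PREFIXLEN -> succeeds when IP lies inside the prefix
# (a bare address with no /PREFIXLEN is treated as a single host)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# zone_for_packet SRC_IP INTERFACE -> prints the zone the packet lands in
zone_for_packet() {
    src=$1
    iface=$2
    # Step 1: a matching source binding wins, whatever the interface.
    while read -r prefix zone; do
        [ -n "$prefix" ] || continue
        if in_cidr "$src" "$prefix"; then
            echo "$zone"
            return 0
        fi
    done <<EOF
$SOURCE_BINDINGS
EOF
    # Step 2: otherwise the zone bound to the ingress interface.
    while read -r name zone; do
        [ -n "$name" ] || continue
        if [ "$name" = "$iface" ]; then
            echo "$zone"
            return 0
        fi
    done <<EOF
$INTERFACE_BINDINGS
EOF
    # Step 3: fall back to the default zone.
    echo "$DEFAULT_ZONE"
}

# Stand-alone run over a few constructed packets.
for pkt in "192.168.10.7 eth0" "10.0.0.5 eth1" "10.0.0.6 eth1" "172.16.0.1 eth2"; do
    set -- $pkt
    echo "src=$1 iface=$2 -> zone $(zone_for_packet "$1" "$2")"
done
```

The second sample packet is the interesting one: it arrives on eth1, which is bound to dmz, but its source 10.0.0.5 is bound to internal, so the internal zone's rules apply. That is exactly why a single-interface server can still carry several zones, and why a source binding must be reviewed as carefully as an interface binding.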

Caution: To get this feature, Firewalld relies on NetworkManager (see reference). This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop Firewalld and use Iptables instead!

To add a source (here to a zone (here trusted) permanently, type:

# firewall-cmd --permanent --zone=trusted --add-source=
# firewall-cmd --reload

Note1: Use the --remove-source option to delete a previously assigned source.
Note2: Use the --change-source option to move the source to the newly specified zone.
Note3: If you want to temporarily add a source to a zone, don’t use the --permanent option and don’t reload the firewall configuration. If you reload the firewall configuration, all runtime changes are discarded.
Note4: You can also make some runtime changes and, when you like your new configuration, turn it into the permanent configuration with the firewall-cmd --runtime-to-permanent command.

To get the list of the sources currently bound to a zone (here trusted), type:

# firewall-cmd --zone=trusted --list-sources

Note: Add the --permanent option if you only want to display permanent settings.

To keep track of your configuration (active zones are zones that have a binding to an interface or source), type:

# firewall-cmd --get-active-zones
  interfaces: eth0

As an example of source management, let’s assume you want to only allow connections to your server from a specific IP address (here

# firewall-cmd --zone=internal --add-service=ssh --permanent
# firewall-cmd --zone=internal --add-source= --permanent
# firewall-cmd --zone=public --remove-service=ssh --permanent
# firewall-cmd --reload

Source: Serverfault website.

Service Management

After assigning each network interface to a zone, it is now possible to add services to each zone.
To allow the http service permanently in the internal zone, type:

# firewall-cmd --permanent --zone=internal --add-service=http
# firewall-cmd --reload

Note1: Type --remove-service=http to deny the http service.
Note2: The firewall-cmd --reload command is necessary to activate a permanent change. Contrary to the --complete-reload option, current connections are not stopped.
Note3: If you only want to temporarily add a service, don’t use the --permanent option and don’t reload the firewall configuration. If you reload the firewall configuration, all runtime changes are discarded.

If you want to temporarily add several services (here http, https, and dns) at the same time to the internal zone, type:

# firewall-cmd --zone=internal --add-service={http,https,dns}

To get the list of services in the default zone, type:

# firewall-cmd --list-services
dhcpv6-client ssh

Note: To get the list of the services in a particular zone, add the --zone= option.

Service Firewall Configuration

With the Firewalld package, the firewall configuration of the main services (ftp, httpd, etc.) ships in the /usr/lib/firewalld/services directory. It is still possible to add new ones in the /etc/firewalld/services directory. If files exist at both locations for the same service, the file in the /etc/firewalld/services directory takes precedence.

The HAProxy service is such a case: no firewall service definition ships for it.
Create the /etc/firewalld/services/haproxy.xml file and paste the following lines:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>HAProxy</short>
  <description>HAProxy load-balancer</description>
  <port protocol="tcp" port="80"/>
</service>

Note: You can use the firewall-cmd --permanent --new-service=haproxy command to quickly create a configuration file skeleton.

Assign the correct SELinux context and file permissions to the haproxy.xml file:

# cd /etc/firewalld/services
# restorecon haproxy.xml
# chmod 640 haproxy.xml

Add the HAProxy service to the default zone permanently and reload the firewall configuration:

# firewall-cmd --permanent --add-service=haproxy
# firewall-cmd --reload
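Added example, not from the original article: a shell script that writes a service definition in the same XML layout as the haproxy.xml file above (with a second port, to show the multi-port case), applies the 640 file mode, and mimics the lookup precedence between /etc/firewalld/services and /usr/lib/firewalld/services described in this section. The directory tree is created under a temporary root so the script runs unprivileged and touches no real system file; the function names and the sample service are assumptions of this example, not firewalld tooling.

```shell
#!/bin/sh
# Added example (not from the article): build a firewalld service definition
# and show which copy of a service file wins when both the vendor directory
# (usr/lib/firewalld/services) and the admin directory (etc/firewalld/services)
# contain one. Everything happens under a temporary root, so no real system
# file is touched and no root privileges are needed.

# write_service_xml FILE SHORT DESCRIPTION PORT/PROTO...
# Writes the same layout as the haproxy.xml file in the article, one <port/>
# element per PORT/PROTO argument, then restricts the file mode to 640.
write_service_xml() {
    file=$1 short=$2 desc=$3
    shift 3
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    chmod 640 "$file"
}

# resolve_service_file ROOT NAME
# Prints the path that would be loaded for service NAME: the admin copy under
# etc/ overrides the vendor copy under usr/lib/. Fails if neither exists.
resolve_service_file() {
    for dir in "$1/etc/firewalld/services" "$1/usr/lib/firewalld/services"; do
        if [ -f "$dir/$2.xml" ]; then
            echo "$dir/$2.xml"
            return 0
        fi
    done
    return 1
}

# service_ports FILE
# Lists the PORT/PROTO pairs declared in a service file, one per line.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\2\/\1/p' "$1"
}

# setup_demo_tree
# Creates a constructed tree with a vendor haproxy service (80/tcp only) and an
# admin override that also opens 443/tcp; prints the temporary root.
setup_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/firewalld/services" "$root/usr/lib/firewalld/services"
    write_service_xml "$root/usr/lib/firewalld/services/haproxy.xml" \
        HAProxy "HAProxy load-balancer" 80/tcp
    write_service_xml "$root/etc/firewalld/services/haproxy.xml" \
        HAProxy "HAProxy load-balancer" 80/tcp 443/tcp
    echo "$root"
}

# Stand-alone run: show the chosen file and its ports, then clean up.
demo_root=$(setup_demo_tree)
chosen=$(resolve_service_file "$demo_root" haproxy)
echo "service file in effect: $chosen"
echo "ports opened by it: $(service_ports "$chosen" | xargs)"
rm -rf "$demo_root"
```

The practical point of the precedence check: after editing a file under /etc/firewalld/services, confirm that it is the copy actually in effect, since a stale vendor copy with a different port list is otherwise easy to overlook when auditing what a zone exposes.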

Port Management

Port management follows the same model as service management.

To allow the 443/tcp port temporarily in the internal zone, type:

# firewall-cmd --zone=internal --add-port=443/tcp

Note1: To make the configuration permanent, add the --permanent option and reload the firewall configuration.
Note2: Type --remove-port=443/tcp to deny the port.

To get the list of ports currently open in the internal zone, type:

# firewall-cmd --zone=internal --list-ports

Note: To only get the list of ports permanently open, add the --permanent option. Here, you will not get anything, because the port was only added to the runtime configuration.

Masquerading

If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called internal, the other external, and configure masquerading on the external zone. This way, all outgoing packets will get your firewall IP address as source address.

To set up masquerading on the external zone in a temporary way, type:

# firewall-cmd --zone=external --add-masquerade

Note1: To remove masquerading, use the --remove-masquerade option.
Note2: To know if masquerading is active in a zone, use the --query-masquerade option.
Note3: To make the configuration permanent, add the --permanent option and reload the firewall configuration.

Port Forwarding

In addition to masquerading, you may also want to use port forwarding.
If you want all packets intended for tcp port 22 to be forwarded to tcp port 3753 temporarily, type:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

Note1: To remove port forwarding, use the --remove-forward-port option.
Note2: To know if port forwarding is active in a zone, use the --query-forward-port option.
Note3: If you want to make the configuration permanent, add the --permanent option and reload the firewall configuration.

Also, if you want to define the destination ip address, this time in a permanent way, type:

# firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=
# firewall-cmd --reload

Direct Rules

It is still possible to set specific rules by using the direct mode (here to open the tcp port 9000), which bypasses the Firewalld zone and service abstractions:

# firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

Note1: This example has been borrowed from Khosro Taraghi’s blog.
Note2: Use the same command with --remove-rule instead of --add-rule to delete the rule.
Note3: The configuration is temporary unless you add the --permanent option just after the --direct option.
Note4: It is not necessary to reload the firewall configuration, all commands are directly activated.

To display all the direct rules added, type:

# firewall-cmd --direct --get-all-rules

Note: For your information, the permanent direct configuration is written into the /etc/firewalld/direct.xml file.

Special Modules

Sometimes specific kernel modules are required. Instead of loading them from a rc.local file, it is better to declare them in the /etc/modules-load.d directory so that they are loaded at boot, before Firewalld needs them.
In this example we want to add the ip_nat_ftp and ip_conntrack_ftp modules to track ftp connections.
We only need to choose a filename (here firewall_ftp.conf) and type these instructions:

# echo ip_nat_ftp > /etc/modules-load.d/firewall_ftp.conf
# echo ip_conntrack_ftp >> /etc/modules-load.d/firewall_ftp.conf

Source: StackExchange website.

Offline Configuration

In some cases (installations through Anaconda or Kickstart for example), you need to set up firewall rules while Firewalld is not running. The firewall-offline-cmd command was created for this purpose.
For instance, to open the tcp port 22, you would previously have added the following line to the /etc/sysconfig/iptables file:

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Instead, you can now execute the following command:

# firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

Configuration Backup

To store the currently loaded rules into files, type:

# iptables -S > firewalld_rules_ipv4
# ip6tables -S > firewalld_rules_ipv6

Debugging Tip

To better understand how Firewalld works, assign the ‘--debug’ value to the FIREWALLD_ARGS variable in the /etc/sysconfig/firewalld file:

# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=--debug

Note: Messages will be written into the /var/log/firewalld file.

Additional Resources

Sources: RHEL7 Security Guide, wiki Fedora project.

52 Comments on "RHEL7: How to get started with Firewalld."

1 year 11 months ago
I started studying with RHEL 6 in April and switched over to 7 – As a result, I spent a lot of time honing iptables skills only to have firewalld take over (similar to sysvinit and systemd). I honestly prefer iptables as I am much more comfortable with it on the fly and the exam requirement states that you can still use iptables to fulfill any firewall requirements. Therefore, I think it might be helpful to some to show how to disable firewalld in favor of iptables. > systemctl disable firewalld > systemctl stop firewalld > yum -y install iptables-services… Read more »
1 year 10 months ago

Okay I have a few questions. They are as follows:
1: Has Red Hat cancelled RHCE 6 and only has RHCE 7, or can one still take RHCE 6 for now?
2: I also prefer iptables but, funny enough, the manually configured iptables information did not persist across a reboot, but I guess I may have to use system-config-firewall to make my modifications.

I look forward to your response.

Thanks in advance.

1 year 10 months ago

I don’t understand the relationship between iptables and firewalld. They seem to reference each other, but are two different firewalls, each with their own config files. Can you explain how the two are related, and how to remove iptables completely and work solely with firewalld?

1 year 7 months ago
Personally I think firewalld is overly complicated for most server environments; it is probably more useful for graphical users. Setting up a chain for a device (or assigning a zone to an interface in firewalld) is fairly simple in iptables directly; most servers have a single interface (or bonded single) so really the use case is small. The addition of rich rules appears more complex than one directly in iptables. Not really sure what other Administrators do but I always insert iptables and save, this does not require a reload of iptables like they make you think is an advantage with firewalld… Read more »
1 year 7 months ago

For the RHCE exam it is however specifically listed as an objective.

“Use firewalld and associated mechanisms such as rich rules, zones and custom rules, to implement packet filtering and configure network address translation (NAT)”

You may very well be able to disable it in RHCSA exam but then they probably want you to do something far simpler with it so probably not much point.

1 year 6 months ago

There is something which really confuses me, when doing a port forward like the command below you mentioned:

# firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753

I know that I have to use --add-masquerade, but do I also need to edit sysctl.conf and add net.ipv4.ip_forward=1, or in which case do I do this?

1 year 5 months ago

Under “Port management” you ran “--add-port” temporarily. You should remove the “--reload”, otherwise “--remove-port” fails.

1 year 2 months ago

Can direct rules be added and seen on the firewall GUI?

10 months 3 days ago
I am trying to use a spare router as a gateway for the internal zone. No internet access, just to create an intranet of all my servers so as to practice port forwarding between the internal zone and the public zone. Would you please post a link on how to do that. Also for some unexplained reason firewalld keeps assigning all my interfaces to the default zone. I assign them to other zones (--remove-interface and then --add-interface permanent etc and --reload) and although it is ok, after a reboot they are all again stacked together in the default zone. I am furious beyond words….:)… Read more »
9 months 14 days ago


Interfaces will always revert to the default zone if they do not have an alternative zone defined within their configuration. Just add in
/etc/sysconfig/network-scripts/ifcfg-eth0 “zone=internal”

after that:

systemctl restart network.service
systemctl restart firewalld.service

and zone internal will be active with interface eth0

7 months 3 days ago
I would say that the RedHat way should be to both place the interface in the given zone using firewall-cmd AND set the zone in the connection by using nmcli connection.zone. ifup scripts reset the if zone no matter what you set in the firewall config. Ugly state of affairs. BTW, I was bitten by the default ACCEPT target of the trusted zone. You don’t need to add services to trusted (no brainer) but some port forwarding does not work either there. Case in point, I had httpd listening on both 80 and 82, and added a port forward from… Read more »
9 months 19 days ago

Maybe it’s right under my nose and I just don’t see it. What are the equivalent firewalld CLI commands to list the firewall rules?

Something like iptables -L.

8 months 19 days ago
Can somebody help in case they know? I’m unable to implement the 1) and 3) rules using rich rules and zones. I think you need to use direct rules. Create a permanent rich rule configuration in the DMZ that matches the following requirements: 1) All packets coming in from the network should be blocked. 2) All packets that are addressed to the SSH services should be logged with a maximum of two packets per minute. The messages should be logged with the “debug” log level, and the prefix “SSH:“. 3) If packets are coming from the host with IP address… Read more »
8 months 13 hours ago
I’m configuring firewalld for a project, where NetworkManager is disabled for our standard RHEL7/CentOS7 build, and nearly followed your advice to disable firewalld and migrate to iptables: “Caution: To get this feature, Firewalld relies on NetworkManager (see reference). This means that if you plan to stop NetworkManager for any reason (for example when building a KVM host), you will have to stop Firewalld and use Iptables instead!” The RHEL7 reference actually advises to use the --permanent --add-interface option: “IMPORTANT The --permanent --add-interface option is supposed to be used only for interfaces that are not managed by the NetworkManager utility. This… Read more »
6 months 5 days ago

command ‘sysctl -a |grep forward’ can give you information if ip forwarding is enabled or not. 🙂

5 months 1 day ago
I’ve got a question about routing with firewalld. I managed to get routing working between two network interfaces, eth0 and eth1, by using direct (--direct) rules. However, I read that direct options should be used only as a last resort when it’s not possible to use for example --add-rich-rule=’rule’. Does anyone know a way of configuring routing between eth0 and eth1 interfaces with rich rules? For example, the direct rule I have to allow VMs on a dmz (eth1) to access the public network (eth0) on the SSH port: # firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i eth1 -o eth0 -p tcp… Read more »
5 months 23 hours ago

It turns out that I only need to enable masquerading on the public interface, and enable ip_forward. No other config is required to make routing work basically.

2 months 17 days ago

Hello CertDepot, How do I query default FORWARD policy using firewall-cmd?

1 month 29 days ago

The below will list any FORWARD chain direct rules that exist:
# firewall-cmd --direct --get-all-rules

2 months 23 hours ago
I am not familiar yet with firewalld, and now I know why, because it is completely not intuitive. In my opinion, when you have got the router, based on the linux system, you should still choose iptables. Firewalld still looks like a beta version, and you still write the direct rules if you want to do something more complicated 🙁 I do not completely understand the idea of preconfig 9 zones (why not 7 maybe 11), the better way is to give the option to create the new zones by admin, how many he need. 1. Is it possible to… Read more »
1 month 23 days ago

I’ve tried to backup and restore the firewalld configuration via “iptables -S” and “iptables-save” and restoring via “iptables-restore”, but it didn’t work.

The only solution I have found to do the trick is to backup via “cp -a /etc/firewalld /some_location/” and later restore via “cp -a /some_location/firewalld/ /etc” and reloading via “firewall-cmd --reload”.

And if you want to test something you can always prevent locking yourself out via:
1. Set atd to reload the firewall some time in advance
2. “firewall-cmd ” without permanent
3. And if you like it, “firewall-cmd --runtime-to-permanent”

18 days 11 hours ago

When asked to configure a firewall in exam which allows so and so service.. are we supposed to create a new zone or editing any of the preconfigured zones will be ok?

