How to Configure FirewallD in RHEL, Rocky & AlmaLinux https://www.tecmint.com/configure-firewalld-rhel-rocky-almalinux/
How to Configure FirewallD in RHEL-based Distributions
Babin Lonston Last Updated: November 11, 2022 AlmaLinux, CentOS, Fedora, Firewalls,
RedHat, Rocky Linux, Security 22 Comments
Net-filter, as we all know, is the firewall in Linux. Firewalld is a dynamic daemon to
manage firewalls with support for network zones. In earlier versions of RHEL and
CentOS, we used iptables as the daemon for the packet-filtering framework.
In newer versions of RHEL-based distributions such as Fedora, Rocky Linux,
CentOS Stream, AlmaLinux, and openSUSE, the iptables interface is being
replaced by firewalld.
It's recommended to start using Firewalld instead of iptables, as iptables may be
discontinued in the future. However, iptables is still supported and can be installed
with the yum command. We can't run Firewalld and iptables together on the same
system, as this may lead to conflicts.
In iptables, we used to configure the INPUT, OUTPUT, and FORWARD chains, but
in Firewalld the concept is zones. By default, there are different zones
available in firewalld, which will be discussed in this article.
The basic zones are like a public zone and a private zone. To work with these
zones, we need to add the interface to the specified zone, and then we can add
services to firewalld.
By default, there are many services available. One of the best features of firewalld
is that it comes with pre-defined services, and we can take these services as examples
for adding our own services by simply copying them.
Firewalld works great with IPv4, IPv6, and Ethernet bridges too. We can have
separate run-time and permanent configurations in firewalld.
Let's get started on how to work with zones, create our own services, and make much
more exciting use of firewalld in Linux.
Our Testing Environment
Operating System : Red Hat Enterprise Linux release 9.0 (Plow)
IP Address : 192.168.0.159
Host-name : tecmint-rhel9
Step 1: Installing Firewalld in RHEL-based Systems
1. The firewalld package is installed by default in RHEL, Fedora, Rocky Linux, CentOS
Stream, AlmaLinux, and openSUSE. If not, you can install it using the following yum
command.
# yum install firewalld -y
2. After the firewalld package has been installed, verify whether the iptables
service is running. If it is running, you need to stop and mask (not use
anymore) the iptables service with the commands below.
# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables
Step 2: Understanding Firewalld Components (Zones and Rules)
3. Before heading into firewalld configuration, I would like to discuss each zone.
By default, there are some zones available. We need to assign the interface to a
zone. A zone defines the level of trust or denial applied to the interface's
connections. A zone can contain services & ports.
Here, we're going to describe each zone available in Firewalld.
• Drop Zone: Any incoming packets are dropped if we use the drop zone. This is
the same as adding iptables -j DROP. With the drop rule there is no reply;
only outgoing network connections will be available.
• Block Zone: The block zone denies incoming network connections, rejecting
them with an icmp-host-prohibited message. Only established connections within
the server will be allowed.
• Public Zone: To accept selected connections, we can define rules in the
public zone. This will only allow the specific port to open on our server; other
connections will be dropped.
• External Zone: This zone acts as a router option with masquerading
enabled; other connections will be dropped and not accepted, and only
specified connections will be allowed.
• DMZ Zone: If we need to allow access to some of the services to the public,
we can define it in the DMZ zone. This too has the feature of only selected
incoming connections being accepted.
• Work Zone: In this zone, we can define that only internal networks, i.e. private
network traffic, are allowed.
• Home Zone: This zone is specially used in home areas; we can use this zone
to trust the other computers on the network not to harm your computer, as in
every zone. This too allows only the selected incoming connections.
• Internal Zone: This one is similar to the work zone, with selected allowed
connections.
• Trusted Zone: If we set the trusted zone, all the traffic is accepted.
Now that you have a better idea about zones, let's find out the available zones and
the default zone, and list all zones, using the following commands.
List Firewalld Zones
# firewall-cmd --get-zones
List Firewalld Default Zone
# firewall-cmd --get-default-zone
List All Firewalld Zones
# firewall-cmd --list-all-zones
Note: The output of the above command won't fit on a single page, as it lists
every zone: block, dmz, drop, external, home, internal, public, trusted, and work.
If a zone has any rich rules, enabled services, or ports, they will also be listed
with that zone's information.
Step 3: Setting Default Firewalld Zone
4. If you would like to set the default zone as internal, external, drop, work, or any
other zone, you can use the below command to set the default zone. Here we use
the “internal” zone as default.
# firewall-cmd --set-default-zone=internal
5. After setting the zone, verify the default zone using the below command.
# firewall-cmd --get-default-zone
6. Here, our interface is enp0s3. To check the zone to which the interface
is bound, we can use the command below.
# firewall-cmd --get-zone-of-interface=enp0s3
7. Another interesting feature of firewalld is 'icmptype', the set of ICMP types
supported by firewalld. To get the listing of supported ICMP types, we can use the
command below.
# firewall-cmd --get-icmptypes
Step 4: Creating Own Services in Firewalld
8. Services are sets of rules with ports and options that are used by Firewalld.
Services that are enabled will be automatically loaded when the Firewalld service
is up and running.
By default, many services are available. To get the list of all available services, use
the following command.
# firewall-cmd --get-services
9. To see all the default available services, go to the following directory,
where the service files are listed.
# cd /usr/lib/firewalld/services/
10. To create your own service, you need to define it at the following location. For
example, here I want to add a service for RTMP port 1935; first, make a copy of any
one of the services.
# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
And then, navigate to the location where our service file was copied, and rename
the file 'ssh.xml' to 'rtmp.xml' as shown below.
# cd /etc/firewalld/services/
# mv ssh.xml rtmp.xml
# ls -l rtmp.xml
11. Next, open and edit the file to set the Heading, Description, Protocol, and Port
number that we need for the RTMP service.
12. To activate these changes, restart the firewalld service or reload the
settings.
# firewall-cmd --reload
13. To confirm whether the service was added, run the command below to get a
list of available services.
# firewall-cmd --get-services
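The service file that step 11 edits, as an added example (not taken from the original article): the script below generates an rtmp.xml in firewalld's service format and refuses invalid protocol or port values. The short name and description text are assumptions; only port 1935 comes from the article, and the demo writes to a scratch directory rather than /etc/firewalld/services.

```shell
#!/usr/bin/env bash
# Added example: build a firewalld service definition like the rtmp.xml of step 11.
# Function names, the short name and the description are assumptions for illustration.

xml_escape() {  # escape the characters that are special in XML text
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# make_service_xml SHORT DESCRIPTION PROTOCOL PORT -> XML on stdout, non-zero on bad input
make_service_xml() {
    local short="$1" desc="$2" proto="$3" port="$4"
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "unsupported protocol: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$(xml_escape "$short")</short>
  <description>$(xml_escape "$desc")</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# install_service NAME DIR SHORT DESCRIPTION PROTOCOL PORT
# Writes DIR/NAME.xml via a temp file, so a rejected input never leaves a partial file.
install_service() {
    local name="$1" dir="$2" tmp
    shift 2
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    if make_service_xml "$@" > "$tmp"; then
        chmod 0644 "$tmp" && mv "$tmp" "$dir/$name.xml"
    else
        rm -f "$tmp"; return 1
    fi
}

# Demo in a scratch directory; on a real host DIR would be /etc/firewalld/services
demo_dir=$(mktemp -d)
install_service rtmp "$demo_dir" "RTMP" "Real Time Messaging Protocol streaming" tcp 1935
cat "$demo_dir/rtmp.xml"
```

After placing the file in /etc/firewalld/services on a real host, `firewall-cmd --reload` followed by `firewall-cmd --info-service=rtmp` shows the definition firewalld parsed.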
Step 5: Assigning Services to Firewalld Zones
14. Here we are going to see how to manage the firewall using the firewall-cmd
command. To know the current state of the firewall and all active zones, type the
following command.
# firewall-cmd --state
# firewall-cmd --get-active-zones
15. Interface enp0s3 is in the public zone, which is the default zone, as
defined in the /etc/firewalld/firewalld.conf file with DefaultZone=public.
To list all available services in this default interface zone:
# firewall-cmd --get-services
Step 6: Adding Services to Firewalld Zones
16. In the above examples, we have seen how to create our own services by
creating the rtmp service. Here we will see how to add the rtmp service to the zone
as well.
# firewall-cmd --add-service=rtmp
17. To remove the added service from the zone, type:
# firewall-cmd --zone=public --remove-service=rtmp
The above steps are temporary only. To make the change permanent, we need to run
the command below with the --permanent option.
# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload
18. Define rules for a network source range and open any one of the ports. For
example, if you would like to open a network range, say '192.168.0.0/24', and port
'1935', use the following commands.
# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp
Make sure to reload the firewalld service after adding or removing any services or
ports.
# firewall-cmd --reload
# firewall-cmd --list-all
Step 7: Adding Firewalld Rich Rules for Network Range
19. If I want to allow services such as http, https, vnc-server, and PostgreSQL, I
use the following rules. First, add the rule and make it permanent, then reload the
rules and check the status.
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent
Now, the network range 192.168.0.0/24 can use the above services from my server.
The --permanent option can be used in every rule, but we should first define the rule
and check client access, and only after that make it permanent.
20. After adding the above rules, don't forget to reload the firewall rules and list the
rules using:
# firewall-cmd --reload
# firewall-cmd --list-all
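An added example (not from the original article): a small audit over `firewall-cmd --list-all` output that separates what is open to everything reaching the zone from what a rich rule limits to a source address. The sample listing is constructed to mirror the state after steps 16 to 19, with the zone name public assumed; with enp0s3 bound to the zone, the rtmp service and the 1935/tcp port from steps 16 and 18 are zone-wide and are not limited by `--add-source`, while the rich-rule services are.

```shell
#!/usr/bin/env bash
# Added example: classify a zone's exposure from `firewall-cmd --list-all` text.
# SAMPLE is constructed for illustration; audit_zone is a hypothetical helper name.

SAMPLE='public (active)
  target: default
  interfaces: enp0s3
  sources: 192.168.0.0/24
  services: cockpit dhcpv6-client rtmp ssh
  ports: 1935/tcp
  rich rules:
        rule family="ipv4" source address="192.168.0.0/24" service name="http" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="https" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept
        rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'

# Reads a --list-all listing on stdin and prints one finding per line:
#   ZONE-WIDE       service/port accepted from any source that reaches the zone
#   SOURCE-LIMITED  service accepted only from the rich rule source address
#   REDUNDANT       rich rule for a service that is already open zone-wide
audit_zone() {
    awk '
    /^[^ \t]/ { zone = $1; split("", wide); next }   # zone header, e.g. "public (active)"
    $1 == "services:" {
        for (i = 2; i <= NF; i++) { wide[$i] = 1; print zone ": ZONE-WIDE service " $i }
    }
    $1 == "ports:" {
        for (i = 2; i <= NF; i++) print zone ": ZONE-WIDE port " $i
    }
    $1 == "rule" && $NF == "accept" {
        src = "any"; svc = ""
        if (match($0, /source address="[^"]+"/)) src = substr($0, RSTART + 16, RLENGTH - 17)
        if (match($0, /service name="[^"]+"/))  svc = substr($0, RSTART + 14, RLENGTH - 15)
        if (svc == "") next
        if (svc in wide) print zone ": REDUNDANT rule for " svc " (already zone-wide)"
        else print zone ": SOURCE-LIMITED service " svc " from " src
    }'
}

# Demo on the constructed listing; on a real host: firewall-cmd --list-all | audit_zone
printf '%s\n' "$SAMPLE" | audit_zone
```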
To know more about Firewalld.
# man firewalld
That's it, we have seen how to set up a net-filter using Firewalld in RHEL-based
distributions such as Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and
openSUSE.
Conclusion
Net-filter is the firewall framework for each and every Linux distribution. Back
in every RHEL and CentOS edition, we used iptables, but in newer versions, they
have introduced Firewalld. It's easier to understand and use firewalld. Hope you
have enjoyed the write-up.
22 thoughts on “How to Configure FirewallD in RHEL-based Distributions”
Wendell Anderson
April 5, 2021 at 1:58 am
My comment post was submitted twice in error, so I am assuming that is the
reason it was not published.
firewalld is the default firewall utility in openSUSE as well as in
Redhat/CentOS/Fedora, so I do not understand the reason for not adding
SUSE to distributions supported.
Please verify if Tecmint has a strong preference for these now
IBM-owned/controlled distributions, over other major distributions like
SUSE/OpenSUSE, so that readers are fully aware.
Thank You
Admin
Ravi Saive
April 5, 2021 at 10:16 am
@Wendell,
I have included OpenSUSE in the article as suggested by you…
Jalal
April 4, 2021 at 6:10 pm
Hi,
Thanks for the great topic…
Marian
February 24, 2019 at 10:05 pm
Hello again,
This is the type of errors present on DNS co-related with my previous
message
63023 ServFail 0/0/0 (40)
62993 ServFail 0/0/0 (40)
62993 ServFail 0/0/0 (40)
co-related with
udp port 19316 unreachable, length 78
udp port 16456 unreachable, length 78
udp port 10163 unreachable, length 81
Marian