Firewalld Made Simple: A Beginner’s Guide to Managing the Linux Firewall

 

If you’re learning Linux administration, one of the most important skills you can develop is understanding how to manage a firewall.

A firewall helps control which network traffic can reach your system and which traffic should be blocked. Whether you’re managing a personal Linux machine, a web server, or a virtual machine in a lab environment, understanding the basics of firewalld can help you secure your system with confidence.

The good news is that firewalld makes firewall management much easier than manually creating firewall rules. In this guide, we’ll walk through the most common tasks you’ll perform as a Linux administrator.

What Is Firewalld?

Firewalld is a firewall management tool used by many Linux distributions.

Think of it as a security guard standing at the entrance to your system.

When network traffic arrives, firewalld decides whether it should be allowed through or blocked.

Instead of working directly with complex firewall rules, firewalld provides simple commands that make managing access much easier.

Before making any changes, let’s first verify that firewalld is running.


Check Firewalld Status

Use the following command:

sudo systemctl status firewalld

Example output:

firewalld.service - firewalld 
Loaded: loaded
Active: active (running)

The most important line is:

Active: active (running)

If you see this, firewalld is currently running and protecting your system.

Why This Matters

When troubleshooting connectivity issues, checking the firewall status is often one of the first things a system administrator does.

If the firewall service isn’t running, your system may not be protected as expected.


Start Firewalld

If firewalld isn’t running, start it with:

sudo systemctl start firewalld

Then verify it started correctly:

sudo systemctl status firewalld

This starts the service immediately, but it won’t automatically start after a reboot unless you enable it.


Enable Firewalld at Boot

To make sure firewalld starts automatically whenever the system boots:

sudo systemctl enable firewalld

Example output:

Created symlink...

Why This Matters

Most servers run continuously and may occasionally reboot after updates or maintenance.

Enabling firewalld ensures your firewall protection is automatically restored after every restart.


View Active Firewall Rules

To see the current firewall configuration:

sudo firewall-cmd --list-all

Example output:

public (active) 
target: default
services: cockpit dhcpv6-client ssh
ports:

Notice the services section:

ssh

This indicates that SSH traffic is currently allowed through the firewall.

Why This Matters

If users cannot connect to a service, this command is often one of the first places to look.


View Allowed Services

To display only the currently allowed services:

sudo firewall-cmd --list-services

Example output:

cockpit dhcpv6-client ssh

This provides a quick overview of what services are currently accessible through the firewall.


Allow SSH Access

SSH is commonly used to remotely manage Linux servers.

To allow SSH access:

sudo firewall-cmd --permanent --add-service=ssh

Example output:

success

Reload the firewall:

sudo firewall-cmd --reload

Verify the change:

sudo firewall-cmd --list-services

Understanding –permanent

The --permanent option saves the rule across reboots.

Without it, the rule disappears after restarting firewalld.

Real World Example

Before managing a server remotely, administrators ensure SSH is allowed. Otherwise, they risk locking themselves out of the system.


Allow Web Traffic (HTTP)

If you’re hosting a website, you’ll need to allow HTTP traffic.

Add HTTP:

sudo firewall-cmd --permanent --add-service=http

Reload the firewall:

sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-services

Example output:

cockpit dhcpv6-client ssh http

Visitors can now access websites running on the server.


Allow Secure Web Traffic (HTTPS)

Most modern websites use HTTPS encryption.

Allow HTTPS traffic:

sudo firewall-cmd --permanent --add-service=https

Reload:

sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-services

Example output:

cockpit dhcpv6-client ssh http https

Why This Matters

Without HTTPS access, users cannot securely connect to your website.


Open a Specific Port

Some applications use custom ports rather than predefined services.

For example, an application may listen on port 8080.

Open the port:

sudo firewall-cmd --permanent --add-port=8080/tcp

Reload:

sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-ports

Example output:

8080/tcp

Real World Example

Internal business applications often use custom ports. Opening the correct port is required before users can access the application.


Remove an Open Port

When an application is no longer in use, it’s a good idea to close any unnecessary ports.

Remove the port:

sudo firewall-cmd --permanent --remove-port=8080/tcp

Reload:

sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-ports

If no output appears, the port has been successfully removed.


Remove a Service

To remove HTTP access:

sudo firewall-cmd --permanent --remove-service=http

Reload:

sudo firewall-cmd --reload

Verify:

sudo firewall-cmd --list-services

Why This Matters

Removing services that are no longer needed reduces your system’s attack surface.


View Available Services

If you’re unsure of the exact service name, use:

sudo firewall-cmd --get-services

Example output:

ssh 
http
https
dns
smtp
imap
mysql
postgresql

These predefined services make firewall management easier because you don’t need to memorize port numbers.


View the Active Zone

To see the active firewall zone:

sudo firewall-cmd --get-active-zones

Example output:

public 
interfaces: ens33

A zone is simply a collection of firewall rules.

Most beginner systems use the public zone, which is perfectly fine when you’re getting started.


Common Beginner Mistakes

Forgetting to Reload

Many new users add a firewall rule but forget to reload the configuration.

For example:

sudo firewall-cmd --permanent --add-service=http

Must be followed by:

sudo firewall-cmd --reload

Otherwise, the rule won’t become active.

Forgetting –permanent

Without the --permanent option, your changes disappear after restarting firewalld.

Opening the Wrong Port

Before opening a port, verify which port your application is actually using.

A helpful command is:

ss -tulnp

This displays listening services and their associated ports.


Practical Example: Troubleshooting a Web Server

Imagine you’ve deployed a web application.

The server is running.

The application is installed.

Everything appears healthy.

However, users cannot access the website.

You check the firewall:

sudo firewall-cmd --list-services

Output:

ssh

You immediately notice that HTTP is missing.

Add HTTP:

sudo firewall-cmd --permanent --add-service=http

Reload:

sudo firewall-cmd --reload

Users can now access the application.

This is one of the most common firewall-related troubleshooting scenarios in day-to-day Linux administration.


Where to Go Next

Once you’re comfortable allowing services and opening ports, the next topic to explore is zones.

Zones allow you to apply different firewall policies depending on the network environment.

For example:

  • Home network

  • Office network

  • Public WiFi

You don’t need to learn zones immediately, but they are the logical next step as your Linux skills grow.


Conclusion

Firewalld provides a straightforward way to manage firewall rules on Linux systems.

By learning how to:

  • Check firewall status

  • Start and enable firewalld

  • View rules

  • Allow services

  • Open ports

  • Remove unused access

  • Troubleshoot common issues

you’ll be able to handle most everyday firewall management tasks with confidence.

Like most Linux skills, the key is repetition. Practice these commands in a lab environment a few times, and they’ll quickly become part of your normal workflow.