If you’re learning Linux administration, one of the most important skills you can develop is understanding how to manage a firewall.
A firewall helps control which network traffic can reach your system and which traffic should be blocked. Whether you’re managing a personal Linux machine, a web server, or a virtual machine in a lab environment, understanding the basics of firewalld can help you secure your system with confidence.
The good news is that firewalld makes firewall management much easier than manually creating firewall rules. In this guide, we’ll walk through the most common tasks you’ll perform as a Linux administrator.
What Is Firewalld?
Firewalld is a firewall management tool used by many Linux distributions.
Think of it as a security guard standing at the entrance to your system.
When network traffic arrives, firewalld decides whether it should be allowed through or blocked.
Instead of working directly with complex firewall rules, firewalld provides simple commands that make managing access much easier.
Before making any changes, let’s first verify that firewalld is running.
Check Firewalld Status
Use the following command:
sudo systemctl status firewalld
Example output:
●firewalld.service - firewalldLoaded: loadedActive: active (running)
The most important line is:
Active: active (running)
If you see this, firewalld is currently running and protecting your system.
Why This Matters
When troubleshooting connectivity issues, checking the firewall status is often one of the first things a system administrator does.
If the firewall service isn’t running, your system may not be protected as expected.
Start Firewalld
If firewalld isn’t running, start it with:
sudo systemctl start firewalld
Then verify it started correctly:
sudo systemctl status firewalld
This starts the service immediately, but it won’t automatically start after a reboot unless you enable it.
Enable Firewalld at Boot
To make sure firewalld starts automatically whenever the system boots:
sudo systemctl enable firewalld
Example output:
Created symlink...
Why This Matters
Most servers run continuously and may occasionally reboot after updates or maintenance.
Enabling firewalld ensures your firewall protection is automatically restored after every restart.
View Active Firewall Rules
To see the current firewall configuration:
sudo firewall-cmd --list-all
Example output:
public (active)target: defaultservices: cockpit dhcpv6-client sshports:
Notice the services section:
ssh
This indicates that SSH traffic is currently allowed through the firewall.
Why This Matters
If users cannot connect to a service, this command is often one of the first places to look.
View Allowed Services
To display only the currently allowed services:
sudo firewall-cmd --list-services
Example output:
cockpit dhcpv6-client ssh
This provides a quick overview of what services are currently accessible through the firewall.
Allow SSH Access
SSH is commonly used to remotely manage Linux servers.
To allow SSH access:
sudo firewall-cmd --permanent --add-service=ssh
Example output:
success
Reload the firewall:
sudo firewall-cmd --reload
Verify the change:
sudo firewall-cmd --list-services
Understanding –permanent
The --permanent option saves the rule across reboots.
Without it, the rule disappears after restarting firewalld.
Real World Example
Before managing a server remotely, administrators ensure SSH is allowed. Otherwise, they risk locking themselves out of the system.
Allow Web Traffic (HTTP)
If you’re hosting a website, you’ll need to allow HTTP traffic.
Add HTTP:
sudo firewall-cmd --permanent --add-service=http
Reload the firewall:
sudo firewall-cmd --reload
Verify:
sudo firewall-cmd --list-services
Example output:
cockpit dhcpv6-client ssh http
Visitors can now access websites running on the server.
Allow Secure Web Traffic (HTTPS)
Most modern websites use HTTPS encryption.
Allow HTTPS traffic:
sudo firewall-cmd --permanent --add-service=https
Reload:
sudo firewall-cmd --reload
Verify:
sudo firewall-cmd --list-services
Example output:
cockpit dhcpv6-client ssh http https
Why This Matters
Without HTTPS access, users cannot securely connect to your website.
Open a Specific Port
Some applications use custom ports rather than predefined services.
For example, an application may listen on port 8080.
Open the port:
sudo firewall-cmd --permanent --add-port=8080/tcp
Reload:
sudo firewall-cmd --reload
Verify:
sudo firewall-cmd --list-ports
Example output:
8080/tcp
Real World Example
Internal business applications often use custom ports. Opening the correct port is required before users can access the application.
Remove an Open Port
When an application is no longer in use, it’s a good idea to close any unnecessary ports.
Remove the port:
sudo firewall-cmd --permanent --remove-port=8080/tcp
Reload:
sudo firewall-cmd --reload
Verify:
sudo firewall-cmd --list-ports
If no output appears, the port has been successfully removed.
Remove a Service
To remove HTTP access:
sudo firewall-cmd --permanent --remove-service=http
Reload:
sudo firewall-cmd --reload
Verify:
sudo firewall-cmd --list-services
Why This Matters
Removing services that are no longer needed reduces your system’s attack surface.
View Available Services
If you’re unsure of the exact service name, use:
sudo firewall-cmd --get-services
Example output:
sshhttphttpsdnssmtpimapmysqlpostgresql
These predefined services make firewall management easier because you don’t need to memorize port numbers.
View the Active Zone
To see the active firewall zone:
sudo firewall-cmd --get-active-zones
Example output:
publicinterfaces: ens33
A zone is simply a collection of firewall rules.
Most beginner systems use the public zone, which is perfectly fine when you’re getting started.
Common Beginner Mistakes
Forgetting to Reload
Many new users add a firewall rule but forget to reload the configuration.
For example:
sudo firewall-cmd --permanent --add-service=http
Must be followed by:
sudo firewall-cmd --reload
Otherwise, the rule won’t become active.
Forgetting –permanent
Without the --permanent option, your changes disappear after restarting firewalld.
Opening the Wrong Port
Before opening a port, verify which port your application is actually using.
A helpful command is:
ss -tulnp
This displays listening services and their associated ports.
Practical Example: Troubleshooting a Web Server
Imagine you’ve deployed a web application.
The server is running.
The application is installed.
Everything appears healthy.
However, users cannot access the website.
You check the firewall:
sudo firewall-cmd --list-services
Output:
ssh
You immediately notice that HTTP is missing.
Add HTTP:
sudo firewall-cmd --permanent --add-service=http
Reload:
sudo firewall-cmd --reload
Users can now access the application.
This is one of the most common firewall-related troubleshooting scenarios in day-to-day Linux administration.
Where to Go Next
Once you’re comfortable allowing services and opening ports, the next topic to explore is zones.
Zones allow you to apply different firewall policies depending on the network environment.
For example:
-
Home network
-
Office network
-
Public WiFi
You don’t need to learn zones immediately, but they are the logical next step as your Linux skills grow.
Conclusion
Firewalld provides a straightforward way to manage firewall rules on Linux systems.
By learning how to:
-
Check firewall status
-
Start and enable firewalld
-
View rules
-
Allow services
-
Open ports
-
Remove unused access
-
Troubleshoot common issues
you’ll be able to handle most everyday firewall management tasks with confidence.
Like most Linux skills, the key is repetition. Practice these commands in a lab environment a few times, and they’ll quickly become part of your normal workflow.