firewall-cmd Command Generator
Generate firewall-cmd commands to configure firewalld zones, services, and ports (RHEL/CentOS/Fedora)
Getting Started with firewall-cmd
## What is firewall-cmd?
`firewall-cmd` is the command-line client for `firewalld`, the dynamic firewall manager used on RHEL, CentOS, Fedora, and other Red Hat-family distributions. It groups rules into **zones** (e.g. `public`, `home`, `dmz`) and applies changes either immediately (runtime) or persistently with `--permanent`.
## How to Use
1. **Pick an action**: `add-service`, `add-port`, `remove-service`, `remove-port`, `list-all`, `reload`, or `permanent-query`.
2. **Set values**: For service/port actions, fill the `service` (e.g. `http`) or `port` (e.g. `80/tcp`) field.
3. **Choose a zone** (optional): defaults to the default zone (usually `public`).
4. **Make it permanent**: Tick `--permanent` to survive reboots, then run `reload`.
5. **Copy & Run**: Prefix with `sudo`.
Common Actions & Options
### `--add-service=NAME` / `--remove-service=NAME`
Open or close a named service defined in `/usr/lib/firewalld/services` (e.g. `http`, `https`, `ssh`). The service knows its protocol and port.
### `--add-port=PORT/PROTO` / `--remove-port=PORT/PROTO`
Open or close an arbitrary port, e.g. `8080/tcp`. Use this when no service definition exists.
### `--list-all`
Print everything active in a zone: services, ports, sources, interfaces, and the default target.
### `--reload`
Reload the permanent configuration into the runtime — run this after `--permanent` changes so they take effect immediately.
### `--zone=NAME`
Target a specific zone (`public`, `home`, `internal`, `dmz`, `block`, `trusted`). Without it, firewalld uses the default zone.
### `--permanent`
Write the change to disk so it survives reboot. Changes without `--permanent` are runtime-only and lost on reload or restart. Best practice: apply the rule twice — once with `--permanent` and once without — or use `--permanent` then `--reload`.
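Because runtime and permanent configuration are stored separately, a zone can hold rules that are active now but will disappear on reload, or rules that are saved but not yet enforced. The script below is an added example, not part of the original page or of firewalld: it reports both kinds of drift for services and ports. The function names are hypothetical, and the fallback lists are constructed sample values used only when firewalld is not running.

```shell
#!/bin/sh
# Report drift between firewalld's runtime and permanent configuration.

# only_in A B: print each item of space-separated list A that is absent from B.
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                  # present in both lists
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# drift_report RUNTIME PERMANENT: print one line per mismatch.
drift_report() {
    for i in $(only_in "$1" "$2"); do
        echo "runtime-only (lost on reload or restart): $i"
    done
    for i in $(only_in "$2" "$1"); do
        echo "permanent-only (not active until --reload): $i"
    done
}

# audit_zone ZONE: compare the live and on-disk views of one zone.
audit_zone() {
    zone=$1
    for what in services ports; do
        rt=$(firewall-cmd --zone="$zone" --list-"$what")
        pm=$(firewall-cmd --permanent --zone="$zone" --list-"$what")
        drift_report "$rt" "$pm"
    done
}

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    # Audit the zone given as the first argument, or the default zone.
    audit_zone "${1:-$(firewall-cmd --get-default-zone)}"
else
    # Constructed sample: 8080/tcp was opened without --permanent,
    # https was added with --permanent but no --reload followed.
    drift_report "ssh http 8080/tcp" "ssh http https"
fi
```

Empty output means the two views agree; run it with `sudo` on a host where firewalld is active.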