SUSE Linux Micro 6.2

Introduction to `firewalld`

Publication Date: 24 Oct 2025

WHAT?

Learn about firewalld an important tool for securing Linux servers and services. It is the default and primary network defense mechanism on many modern distributions. The intuitive zone-based management and dynamic configuration capabilities allow for precise control over network traffic without service interruption.

WHY?

firewalld is essential because it provides a modern, dynamic and user-friendly way to manage network security on Linux systems by abstracting complex firewall rules into intuitive zones and services.

EFFORT

It takes you up to 30 minutes to read through this article.

GOAL

To effectively manage and enhance the security of a Linux system.

REQUIREMENTS

sudo or root privileges, because firewalld commands, especially those that make permanent changes to the firewall rules, require elevated privileges.
firewalld is the default firewall on many modern Linux distributions, if it is not preinstalled on your system, you need to install the firewalld package.
A basic understanding of the Linux terminal is essential.

Revision History: Introduction to firewalld

1 About `firewalld` #

firewalld is a dynamic firewall management service that provides a flexible and efficient way to control network traffic on Linux systems. It allows modifications without interrupting existing connections. The benefits of using firewalld are:

Dynamic configuration: Apply changes instantly without breaking existing connections.
User-friendly interface: Zones and services simplify complex firewall rules.
Abstraction: There is no need to directly manipulate nftables rules for common scenarios.
Persistent configuration: Easy management of rules that survive reboots.
Persistent configuration: By default, firewalld operates on a deny-all principle by blocking all incoming traffic unless explicitly allowed.

1.1 `firewalld` zones #

A firewall zone is a predefined set of rules that dictate how incoming and outgoing network traffic is handled for a specific network interface or source IP address. Each zone represents a different level of trust for the network it is associated with. You can apply different security policies based on where the network connection originates.

Zones are like security profiles. For example, you would want to apply different firewall rules for a public Wi-Fi connection and your secure home network. firewalld zones allow you to define these distinct sets of rules and apply them accordingly. A network connection is subject to the rules of only one firewalld zone. A firewalld zone can have many network interfaces or source IP addresses.

The /usr/lib/firewalld/zones/ directory stores the predefined zones. For example:

>  /usr/lib/firewalld/zones ls
block.xml  dmz.xml  docker.xml  drop.xml  external.xml  home.xml  internal.xml  nm-shared.xml  public.xml  trusted.xml  work.xml

Some of the default settings of the predefined zones are as follows:

drop

Trust level: Completely untrusted.
Behavior: All incoming network packets are dropped without any reply. Only outgoing connections initiated from the system are allowed. This provides a “stealth” mode where the system appears nonexistent to external attackers.
Use Case: Used for maximum stealth and security, completely ignoring unwanted traffic. Suitable as a strict default for a server that should never accept incoming connections.

block

Trust level: Very low.
Behavior: All incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and cmp6-adm-prohibitedi for IPv6. This informs the sender that their connection was explicitly rejected. Only outgoing connections initiated from the system are possible.
Use Case: Applied when you want to explicitly signal to senders that their connection attempts are being blocked.

public

Trust level: Untrusted or public.
Behavior: Represents public, untrusted networks where you do not trust other systems. Only selected incoming connections are accepted by default for example, SSH, DHCPv6 client, etc.
Use Case: Common default zone for interfaces connected directly to the Internet, such as your router's WAN interface. Also includes being connected to a network where you have no control over other devices.

external

Trust level: External with masquerading.
Behavior: Intended for external networks when the firewall acts as a gateway or router. Usually, NAT masquerading is enabled by default.Only selected incoming connections are accepted, under the assumption that you do not trust other systems on this network.
Use Case: Used when your Linux machine acts as a router, connecting an internal private network to the public Internet. The external interface is placed in this zone to hide internal network topology while allowing internal clients to access external resources such as the Internet.

dmz (Demilitarized Zone)

Trust level: Limited public access.
Behavior: For systems in a DMZ zone that are publicly accessible but with limited access to the internal network. Only selected incoming connections are accepted. The default usually includes SSH and other services you expose.
Use Case: Suitable for public-facing servers such as Web, mail and DNS servers. These servers are intentionally exposed to the Internet but are isolated from your internal, more trusted networks. Useful when you want to host services that need to be Internet-accessible while minimizing the risk to your core internal infrastructure.

work

Trust level: Mostly trusted (work environment).
Behavior: In a work environment, you usually trust other computers on the network. Allows selected incoming connections that are common in a work environment, such as SSH and DHCPv6 client.
Use Case: Suitable for office networks and systems on a corporate LAN.

home

Trust level: Mostly trusted (home environment).
Behavior: In a home environment, you mostly trust the other systems on the network. Allows more services than public or external zones, often including common home network services like file sharing, media servers, and printers, along with SSH and DHCPv6 client.
Use case: Best for home networks and small home office setups.

trusted

Trust level: Highest.
Behavior: All network connections are accepted without any filtering. Firewalling is not implemented for connections assigned to this zone.
Use Case: Reserved for highly trusted connections.

1.2 `firewalld` policies and rules #

firewalld policies provide a more advanced and flexible way to manage network traffic compared to traditional zones. They allow you to define rich rules that specify the source and destination of traffic, services, ports and actions such as accept, reject and drop. These policies are useful for setting up complex routing, port forwarding or creating isolated network segments within a single host.

firewalld policies leverage zones to define rule sets. They apply rules statefully and in one direction, which means you define traffic flow in one direction, and firewalld implicitly permits the return path. These policies link an ingress zone (where traffic enters) with an egress zone (where traffic exits). This defines the specific path and direction a policy's rules apply to. You can view the policies, for example:

>  /usr/lib/firewalld/policies ls
allow-host-ipv6.xml

Firewall rules let you precisely control network traffic, allowing or blocking it to protect your system from security threats. Firewall rules define certain criteria based on various attributes such as, source and destination IP addresses, ports and network interfaces. firewalld segregates firewall rules into zones and policies. Each zone in firewalld has a unique set of rules that dictates the traffic permissions for its associated network interfaces.

1.3 Services and ports #

Services are recommended when a predefined service is available. For example, instead of remembering that HTTP uses TCP port 80, you can simply add the http service. This is less error-prone and easier to manage. Use ports when a service is not predefined or when you are using a custom port for a service. You can view the active services and ports for the default zones with the following:

> sudo  firewall-cmd --list-services

> sudo  firewall-cmd --list-ports

2 Managing firewall rules and zones #

You can configure firewalld zones and their rules with the graphical Web interface Cockpit or the firewall-cmdutility for command-line control.

2.1 Managing firewall rules and zones using the `firewalld-cmd` utility #

You can use the CLI interface to manage firewalld zones.

2.1.1 Adding `firewalld` zones #

To add a new firewalld zone:

Create a new zone, for example:

> sudo firewall-cmd --permanent --new-zone=test

Set the trust level of the zone that defines the default behavior:

> sudo firewall-cmd --permanent --zone=example --set-target=trusted

Reload the firewalld service to apply the new configuration:
```
> sudo firewall-cmd --reload
```

2.1.2 Adding a service to a zone #

To add a service to a zone:

List all services to check if your service is already predefined:

> sudo firewall-cmd --get-services
      0-AD RH-Satellite-6 RH-Satellite-6-capsule afp alvr amanda-client amanda-k5-client amqp amqps anno-1602
      anno-1800 apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent civilization-iv civilization-v cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-quic dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server factorio finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera
      ganglia-client ganglia-master git gpsd grafana gre http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs
      [...]

You can add a service either temporarily for the runtime session or permanently, for example:
```
> sudo  firewall-cmd --zone=public --add-service=http
```
```
> sudo  firewall-cmd --zone=public --permanent --add-service=http
```
The --permanent flag ensures the change persists across all reboots.
Reload the firewalld service to apply the new configuration:
```
> sudo firewall-cmd --reload
```

Verify the results:

> sudo firewall-cmd --zone=public --list-services

2.1.3 Adding a port to a zone #

If your application does not have a predefined service, you can open a specific port or a range of ports.

You can either add a port temporarily for the runtime session or permanently, for example:
```
> sudo  firewall-cmd --zone=public --add-port=8080/tcp
```
```
> sudo  firewall-cmd --zone=public --permanent --add-port=8080/tcp
```
The --permanentflag ensures the change persists across all reboots.
Reload the firewalld service to apply the new configuration:
```
> sudo firewall-cmd --reload
```

Verify the results:

> sudo firewall-cmd --zone=public --list-ports

2.1.4 Deleting `firewalld` zones #

To delete a zone:

Verify the zone is not the default or in use:
```
> sudo  firewall-cmd --get-default-zone
```
If the zone is in use or default, set a different zone, for example:
```
> sudo  firewall-cmd --set-default-zone=NEW_DEFAULT_ZONE
```

Check if any network interfaces are bound to the zone:

> sudo firewall-cmd --zone=ZONE_TO_BE_DELETED --list-all

The interfaces field in the output lists all the interfaces. Theses interfaces need to be reassigned to another zone. For example:
```
> sudo firewall-cmd --zone=public --permanent --change-interface=ITERFACE_NAME
```

Delete the zone:

> sudo firewall-cmd --permanent --delete-zone=ZONE_TO_BE_DELETED

Reload the firewalld service to apply the new configuration:
```
> sudo firewall-cmd --reload
```

2.2 Managing firewall rules and zones with Cockpit #

Cockpit enables you to create new zones or update the existing ones. In the firewall settings, you can add services to a zone or allow access to ports.

Note: Cockpit service is mandatory

Do not remove the Cockpit service from the default firewall zone as the Cockpit service may get blocked, and you may get disconnected from the server.

2.2.1 Adding firewall zones #

The public zone is the default firewall zone. To add a new zone, proceed as follows:

Procedure 1: Adding new firewall zones #

Navigate to the Networking page.
Click Edit rules and zones.
Click Add new zone.
Select Trust level. Each trust level of network connections has a predefined set of included services (the Cockpit service is included in all trust levels). The description for each trust level appears in the Description section.
Define allowed addresses within the zone. Select one of the values:
- Entire subnet to allow all addresses in the subnet.
- Range—a comma-separated list of IP addresses with the routing prefix, for example, 192.0.2.0/24, 2001:db8::/32.
Click Add zone.

2.2.2 Adding allowed services and ports to a zone #

You can add services to an existing firewall zone as described below:

Procedure 2: Adding services to a firewall zone #

Navigate to the Networking page.
Click Edit rules and zones.
Click Add services.
To add a service, select Services and choose the services from the list.
To allow custom ports, select Custom ports and specify the port value for UDP and/or TCP. You can assign an identifier to this port.
To confirm the changes, click Add services or Add ports, respectively.

3 Common `firewalld` commands #

The firewall-cmd command-line tool is used to configure and manage the firewalld daemon. It is a powerful, dynamic utility that allows for the creation, modification, and deletion of firewall rules without requiring a full service restart, which prevents interruption of active network connections.

Some common firewall-cmd command examples include:

Checking if firewalld is running. The outputs are running, not running or RUNNING_BUT_FAILED. For example:
```
> sudo firewall-cmd --state
running
```

Listing all available zones, for example:

> sudo firewall-cmd --get-zones
 block dmz docker drop external home internal nm-shared public trusted work

Viewing the default zone, for example:

> sudo firewall-cmd --get-default-zone
public

Viewing the active zones and the assigned, for example:

> sudo firewall-cmd --get-active-zones
docker
interfaces: docker0
public (default)
interfaces: lo enp1s0

Viewing all rules for the default zone, for example:

> sudo firewall-cmd --list-all
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: enp1s0 lo
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.100" service name="ssh" accept

Viewing all rules for a specific zone, for example:

> sudo firewall-cmd --zone=public --list-all
public (default, active)
target: default
ingress-priority: 0
egress-priority: 0
icmp-block-inversion: no
interfaces: enp1s0 lo
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.100" service name="ssh" accept

Listing all available predefined services, for example:

> sudo firewall-cmd --get-services
  0-AD RH-Satellite-6 RH-Satellite-6-capsule afp alvr amanda-client amanda-k5-client amqp amqps anno-1602 anno-1800
  apcupsd audit ausweisapp2 bacula bacula-client bareos-director bareos-filedaemon bareos-storage bb bgp bitcoin bitcoin-rpc
  bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-exporter ceph-mon cfengine checkmk-agent civilization-iv civilization-v
  cockpit collectd condor-collector cratedb ctdb dds dds-multicast dds-unicast dhcp dhcpv6 dhcpv6-client distcc dns dns-over-quic dns-over-tls
  docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server factorio finger foreman foreman-proxy freeipa-4 freeipa-ldap
  freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre http http3 https ident imap imaps
  ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver
  kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure
  [...]

Listing the services currently allowed in the default zone, for example:
```
> sudo firewall-cmd --list-services
cockpit dhcpv6-client ssh
```

Adding a service to the default zone permanently, for example:

> sudo  firewall-cmd --permanent --add-service=http
success

Removing a service permanently, for example:

> sudo firewall-cmd --permanent --remove-service=http
success

Listing the ports currently open in the default zone, for example:
```
> sudo firewall-cmd --list-ports
22/tcp
```
Opening a specific TCP port temporarily, for example:
```
> sudo firewall-cmd --add-port=8080/tcp
success
```

Removing an open port permanently, for example:

> sudo firewall-cmd --permanent --remove-port=8080/tcp
success

Adding an interface to a specific zone temporarily, for example:

> sudo firewall-cmd --zone=trusted --add-interface=eth1 f
success

4 `firewalld` troubleshooting #

Troubleshooting firewalld involves checking its status, verifying rules, and restarting or reloading the service. If you encounter issues, you can enable debugging, examine logs and adjust firewall rules as needed.

4.1 Check `firewalld` status #

Use the systemctl status command, for example:

> sudo systemctl status  firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: active (running) since Thu 2025-07-17 09:47:36 CEST; 5min ago
Invocation: a7ea482f16d2431fa92d6204c297ebd9
Docs: man:firewalld(1)
Main PID: 921 (firewalld)
Tasks: 2
CPU: 262ms
CGroup: /system.slice/firewalld.service
        └─921 /usr/bin/python3.13 /usr/sbin/firewalld --nofork --nopid

The firewall-cmd --state command gives a quick status check with running, not running or RUNNING_BUT_FAILED outputs. For example:
```
> sudo firewall-cmd --state
running
```
If firewalld is not running, use the systemctl start firewalld command.
```
> sudo  systemctl start firewalld
```

If the firewalld service is masked, unmask it first, then enable and start it, for example:

> sudo systemctl unmask --now firewalld

> sudo systemctl enable firewalld

> sudo systemctl start firewalld

4.2 Check `firewalld` rules #

The firewall-cmd --list-all-zones command displays all zones and their rules, for example:

> sudo firewall-cmd --list-all-zones
        block
          target: %%REJECT%%
          ingress-priority: 0
          egress-priority: 0
          icmp-block-inversion: no
          interfaces:
          sources:
          services:
          ports:
          protocols:
          forward: yes
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:

        dmz
          target: default
          ingress-priority: 0
          egress-priority: 0
          icmp-block-inversion: no
          interfaces:
          sources:
          services: ssh
          ports:
          protocols:
          forward: yes
          masquerade: no
          forward-ports:
          source-ports:
          icmp-blocks:
          rich rules:

        docker (active)
          target: ACCEPT
          ingress-priority: 0
          egress-priority: 0
          icmp-block-inversion: no
          [...]

The firewall-cmd --list-ports command shows open ports,for example:
```
> sudo firewall-cmd --list-ports
22/tcp
```

The firewall-cmd --zone=YOUR_ZONE --list-all. command lists ports for specific zones, for example:

> sudo firewall-cmd --zone=dmz --list-all
                dmz
                  target: default
                  ingress-priority: 0
                  egress-priority: 0
                  icmp-block-inversion: no
                  interfaces:
                  sources:
                  services: ssh
                  ports:
                  protocols:
                  forward: yes
                  masquerade: no
                  forward-ports:
                  source-ports:
                  icmp-blocks:
                  rich rules:

4.3 Debugging `firewalld` #

Enable debugging in /etc/sysconfig/firewalld by adding --debug=[level] to FIREWALLD_ARGS, for example:

> sudo  vi /etc/sysconfig/firewalld
# firewalld command line args
# possible values: --debug
FIREWALLD_ARGS=--debug=[level]

Start firewalld with the --debugoption, for example:

> sudo firewalld --nofork --debug
2025-07-23 11:10:05 DEBUG1: start()
2025-07-23 11:10:05 DEBUG1: Loading firewalld config file '/etc/firewalld/firewalld.conf'
2025-07-23 11:10:05 DEBUG1: CleanupOnExit is set to 'True'
2025-07-23 11:10:05 DEBUG1: CleanupModulesOnExit is set to 'False'
2025-07-23 11:10:05 DEBUG1: IPv6 rpfilter is enabled
2025-07-23 11:10:05 DEBUG1: LogDenied is set to 'off'
2025-07-23 11:10:05 DEBUG1: FirewallBackend is set to 'nftables'
2025-07-23 11:10:05 DEBUG1: FlushAllOnReload is set to 'False'
2025-07-23 11:10:05 DEBUG1: RFC3964_IPv4 is set to 'True'
2025-07-23 11:10:05 DEBUG1: NftablesFlowtable is set to 'off'
2025-07-23 11:10:05 DEBUG1: NftablesCounters is set to 'False'
2025-07-23 11:10:05 DEBUG1: Loading lockdown whitelist
2025-07-23 11:10:05 ipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.
2025-07-23 11:10:05 iptables-restore and iptables are missing, IPv4 direct rules won't be usable.
2025-07-23 11:10:05 ip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.
2025-07-23 11:10:05 ebtables-restore and ebtables are missing, eb direct rules won't be usable.
2025-07-23 11:10:05 DEBUG1: Loading icmptype file '/usr/lib/firewalld/icmptypes/address-unreachable.xml'
2025-07-23 11:10:05 DEBUG1: Loading icmptype file '/usr/lib/firewalld/icmptypes/bad-header.xml'
2025-07-23 11:10:05 DEBUG1: Loading icmptype file '/usr/lib/firewalld/icmptypes/beyond-scope.xml'
2025-07-23 11:10:05 DEBUG1: Loading icmptype file '/usr/lib/firewalld/icmptypes/communication-prohibited.xml'
2025-07-23 11:10:05 DEBUG1: Loading icmptype file '/usr/lib/firewalld/icmptypes/destination-unreachable.xml'
[...]

All log files are available at /var/log/firewalld.

5 More information #

To learn more about firewalld, refer to the following resources:

6 Legal Notice #

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”.

For SUSE trademarks, see https://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors, nor the translators shall be held liable for possible errors or the consequences thereof.

Introduction to firewalld

1 About firewalld #

1.1 firewalld zones #

1.2 firewalld policies and rules #

1.3 Services and ports #

2 Managing firewall rules and zones #

2.1 Managing firewall rules and zones using the firewalld-cmd utility #

2.1.1 Adding firewalld zones #

2.1.2 Adding a service to a zone #

2.1.3 Adding a port to a zone #

2.1.4 Deleting firewalld zones #

2.2 Managing firewall rules and zones with Cockpit #

2.2.1 Adding firewall zones #

2.2.2 Adding allowed services and ports to a zone #

3 Common firewalld commands #

4 firewalld troubleshooting #

4.1 Check firewalld status #

4.2 Check firewalld rules #

4.3 Debugging firewalld #

5 More information #

6 Legal Notice #

Introduction to `firewalld`

1 About `firewalld` #

1.1 `firewalld` zones #

1.2 `firewalld` policies and rules #

2.1 Managing firewall rules and zones using the `firewalld-cmd` utility #

2.1.1 Adding `firewalld` zones #

2.1.4 Deleting `firewalld` zones #

3 Common `firewalld` commands #

4 `firewalld` troubleshooting #

4.1 Check `firewalld` status #

4.2 Check `firewalld` rules #

4.3 Debugging `firewalld` #