firewalld Cheat Sheet
Copy-friendly firewall-cmd commands for checking status, listing zones, allowing services, opening ports, saving permanent rules and troubleshooting Linux firewall issues.
Status checks
Check service status
systemctl status firewalld
Check firewalld state
firewall-cmd --state
Start and enable
sudo systemctl enable --now firewalld
Reload rules
sudo firewall-cmd --reload

Zones
Default zone
firewall-cmd --get-default-zone
Active zones
firewall-cmd --get-active-zones
List current zone
firewall-cmd --list-all
List a specific zone
firewall-cmd --zone=public --list-all
Set default zone
sudo firewall-cmd --set-default-zone=public
List all zones
firewall-cmd --get-zones

Services
List allowed services
firewall-cmd --list-services
List known services
firewall-cmd --get-services
Allow HTTP
sudo firewall-cmd --add-service=http
Allow HTTPS
sudo firewall-cmd --add-service=https
Allow SSH permanently
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
Remove service
sudo firewall-cmd --remove-service=http

Ports
List open ports
firewall-cmd --list-ports
Open TCP port
sudo firewall-cmd --add-port=8080/tcp
Open UDP port
sudo firewall-cmd --add-port=5353/udp
Open port range
sudo firewall-cmd --add-port=3000-3010/tcp
Open port permanently
sudo firewall-cmd --permanent --add-port=8443/tcp
sudo firewall-cmd --reload
Remove port
sudo firewall-cmd --remove-port=8080/tcp

Runtime vs permanent
Temporary rule
sudo firewall-cmd --add-service=https
Applies now, but may disappear after reload or reboot.
Permanent rule
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Save tested runtime rules
sudo firewall-cmd --runtime-to-permanent
Reload permanent config
sudo firewall-cmd --reload

Remove rules
Remove service now
sudo firewall-cmd --remove-service=https
Remove service permanently
sudo firewall-cmd --permanent --remove-service=https
sudo firewall-cmd --reload
Remove port now
sudo firewall-cmd --remove-port=8080/tcp
Remove port permanently
sudo firewall-cmd --permanent --remove-port=8080/tcp
sudo firewall-cmd --reload

Rich rules
List rich rules
firewall-cmd --list-rich-rules
Allow SSH from one IP
sudo firewall-cmd --add-rich-rule='rule family="ipv4" source address="203.0.113.10" service name="ssh" accept'
Permanent rich rule
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.10" service name="ssh" accept'
sudo firewall-cmd --reload
Remove rich rule
sudo firewall-cmd --remove-rich-rule='rule family="ipv4" source address="203.0.113.10" service name="ssh" accept'

Troubleshooting commands
Show firewall config
firewall-cmd --list-all
Check active zones
firewall-cmd --get-active-zones
Check listening ports
ss -tulpn
Check service logs
journalctl -u firewalld -n 100 --no-pager
Check application status
systemctl status nginx
Test web response
curl -I https://example.com

Common examples
Allow web traffic
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
Allow custom app port
sudo firewall-cmd --permanent --add-port=8080/tcp
sudo firewall-cmd --reload
Check before opening a port
ss -tulpn | grep ':8080'
View full public zone
firewall-cmd --zone=public --list-all

Safe firewalld rule workflow
# Check active zones
firewall-cmd --get-active-zones
# List current zone rules
firewall-cmd --list-all
# Permanently allow HTTPS
firewall-cmd --permanent --add-service=https
# Reload and confirm
firewall-cmd --reload
firewall-cmd --list-services
Be careful when changing SSH access remotely. Confirm your current access path before reloading firewall rules.
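Pre-reload check (added example, not part of the original cheat sheet): POSIX shell functions that take the space-separated lists printed by firewall-cmd --list-services and firewall-cmd --permanent --list-services (or the matching --list-ports pair) and report what a reload would drop or add, tying together the runtime vs permanent distinction and the SSH caution above. The function names are hypothetical, and the SSH check assumes sshd listens on 22/tcp and does not inspect rich rules or port ranges.

```sh
#!/bin/sh
# Added example: predict what `firewall-cmd --reload` will change.
# Function names are hypothetical; they work on plain strings so the
# logic can be tried without touching a live firewall.

# only_in A B: print each item of list A that is absent from list B.
only_in() {
    have=" $(printf '%s ' $2)"        # normalise whitespace: " a b c "
    for item in $1; do
        case "$have" in
            *" $item "*) ;;           # present in both lists
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# reload_drift RUNTIME PERMANENT
#   "drop X": X is runtime-only and is lost on reload or reboot.
#   "add X":  X is permanent-only and becomes active on reload.
reload_drift() {
    only_in "$1" "$2" | sed 's/^/drop /'
    only_in "$2" "$1" | sed 's/^/add /'
}

# ssh_survives_reload PERM_SERVICES PERM_PORTS
# Returns 0 if the permanent config allows the ssh service or 22/tcp.
# Assumption: sshd is on port 22; rich rules and ranges are not checked.
ssh_survives_reload() {
    case " $(printf '%s ' $1)" in *" ssh "*) return 0 ;; esac
    case " $(printf '%s ' $2)" in *" 22/tcp "*) return 0 ;; esac
    return 1
}

# check_live: run the checks against the default zone of this host.
check_live() {
    perm_svc=$(firewall-cmd --permanent --list-services)
    perm_ports=$(firewall-cmd --permanent --list-ports)
    reload_drift "$(firewall-cmd --list-services)" "$perm_svc"
    reload_drift "$(firewall-cmd --list-ports)" "$perm_ports"
    ssh_survives_reload "$perm_svc" "$perm_ports" ||
        echo "WARNING: permanent config does not allow SSH; reload may cut remote access"
}
```

Source the file and run check_live before sudo firewall-cmd --reload; any "drop" line is a rule that exists only at runtime.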
Frequently Asked Questions
What is a firewalld zone?
A zone is a trust level that controls which services and ports are allowed.
What does --permanent do?
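It saves the rule to the permanent configuration so it persists after reloads and reboots. The rule does not take effect in the running firewall until you reload.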
Do I need to reload firewalld?
Yes, after permanent changes you generally run firewall-cmd --reload.
How do I list open services?
Use firewall-cmd --list-services.