Control the system firewall from the command line with `firewall-cmd` and learn practical runtime and permanent rules.

04.06.2026 | reading time: 2 min

Want fast, runtime firewall changes that survive reboots when needed? `firewall-cmd` is the command-line interface to firewalld, the dynamic firewall daemon used on RHEL, CentOS, Fedora and compatibles. It lets the administrator add services, open ports, switch zones, and push both temporary and permanent rules without rebooting.

Practical scenario: allow HTTP now and persist it

Follow these commands to open HTTP on the active public zone now and make it persistent, then verify the zone. The example shows the typical responses and the final listing:

```bash
sudo firewall-cmd --zone=public --add-service=http
success
sudo firewall-cmd --zone=public --add-service=http --permanent
success
sudo firewall-cmd --reload
success
sudo firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client http ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

Advanced levers you will use

Use zones to group interfaces and sources with `--zone=`. Prefer `--permanent` for rules that must survive a reload and omit it for runtime testing, and remember that `--reload` applies permanent changes and drops runtime-only ones. Explore `--add-rich-rule` for complex conditions, `--add-forward-port` for NAT, and the `--query-*` options (for example `--query-service`) or `--list-all` to audit current state.

When firewall-cmd meets other tools

firewalld sits above the packet-filtering backends, so you will encounter `nftables` or legacy `iptables` rules on the same host. Use `firewall-config` for a GUI, `nmcli` to manage network interfaces tied to zones, and `ss` or `tcpdump` to validate that the port is actually reachable from the network.
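
An added example, not part of the original article: a POSIX shell audit that compares the runtime and permanent configuration of a zone, which is the gap the `--permanent` and `--reload` advice is about. The function names are hypothetical, and it assumes `--list-services` and `--list-ports` print space-separated lists, as in the `--list-all` output shown on this page.

```shell
#!/bin/sh
# Audit drift between firewalld's runtime and permanent configuration.
# Function names are illustrative, not part of firewalld.

# Print the items of space-separated list $1 that are absent from list $2.
only_in() {
    out=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                      # present in both lists
            *) out="${out:+$out }$item" ;;       # only in the first list
        esac
    done
    printf '%s' "$out"
}

# Args: label, runtime list, permanent list. Returns 1 if the lists differ.
report_drift() {
    runtime_only=$(only_in "$2" "$3")
    permanent_only=$(only_in "$3" "$2")
    [ -z "$runtime_only" ] ||
        echo "$1 runtime-only (lost on --reload or reboot): $runtime_only"
    [ -z "$permanent_only" ] ||
        echo "$1 permanent-only (inactive until --reload): $permanent_only"
    [ -z "$runtime_only$permanent_only" ]
}

# Arg: zone name. Queries firewalld for services and ports in both views.
audit_zone() {
    zone=$1
    rc=0
    for kind in services ports; do
        runtime=$(firewall-cmd --zone="$zone" --list-"$kind")
        permanent=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
        report_drift "$kind" "$runtime" "$permanent" || rc=1
    done
    return $rc
}

# Run only when a zone is given, e.g.: sudo sh audit.sh public
if [ $# -gt 0 ]; then
    audit_zone "$1"
fi
```

A non-zero exit status means the zone would change on the next reload or reboot, which makes the script usable as a check in configuration-management or monitoring jobs.
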
Next steps and certification pathway

Practice real scenarios: block a subnet, apply rich rules, and automate rules in scripts. Mastering `firewall-cmd` makes system hardening faster and less error-prone, and those skills pay off when preparing for certifications such as CompTIA Linux+ or LPIC-1. Consider intense exam preparation at bitsandbytes.academy to consolidate command-line proficiency.