firewalld is the default firewall on Fedora, Server and Workstation alike. It abstracts nftables (and iptables on older releases) behind a zone model that maps cleanly onto the way real networks work: one interface or source belongs to one zone, and each zone has its own list of allowed services, ports, rich rules, and forwarding policy. Once you understand zones, services, and rich rules, every other firewalld setting is a footnote.<\/p>\n\n\n\n
This guide walks the practical firewalld workflow on Fedora: confirming the service is running, picking the right default zone, opening services and ports, writing rich rules for source filtering and rate limiting, and using the firewall-config GUI for a faster visual audit. Every command was executed on a real Fedora install; the output you see in the screenshots is what your terminal will show.<\/p>\n\n\n\n
Tested May 2026<\/strong> on Fedora 44 (kernel 7.0.9-202.fc44, firewalld 2.4.0, nftables 1.1.4). Package availability and firewall-cmd syntax parity verified on Fedora 43 (firewalld 2.3.2) and Fedora 42 (firewalld 2.3.2).<\/em><\/p>\n\n\n\n<\/figure>\n\n\n\n
Confirm firewalld is running<\/h2>\n\n\n\n
Fedora installs and enables firewalld by default. Verify in one shot:<\/p>\n\n\n\n
If you previously ran iptables-services or nftables.service directly, disable them. firewalld is the single source of truth on Fedora and conflicts with manually loaded rules.<\/p>\n\n\n\n
Zones: the firewalld model in one paragraph<\/h2>\n\n\n\n
A zone is a named profile that defines what the firewall does with traffic arriving on an interface or from a source address. Recent Fedora releases ship fifteen built-in zones. The ones you actually use:<\/p>\n\n\n\n
\n
public<\/strong>: default on most Fedora systems. Allows ssh, dhcpv6-client, mdns. Everything else is dropped.<\/li>\n
FedoraServer<\/strong>: default on Fedora Server. Same as public minus mdns, plus cockpit.<\/li>\n
FedoraWorkstation<\/strong>: default on Fedora Workstation. Adds samba-client and KDE Connect range to public.<\/li>\n
trusted<\/strong>: allows everything. Useful for a private VLAN, dangerous on a real interface.<\/li>\n
drop<\/strong>: drops every inbound packet without a reply. Use during incident response.<\/li>\n
block<\/strong>: rejects inbound (sends ICMP unreachable) instead of dropping silently.<\/li>\n
internal<\/strong>, home<\/strong>, work<\/strong>: pre-defined “less restrictive than public” profiles for LAN-trusted contexts.<\/li>\n
dmz<\/strong>: only inbound SSH is allowed; suitable for an exposed bastion.<\/li>\n
external<\/strong>: masquerading is on. Use this on the outbound interface of a router.<\/li>\n
libvirt<\/strong> and libvirt-routed<\/strong>: managed automatically by libvirt for the default virtual network.<\/li>\n
nm-shared<\/strong>: created automatically by NetworkManager when sharing a connection.<\/li>\n<\/ul>\n\n\n\n
Get the current state with three commands:<\/p>\n\n\n\n
On a fresh Workstation install you will see public<\/code> as the default with eth0<\/code> (or whatever NIC name NetworkManager assigned) bound to it. To change the default zone for unbound interfaces:<\/p>\n\n\n\n
Recent Fedora releases ship definitions for nearly 200 services. Use them whenever they exist: they survive port changes upstream and the names are self-documenting in audits. To open HTTP, HTTPS, and Cockpit in the default zone:<\/p>\n\n\n\n
The golden rule: every persistent change uses --permanent<\/code> and is followed by --reload<\/code>. Without --permanent<\/code> the rule is only in the runtime config and disappears on the next restart. The two configurations are intentional: it lets you experiment without writing changes to disk.<\/p>\n\n\n\n
Define a custom service<\/h2>\n\n\n\n
If you frequently open the same set of ports across machines, write a service file once. Save the following as \/etc\/firewalld\/services\/myapp.xml<\/code>:<\/p>\n\n\n\n
<?xml version=\"1.0\" encoding=\"utf-8\"?>\n<service>\n <short>myapp<\/short>\n <description>Custom app on tcp\/8080 and udp\/8081<\/description>\n <port protocol=\"tcp\" port=\"8080\"\/>\n <port protocol=\"udp\" port=\"8081\"\/>\n<\/service><\/code><\/pre>\n\n\n\n
Then reload and use it like any built-in service:<\/p>\n\n\n\n
Rich rules: source filtering, rate limits, and logging<\/h2>\n\n\n\n
Rich rules are firewalld’s expressive layer. They can combine source address, destination, service or port, action, log, and audit, in one rule. The pattern looks dense at first but reads cleanly once you parse it.<\/p>\n\n\n\n
Restrict SSH to one subnet, and rate-limit-and-log every other SSH attempt:<\/p>\n\n\n\n
The output of the commands is shown above.<\/p>\n\n\n\n\n<\/figure>\n\n\n\n
The log entries land in \/var\/log\/messages<\/code> on Fedora, with the prefix you set, so a quick sudo journalctl -k -g ssh-deny<\/code> shows attempted breakins.<\/p>\n\n\n\n
Block an entire country code by combining a CIDR list with rich rules. For example, drop everything from a specific malicious \/24:<\/p>\n\n\n\n
For larger sets, IP sets via --new-ipset<\/code> are dramatically faster than dozens of rich rules. Modern firewalld on Fedora supports both nftables-native and legacy ipset back ends.<\/p>\n\n\n\n
firewall-config: the GUI for visual audits<\/h2>\n\n\n\n
firewall-config is the desktop counterpart to firewall-cmd. It shows every zone, every service binding, and every rich rule in one window, and is by far the fastest way to review a complicated configuration. Install it on a Workstation:<\/p>\n\n\n\n
The header tabs separate Runtime from Permanent. Switch to Permanent<\/strong> first, edit, then Options: Reload Firewalld<\/strong> to apply. Otherwise your changes only land in runtime and disappear on next restart, mirroring the CLI semantics.<\/p>\n\n\n\n
Use the GUI for two things in particular:<\/p>\n\n\n\n
\n
Rich rule visualization<\/strong>. Each rich rule renders as a row with source, service, action, log columns. Far easier than parsing the XML by hand.<\/li>\n
Service definitions<\/strong>. The Services tab lists every service Fedora ships and lets you edit ports without writing XML.<\/li>\n<\/ul>\n\n\n\n
Common Fedora hardening patterns<\/h2>\n\n\n\n
Three short recipes that cover most servers:<\/p>\n\n\n\n
The external<\/code> zone has masquerading enabled by default in its template, so a separate --add-masquerade<\/code> only matters when you want to enable it on a non-external zone.<\/p>\n\n\n\n
Panic mode and emergencies<\/h2>\n\n\n\n
If you suspect a compromise and want to immediately stop accepting any traffic:<\/p>\n\n\n\n
Panic mode drops every packet in and out of the host (including DNS) until you turn it off. If you panic-on over SSH you will lose your session, so use it only from the console or from another machine that already has an established connection.<\/p>\n\n\n\n
Inspect the underlying nftables<\/h2>\n\n\n\n
firewalld is a high-level layer over nftables. If you want to see what the kernel actually has loaded:<\/p>\n\n\n\n
sudo nft list ruleset | head -50\nsudo nft list table inet firewalld | head -30<\/code><\/pre>\n\n\n\n
That is the source of truth. Never edit those rules directly: firewalld will overwrite them on the next reload. Use this view to verify that your high-level firewall-cmd changes resulted in the rules you expected, and to debug “I added a rule but the port is still closed” situations.<\/p>\n\n\n\n
![\"firewall-config](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-fedora-44-firewall-config-services.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"firewalld](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-firewalld-status-fedora-44.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"firewall-cmd](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-firewalld-zones-services-fedora-44.png\" "\\"\\"")
<\/figure>\n\n\n\n![\"firewall-cmd](\"https:\/\/computingforgeeks.com\/wp-content\/uploads\/2026\/05\/wm-firewalld-rich-rules-fedora-44.png\" "\\"\\"")
<\/figure>\n\n\n\n