1. All commands need to be run as root

# su -

Or use sudo to perform the action.
$ sudo firewall-cmd {actions}

2. To control the firewalld service

# systemctl disable firewalld

# systemctl stop firewalld

# systemctl restart firewalld.service

# systemctl status firewalld

Note! When allowing or removing services and ports, always restart the firewall service afterwards!


3. Get the active zones

# firewall-cmd --get-active-zones

4. List services on that zone

# firewall-cmd --zone=public --list-all
# firewall-cmd --zone=work --list-all

Note! Any rules in the public zone will always be active, regardless of what zone is actually active.


5. Add TCP and UDP ports

# firewall-cmd --permanent --zone=public --add-port=80/tcp
# firewall-cmd --permanent --zone=public --add-port=123/udp


6. Add specific IPs or IP ranges

Get info:
# firewall-cmd --permanent --zone=work --list-sources

Add a range:
# firewall-cmd --permanent --zone=work --add-source=

Add a specific IP:
# firewall-cmd --permanent --zone=work --add-source=


7. Add specific ports or port-ranges

Add a port:
# firewall-cmd --permanent --zone=work --add-port=2812/tcp

Add a port range using tcp to the work zone:
# firewall-cmd --permanent --zone=work --add-port=1-64999/tcp

Add a port range using udp to the work zone:
# firewall-cmd --permanent --zone=work --add-port=1-64999/udp

Restart firewalld daemon to activate changes:
# systemctl restart firewalld.service
# firewall-cmd --reload

Confirm changes:
# firewall-cmd --get-active-zones
# firewall-cmd --permanent --zone=work --list-sources

# firewall-cmd --list-sources
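
Added example (not part of the original notes): entries added with --permanent are written to the stored configuration and only reach the running firewall after a reload or restart, so the two listings can differ. This script compares them for one zone. The function names pending_entries and zone_pending and the sample values are assumptions made for this example.

```shell
#!/bin/sh
# pending_entries RUNTIME PERMANENT
# Both arguments are space-separated lists as printed by
# "firewall-cmd --zone=Z --list-ports" (or --list-services / --list-sources).
# Prints "+entry" for entries only in PERMANENT (active after the next reload)
# and "-entry" for entries only in RUNTIME (gone after the next reload).
pending_entries() {
    runtime=" $1 "
    permanent=" $2 "
    out=""
    for e in $2; do
        case "$runtime" in
            *" $e "*) ;;                 # already active
            *) out="$out +$e" ;;         # stored, not yet loaded
        esac
    done
    for e in $1; do
        case "$permanent" in
            *" $e "*) ;;                 # also stored
            *) out="$out -$e" ;;         # runtime only
        esac
    done
    echo "${out# }"                      # drop the leading space
}

# zone_pending ZONE
# Runs the comparison for ports, services and sources of one zone.
# Needs root and a running firewalld; call it as: zone_pending work
zone_pending() {
    for what in ports services sources; do
        rt=$(firewall-cmd --zone="$1" "--list-$what")
        pm=$(firewall-cmd --permanent --zone="$1" "--list-$what")
        echo "$what: $(pending_entries "$rt" "$pm")"
    done
}

# Constructed sample: 80/tcp exists at runtime only, 2812/tcp was added
# with --permanent and has not been reloaded yet.
sample_runtime="80/tcp 123/udp"
sample_permanent="123/udp 2812/tcp"
pending_entries "$sample_runtime" "$sample_permanent"
```

An empty result for every category means the running firewall matches the stored configuration.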

8. Add and remove a service

# firewall-cmd --permanent --zone=public --add-service=http
# firewall-cmd --permanent --zone=public --add-service=nfs

# firewall-cmd --permanent --zone=public --remove-service=http
# firewall-cmd --permanent --zone=public --remove-service=nfs

9. Add source, then a service or port from that source

Add specific IP-source to public zone:
# firewall-cmd --permanent --zone=public --add-source=

Add service:
# firewall-cmd --permanent --zone=public --add-service=rsync

Add port to public zone:
# firewall-cmd --permanent --zone=public --add-port=5000/tcp

Add port-range to public zone:
# firewall-cmd --permanent --zone=public --add-port=10000-10005/tcp

10. Remove a source, service or port

A specific IP:
# firewall-cmd --permanent --zone=public --remove-source=

A range:
# firewall-cmd --permanent --zone=public --remove-source=

A service:
# firewall-cmd --permanent --zone=public --remove-service=rsync

A port:
# firewall-cmd --permanent --zone=public --remove-port=2812/tcp

A port range:
# firewall-cmd --permanent --zone=public --remove-port=10000-10005/tcp

11. Sources