Firewalld
Firewalld uses nftables as its backend by default (since firewalld 0.6; the FirewallBackend setting in /etc/firewalld/firewalld.conf can switch it back to iptables). Every firewall-cmd change is made either to the runtime configuration (active immediately, lost on reload or reboot) or, with --permanent, to the on-disk configuration (only active after a reload).
Useful Commands
Reload the firewall. This loads the permanent configuration (everything added with --permanent) into the running firewall; note that it also discards any runtime-only changes, i.e. rules that were added without --permanent:
firewall-cmd --reload
Get a list of commands to be used with firewall-cmd:
firewall-cmd --help
List all zones:
firewall-cmd --get-zones
List active zones and their NICs:
firewall-cmd --get-active-zones
Show the default zone:
firewall-cmd --get-default-zone
Show the services firewalld knows about:
firewall-cmd --get-services
List all rules for the public zone:
firewall-cmd --zone=public --list-all
Permit HTTP and HTTPS through the firewall (permanent configuration; run firewall-cmd --reload afterwards, or repeat the commands without --permanent, to open the ports now):
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
Permit access on port 3306/tcp from any source (prefer the per-IP rich rules below when only known hosts need to reach the service):
firewall-cmd --permanent --zone=public --add-port=3306/tcp
Permit access to all TCP ports for a single IP. The rich rule contains double quotes of its own, so the whole rule must be wrapped in single quotes (with double quotes on the outside, as often shown, the shell strips the inner ones and firewall-cmd rejects the rule):
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.20.4.55" protocol value="tcp" accept'
Permit access to a single port for a single IP:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.20.4.55" port protocol="tcp" port="3306" accept'
Block a specific IP address (reject sends an ICMP unreachable back to the sender; use drop instead of reject to discard the packets silently). Without --zone the rule is added to the default zone:
firewall-cmd --add-rich-rule='rule family=ipv4 source address=192.168.13.110 reject' --permanent
Unblock a specific IP address:
firewall-cmd --remove-rich-rule='rule family=ipv4 source address=192.168.13.110 reject' --permanent
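The commands above change either the permanent configuration (with --permanent, active only after a reload) or the runtime configuration (without it, lost on reload). The following script is an added example, not part of firewalld or of this page's original command list: it builds a rich rule with correct quoting, applies it to both configurations, and then asks firewalld whether the runtime rule is present. The function names, the public zone and the addresses are assumptions chosen for illustration. It only calls firewall-cmd when FW_APPLY=1 is set in the environment; otherwise it prints what it would run, so it can be read and tried on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not part of firewalld: apply a firewalld rich rule to both the
# runtime and the permanent configuration, with the rule quoted correctly.
# Set FW_APPLY=1 to really run firewall-cmd; by default the script only prints
# the commands it would run (dry-run).

# Run firewall-cmd with the given arguments, or print them in dry-run mode.
fw() {
    if [ "${FW_APPLY:-0}" = 1 ]; then
        firewall-cmd "$@"
    else
        echo "dry-run: firewall-cmd $*"
    fi
}

# rich_rule ADDRESS [PORT [PROTOCOL]]
# Print a rich rule accepting traffic from ADDRESS. With PORT (a number or a
# range such as 5000-5100), only that port is allowed; without it, every port
# of PROTOCOL (default tcp) is. The address family is taken from the address
# syntax: a colon means IPv6. printf keeps the inner double quotes intact,
# which is the usual mistake when the whole rule is wrapped in double quotes.
rich_rule() {
    addr=$1
    port=$2
    proto=${3:-tcp}
    case "$addr" in
        *:*) family=ipv6 ;;
        *)   family=ipv4 ;;
    esac
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) echo "rich_rule: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    if [ -n "$port" ]; then
        case "$port" in
            *[!0-9-]*) echo "rich_rule: bad port '$port'" >&2; return 1 ;;
        esac
        printf 'rule family="%s" source address="%s" port protocol="%s" port="%s" accept\n' \
            "$family" "$addr" "$proto" "$port"
    else
        printf 'rule family="%s" source address="%s" protocol value="%s" accept\n' \
            "$family" "$addr" "$proto"
    fi
}

# allow_from ZONE RULE
# Add RULE to the permanent configuration (survives reload and reboot) and to
# the runtime configuration (active now, without a reload that would drop other
# runtime-only changes), then query firewalld for the runtime rule.
allow_from() {
    zone=$1
    rule=$2
    fw --permanent --zone="$zone" --add-rich-rule="$rule" || return 1
    fw --zone="$zone" --add-rich-rule="$rule" || return 1
    fw --zone="$zone" --query-rich-rule="$rule"
}

# Example: open MySQL/MariaDB (3306/tcp) in the public zone to one host only.
allow_from public "$(rich_rule 10.20.4.55 3306)"
```

Applying a rule to both configurations, as allow_from does, avoids the reload entirely; the alternative when several runtime-only changes have been made interactively is firewall-cmd --runtime-to-permanent, which copies the whole runtime configuration to disk.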
Config File
Firewalld stores the permanent configuration of each zone in an XML file named after the zone. These files are located at:
/etc/firewalld/zones/
The public zone can be found at:
/etc/firewalld/zones/public.xml
Remember to run firewall-cmd --reload immediately after editing a zone file: the running firewall does not pick up changes to these files until then. firewall-cmd --permanent writes to the same files, so hand edits and --permanent commands can be mixed, but both need the reload.
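As an added illustration that is not taken from the firewalld project, this is what /etc/firewalld/zones/public.xml would contain after the --permanent add commands in the section above (before the unblock command), assuming the stock public zone that ships with the ssh and dhcpv6-client services enabled; the exact set of pre-enabled services varies by distribution.

```xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- services enabled in the stock public zone (assumed; varies by distribution) -->
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <!-- firewall-cmd --permanent --zone=public --add-service=http / https -->
  <service name="http"/>
  <service name="https"/>
  <!-- firewall-cmd --permanent --zone=public --add-port=3306/tcp: open to every source -->
  <port port="3306" protocol="tcp"/>
  <!-- rich rule: all TCP ports for one host -->
  <rule family="ipv4">
    <source address="10.20.4.55"/>
    <protocol value="tcp"/>
    <accept/>
  </rule>
  <!-- rich rule: one port for one host -->
  <rule family="ipv4">
    <source address="10.20.4.55"/>
    <port port="3306" protocol="tcp"/>
    <accept/>
  </rule>
  <!-- rich rule: reject everything from one host -->
  <rule family="ipv4">
    <source address="192.168.13.110"/>
    <reject/>
  </rule>
</zone>
```

Reading the file this way is a quick audit of what a host exposes: a bare <port> or <service> element is open to every source the zone covers, while a <rule> with a <source> restricts access to the listed host. Note that rules in this file only apply to traffic that firewalld assigns to the public zone (through the interface or source bindings of the zone), which is every interface on a default installation.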