Firewalld is a Linux firewall management tool with support for IPv4, IPv6, Ethernet bridges and IPSet firewall settings. It acts as a front-end to the Linux kernel’s netfilter framework. Firewalld is the default firewall management software on the RHEL 7 family.

In this guide, I’ll show you the basic usage of Firewalld on Ubuntu 18.04 and Ubuntu 16.04 Linux distributions.

How to Install Firewalld on Ubuntu 18.04 / Ubuntu 16.04

The default firewall system for Ubuntu is ufw but you can install and use Firewalld if you prefer. Firewalld works fine for me since I’m a heavy CentOS 7 user.

Install Firewalld on Ubuntu 18.04 / Ubuntu 16.04 by running the command:

sudo apt-get install firewalld

The service should be started by default. If it is not running, start it and enable it to start on boot:

sudo systemctl enable firewalld
sudo systemctl start firewalld

Confirm that the service is running:

$ sudo firewall-cmd --state

If you have ufw enabled, disable it to make firewalld your default firewall:

sudo ufw disable

Using Firewalld on Ubuntu 18.04 / Ubuntu 16.04

Now that the package has been installed and the firewalld service started, let’s look at a few examples of basic usage.

1. List all firewall rules configured

# firewall-cmd --list-all
  target: default
  icmp-block-inversion: no
  services: ssh dhcpv6-client
  masquerade: no
  rich rules:

The ssh and dhcpv6-client services are enabled by default when you start the firewalld service.

2. Get a list of all services that can be enabled using a name

sudo firewall-cmd --get-services

3. Enable http service

sudo firewall-cmd --add-service=http --permanent

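The --permanent option writes the rule to the permanent configuration, so it persists across server reboots. It does not change the running firewall until firewalld is reloaded or restarted.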

4. Enable both http and https on a single line

sudo firewall-cmd --permanent --add-service={http,https}

5. Enable TCP port 7070

sudo firewall-cmd --add-port=7070/tcp --permanent

6. Enable UDP port 514

sudo firewall-cmd --add-port=514/udp --permanent

7. Create a new zone

sudo firewall-cmd --new-zone=myzone --permanent

8. Enable service on a specific zone

sudo firewall-cmd --zone=myzone --add-port=4567/tcp --permanent

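9. Set default zone

sudo firewall-cmd --set-default-zone=public

--set-default-zone changes both the runtime and the permanent configuration, so --permanent is not needed here.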

10. Add an interface to a zone

sudo firewall-cmd --get-zone-of-interface=eth0 --permanent
sudo firewall-cmd --zone=<zone> --add-interface=eth0 --permanent

11. Allow access to a port from specific subnet/IP

$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="" accept' --permanent
$ sudo firewall-cmd --add-rich-rule 'rule family="ipv4" service name="ssh" \
source address="" accept' --permanent

12. List rich rules

sudo firewall-cmd --list-rich-rules

13. Configure Port forwarding

# Enable masquerading
$ sudo firewall-cmd --add-masquerade --permanent

# Port forward to a different port within same server ( 22 > 2022)
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toport=2022 --permanent

# Port forward to same port on a different server (local:22 >
$ sudo firewall-cmd --add-forward-port=port=22:proto=tcp:toaddr= --permanent

# Port forward to different port on a different server (local:7071 >
$ sudo firewall-cmd --add-forward-port=port=7071:proto=tcp:toport=9071:toaddr= --permanent

14. Removing port/service

Replace --add with --remove
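
Because the commands in this guide use --permanent, a rule can be saved but not yet active, or active but not saved. The script below is an added example, not part of the original guide: it compares the runtime and permanent services and ports of one zone and reports the difference. The names FWCMD, fw_list and fw_drift are assumptions of this example.

```sh
#!/bin/sh
# Added example: report drift between firewalld's runtime and permanent rules.
# FWCMD, fw_list and fw_drift are names assumed for this example.
# Set FWCMD="sudo firewall-cmd" when not running as root.
FWCMD=${FWCMD:-firewall-cmd}

# fw_list ZONE LIST-OPTION [--permanent]
# Prints the zone's services or ports on one space-separated line.
fw_list() {
    $FWCMD $3 --zone="$1" "$2" | tr '\n' ' '
}

# fw_drift ZONE
# Prints one line per service/port present in only one configuration.
# Returns 0 if both agree, 1 on drift, 2 if firewalld is not running.
fw_drift() {
    fwd_zone=$1
    fwd_found=0
    $FWCMD --state >/dev/null 2>&1 || {
        echo "firewalld is not running" >&2
        return 2
    }
    for fwd_opt in --list-services --list-ports; do
        fwd_rt=$(fw_list "$fwd_zone" "$fwd_opt")
        fwd_pm=$(fw_list "$fwd_zone" "$fwd_opt" --permanent)
        # Saved with --permanent but not loaded into the running firewall.
        for fwd_item in $fwd_pm; do
            case " $fwd_rt " in
                *" $fwd_item "*) ;;
                *) echo "permanent-only: $fwd_item (inactive until reload)"
                   fwd_found=1 ;;
            esac
        done
        # Added without --permanent: present now, gone after reload or reboot.
        for fwd_item in $fwd_rt; do
            case " $fwd_pm " in
                *" $fwd_item "*) ;;
                *) echo "runtime-only: $fwd_item (lost on reload or reboot)"
                   fwd_found=1 ;;
            esac
        done
    done
    return "$fwd_found"
}

# When run with a zone argument (for example: sh fw-drift.sh public), check it.
if [ "$#" -gt 0 ]; then
    fw_drift "$1"
fi
```

The check covers services and ports only; rich rules and forward ports are not compared.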

For further reading, refer to the Official Firewalld Documentation
