Configure firewalld on RHEL 9
firewalld is the default firewall manager on RHEL 9.
Basic concepts
| Concept | Description |
|---|---|
| Zone | Named group of rules (e.g. public, internal, trusted) |
| Service | Named port/protocol group (e.g. http, https, ssh) |
| Rich rule | Fine-grained rule for specific sources/ports |
Step 1 – Check status
```bash
systemctl status firewalld
firewall-cmd --state
```
Step 2 – List current rules
```bash
firewall-cmd --list-all
firewall-cmd --list-all-zones
```
Step 3 – Allow common services
```bash
# HTTP and HTTPS
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
# SSH (already enabled by default in most cases)
firewall-cmd --permanent --add-service=ssh
# Custom port
firewall-cmd --permanent --add-port=8080/tcp
# Apply changes
firewall-cmd --reload
```
Step 4 – Block an IP address
```bash
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.5 reject'
firewall-cmd --reload
```
Step 5 – Allow a port only from a subnet
```bash
firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=192.168.1.0/24 port port=3306 protocol=tcp accept'
firewall-cmd --reload
```
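The Step 5 rich rule only adds an accept for the subnet, so 3306 stays restricted only while the same zone does not also open it to every source through a port, a service or an ACCEPT target. The following check is an added example, not part of the original page: the function name, the service-name argument and the sample zone listings are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the original page). Reads `firewall-cmd --list-all`
# text on stdin and classifies PORT/PROTO for that zone:
#   scoped  - accepted only by rich rules that carry a source address
#   exposed - open to every source (zone port, service, ACCEPT target,
#             or a rich rule without a source address)
#   closed  - no accept found
# Assumption: the caller supplies the service name that maps to the port
# (mysql for 3306/tcp); port ranges inside rich rules are not expanded.
check_scoped_port() {
    awk -v want="$1" -v svc="$2" '
        BEGIN { split(want, p, "/") }
        $1 == "target:" && $2 == "ACCEPT" { wide = 1 }
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) wide = 1 }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) {
                split($i, e, "/"); n = split(e[1], r, "-")
                lo = r[1] + 0; hi = (n > 1 ? r[2] : r[1]) + 0
                if (e[2] == p[2] && p[1] + 0 >= lo && p[1] + 0 <= hi) wide = 1
            }
        }
        $1 == "rule" && / accept/ &&
          index($0, "port=\"" p[1] "\"") && index($0, "protocol=\"" p[2] "\"") {
            if ($0 ~ /source address=/) scoped = 1; else wide = 1
        }
        END { print (wide ? "exposed" : (scoped ? "scoped" : "closed")) }
    '
}

# Constructed sample: a zone holding the Step 4 and Step 5 rich rules.
SAMPLE_SCOPED='public (active)
  target: default
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  rich rules:
    rule family="ipv4" source address="10.0.0.5" reject
    rule family="ipv4" source address="192.168.1.0/24" port port="3306" protocol="tcp" accept'
# Constructed sample: the same zone after the mysql service was also added to it.
SAMPLE_EXPOSED=$(printf '%s\n' "$SAMPLE_SCOPED" | sed 's/ ssh$/ ssh mysql/')

printf '%s\n' "$SAMPLE_SCOPED"  | check_scoped_port 3306/tcp mysql
printf '%s\n' "$SAMPLE_EXPOSED" | check_scoped_port 3306/tcp mysql
```

On a live host, pipe `firewall-cmd --zone=<zone> --list-all` into the function; add `--permanent` to audit the saved configuration instead of the runtime one.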
Step 6 – Zones
```bash
# Assign an interface to a zone
firewall-cmd --permanent --zone=internal --add-interface=eth1
# Add a service to a specific zone
firewall-cmd --permanent --zone=internal --add-service=mysql
firewall-cmd --reload
```