What is firewallD?

FirewallD is a dynamic firewall provided with CentOS 7, Red Hat 7, and Oracle Linux 7. FirewallD interacts with Netfilter, the packet-filtering framework inside the Linux kernel. Netfilter lets the kernel inspect every packet passing through the system, so the system can read, stop, drop, modify, or reject packets.

FirewallD supports both IPv4 and IPv6. It uses the iptables tool to talk to the kernel packet filter (Netfilter). However, FirewallD differs from plain iptables: it is dynamic and allows new rules to be applied without reloading the service. Because FirewallD runs as a service, we can start, stop, and enable it with systemctl.

Additionally, the FirewallD daemon is managed by systemd using the firewalld.service unit. It is started before networking so that it can immediately protect the network when the network service starts up.

Configuration: Runtime vs Permanent

Runtime: firewalld configurations or changes that live in the system only until the next reboot or the next reload of the firewalld service. In other words, the configuration is not permanent.

Permanent: configurations or changes that persist, i.e. they are not lost when firewalld is restarted or the system is rebooted.

Zones

Zones define different levels of trust for a network connection. We may trust traffic from the internal zone more than the traffic from the public zone. We can configure a rule for a zone, a port, or a service like httpd.

Zones and Their Function
  • drop: Drop incoming traffic with no reply. Allow outgoing traffic.
  • block: Deny incoming connections with an icmp-host-prohibited reply. Allow outgoing connections.
  • public: Accepts traffic from any zone based on firewall rules. This is the default zone and by default accepts ssh, mdns, and dhcpv6-client.
  • external: Use on external networks with masquerading enabled; accept only selected incoming connections.
  • dmz: Use on publicly reachable systems in the DMZ that have limited access to the internal network.
  • work: Use on a work area where there is trust between workstations and servers.
  • home: Use on a home area where there is trust between workstations and servers. Home rejects all incoming connections unless they are in response to, or related to, outgoing traffic.
  • internal: Use on an internal network where there is trust between workstations and servers.
  • trusted: Accepts all connections and completely trusts other systems not to harm the local system.
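Added example, not part of the original article: a small Python check that parses the output of `firewall-cmd --list-all` (runtime view) and `firewall-cmd --permanent --list-all` (permanent view) for one zone and reports entries present in only one of them, i.e. runtime-only rules that will disappear at the next reload or reboot, and permanent rules that are not yet in effect. The two listings below are constructed samples trimmed to a few fields; on a real host you would feed the actual command output to `zone_drift`.

```python
# Constructed samples (not real host output) shaped like `firewall-cmd
# --list-all` (runtime) and `firewall-cmd --permanent --list-all` for one zone.
RUNTIME_SAMPLE = """\
public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client http
  ports: 8080/tcp
  masquerade: no
  rich rules:
"""

PERMANENT_SAMPLE = """\
public
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 8080/tcp 9090/tcp
  masquerade: no
  rich rules:
"""

# Fields whose values are whitespace-separated sets of rules.
SET_FIELDS = ("services", "ports", "protocols", "sources", "icmp-blocks")


def parse_zone_listing(text):
    """Parse --list-all style output into {'zone': name, field: set or str}."""
    lines = text.strip().splitlines()
    cfg = {"zone": lines[0].split()[0]}        # "public (active)" -> "public"
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        value = value.strip()
        cfg[key] = set(value.split()) if key in SET_FIELDS else value
    return cfg


def zone_drift(runtime_text, permanent_text):
    """Return {field: (lost_on_reload, applied_on_reload)} where the views differ."""
    rt, pm = parse_zone_listing(runtime_text), parse_zone_listing(permanent_text)
    drift = {}
    for field in SET_FIELDS:
        rt_set, pm_set = rt.get(field, set()), pm.get(field, set())
        if rt_set != pm_set:
            # runtime-only entries vanish on `firewall-cmd --reload` or reboot;
            # permanent-only entries are not in effect yet but will be after it.
            drift[field] = (rt_set - pm_set, pm_set - rt_set)
    return drift
```

With the samples above, `zone_drift` reports that the runtime-only `http` service is lost on reload and that `9090/tcp` opens only after one; a clean result means the two views agree.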

Conclusion

FirewallD is a dynamic service that interacts with the network filtering framework Netfilter. FirewallD does not need a reload after every change, since it accepts changes while it is running. Lastly, FirewallD is a service, and it can be started, stopped, restarted, or enabled with systemctl.