Riaan's SysAdmin Blog

My tips, howtos, gotchas, snippets and stuff. Use at your own risk!


FirewallD on Fedora

Somewhere between Fedora 18 and 20 the default firewall switched to FirewallD.  FirewallD is a replacement for the default iptables firewall.  There is lots more detail at the links referenced below, but in my mind the big advantages are zones and the fact that changes can be made to the running firewall without restarting it or unloading and reloading the rule set, so the firewall keeps its state across changes.

This is just a quick reminder for myself of what I did to add a port to the public zone.  I was setting up SPICE for accessing a Windows 7 KVM guest and needed the firewall to allow port 5901.

I will play with the other zones at some point. Ideally I don't want to allow 5901 in the public zone, just the internal zone.

Get some information on the FirewallD service.

# systemctl | grep firewall
firewalld.service                                                                                          loaded active running   firewalld - dynamic firewall daemon

# firewall-cmd --state

#  firewall-cmd --get-zones
block dmz drop external home internal public trusted work

#  firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

#  firewall-cmd --get-default-zone

Add the vnc-server service, which covers the ports I am interested in. Add the rule to the permanent configuration as well, not just the running one, then reload so the permanent configuration is re-read.

# firewall-cmd --zone=public --add-service=vnc-server

# firewall-cmd --permanent --zone=public --add-service=vnc-server

# firewall-cmd --reload

You can also use firewall-config, which is the native FirewallD GUI.
Use nmap to verify which ports are actually open from another host.
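Since the port should ideally be open only for the internal zone, here is an added example script (not from the original post) that binds the LAN interface to the internal zone, opens vnc-server there in both the running and permanent configuration, removes it from public if it was added there earlier, and verifies the result. It assumes the LAN-facing interface name (LAN_IF, default eth1) and that nmap is installed.

```shell
# Added example, not from the original post. Moves the SPICE/VNC rule from the
# public zone to the internal zone. Assumptions: the interface that faces the
# internal network is LAN_IF (default eth1), and the guest listens on 5901,
# which the vnc-server service (5900-5903/tcp in firewalld's definition) covers.
set -eu

LAN_IF="${LAN_IF:-eth1}"   # assumption: change to your internal interface
SERVICE="vnc-server"
WANT_ZONE="internal"
DROP_ZONE="public"

# has_word LIST WORD: true if WORD appears as a whole word in the space-separated
# LIST. firewall-cmd --list-services prints services as one such line.
has_word() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# zone_has_service ZONE SERVICE: query the running firewall.
zone_has_service() {
    has_word "$(firewall-cmd --zone="$1" --list-services)" "$2"
}

# apply_rule ZONE add|remove SERVICE: change both the running and the permanent
# configuration, as the post does, so the rule survives a reload or reboot.
apply_rule() {
    firewall-cmd --zone="$1" "--$2-service=$3"
    firewall-cmd --permanent --zone="$1" "--$2-service=$3"
}

main() {
    # Bind the LAN interface to the internal zone so its traffic is judged there.
    firewall-cmd --zone="$WANT_ZONE" --change-interface="$LAN_IF"
    firewall-cmd --permanent --zone="$WANT_ZONE" --change-interface="$LAN_IF"
    # Open the service on internal only; close it on public if it is open there.
    zone_has_service "$WANT_ZONE" "$SERVICE" || apply_rule "$WANT_ZONE" add "$SERVICE"
    if zone_has_service "$DROP_ZONE" "$SERVICE"; then apply_rule "$DROP_ZONE" remove "$SERVICE"; fi
    firewall-cmd --reload
    # Verify: the service is listed only under internal, and 5901 answers on the LAN address.
    echo "internal: $(firewall-cmd --zone="$WANT_ZONE" --list-services)"
    echo "public:   $(firewall-cmd --zone="$DROP_ZONE" --list-services)"
    nmap -p 5901 "$(ip -4 -o addr show "$LAN_IF" | awk '{print $4}' | cut -d/ -f1)"
}

# Only act on a host that has firewall-cmd; otherwise just define the helpers.
if command -v firewall-cmd >/dev/null 2>&1; then main; fi
```

Run it as root on the Fedora host; the final nmap should show 5901 open on the LAN address, and a scan from outside the LAN should show it closed.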

More detail here:

