How to Restrict Network Access Using FirewallD

As a Linux user, you can allow or restrict network access to services or IP addresses using the firewalld firewall, which is native to CentOS/RHEL 8 and most RHEL-based distributions such as Fedora.

The firewalld firewall uses the firewall-cmd command-line utility to configure firewall rules.

Before we can perform any configurations, let’s first enable the firewalld service using the systemctl utility as shown:

$ sudo systemctl enable firewalld

Once enabled, you can start the firewalld service by executing:

$ sudo systemctl start firewalld

You can verify the status of firewalld by running the command:

$ sudo systemctl status firewalld

The output below confirms that the firewalld service is up and running.

Check Firewalld Status

Configuring Rules using Firewalld

Now that we have firewalld running, we can go straight to making some configurations. Firewalld allows you to add and block ports, and to blacklist as well as whitelist IP addresses to control access to the server. Once done with the configurations, always reload the firewall so that the new rules take effect.

Adding a TCP/UDP Port

To add a port, say port 443 for HTTPS, use the syntax below. Note that you have to specify whether the port is a TCP or UDP port after the port number:

$ sudo firewall-cmd --add-port=443/tcp --permanent

Similarly, to add a UDP port, specify the UDP option as shown:

$ sudo firewall-cmd --add-port=53/udp --permanent

The --permanent flag ensures that the rules persist even after a reboot.

Blocking a TCP/UDP Port

To block a TCP port, like port 22, remove it from the allowed ports with the command:

$ sudo firewall-cmd --remove-port=22/tcp --permanent

Similarly, blocking a UDP port will follow the same syntax:

$ sudo firewall-cmd --remove-port=53/udp --permanent

Allowing a Service

Network services are defined in the /etc/services file. To allow a service such as https, execute the command:

$ sudo firewall-cmd --add-service=https

Blocking a Service

To block a service, for instance, FTP, execute:

$ sudo firewall-cmd --remove-service=ftp

Whitelisting an IP address

To allow a single IP address across the firewall, execute the command:

$ sudo firewall-cmd --permanent --add-source=

You can also allow a range of IPs or an entire subnet using a CIDR (Classless Inter-Domain Routing) notation. For example to allow an entire subnet in the subnet, execute.

$ sudo firewall-cmd --permanent --add-source=

Removing a Whitelisted IP address

If you wish to remove a whitelisted IP on the firewall, use the --remove-source flag as shown:

$ sudo firewall-cmd --permanent --remove-source=

For the entire subnet, run:

$ sudo firewall-cmd --permanent --remove-source=

Blocking an IP address

So far, we have seen how to add and remove ports and services, and how to whitelist IPs and remove them from the whitelist. To block an IP address, ‘rich rules’ are used.

For example to block the IP run the command:

$ sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"

To block the entire subnet, run:

$ sudo firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='' reject"

Saving Firewall Rules

If you have made any changes to the firewall rules, you need to run the command below for the changes to be applied immediately:

$ sudo firewall-cmd --reload

Viewing the Firewall Rules

To have a peek at all the rules in the firewall, execute the command:

$ sudo firewall-cmd --list-all
View Firewalld Rules
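
The commands above are a mix of --permanent and runtime-only changes, so the running rule set and the saved one can differ until the firewall is reloaded. As an added example (not part of the original article), this script compares the two --list-all listings and reports items present in only one; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: spot rules that exist only at runtime or only in the
# permanent configuration by comparing two `firewall-cmd --list-all` listings.

# Reduce a listing to one "key=value" item per line. Only the settings the
# article changes are kept: sources, services, ports and rich rules.
fw_items() {
    awk '
        /^[ \t]+rule / { sub(/^[ \t]+/, ""); print "rich-rule=" $0; next }
        /^[ \t]+(sources|services|ports):/ {
            sub(/^[ \t]+/, "")
            key = $0; sub(/:.*/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val)
            n = split(val, parts, " ")
            for (i = 1; i <= n; i++) print key "=" parts[i]
        }' | sort -u
}

# $1 = runtime listing, $2 = permanent listing. Prints one line per item
# found in only one of the two; prints nothing when they agree.
fw_drift() {
    {
        printf '%s\n' "$1" | fw_items | sed 's/^/R /'
        printf '%s\n' "$2" | fw_items | sed 's/^/P /'
    } | awk '
        { seen[substr($0, 3)] = seen[substr($0, 3)] substr($0, 1, 1) }
        END {
            for (item in seen) {
                if (seen[item] == "R") print "runtime-only (lost on reload): " item
                if (seen[item] == "P") print "permanent-only (needs --reload): " item
            }
        }' | sort
}

# Constructed sample listings (not captured from a real host).
SAMPLE_RUNTIME='public (active)
  sources: 192.0.2.0/24
  services: ssh https
  ports: 53/udp
  rich rules:
    rule family="ipv4" source address="203.0.113.7" reject'
SAMPLE_PERMANENT='public
  sources: 192.0.2.0/24
  services: ssh
  ports: 443/tcp 53/udp
  rich rules:'
fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
# On a live host:
#   fw_drift "$(sudo firewall-cmd --list-all)" "$(sudo firewall-cmd --permanent --list-all)"
```

An empty result means the running firewall matches what will be loaded after the next reload or reboot.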

This concludes this guide on how to allow or restrict network access using FirewallD on CentOS/RHEL 8. We hope you found this guide helpful.

9 thoughts on “How to Restrict Network Access Using FirewallD”

  1. I have 3 network interfaces and would like to limit tftp to only one of the interfaces. For example, I have networks,, and tftp should only be able to access the server via the 102 networks. Is this possible?

  2. How to reject all connections and allow the only ssh from one certain network?

    $ sudo firewall-cmd --zone=public --add-service=ssh
    $ sudo firewall-cmd --zone=public --add-source=
    $ sudo firewall-cmd --runtime-to-permanent

    Didn’t work, still can ping internets from the VM. Interface is in public zone.

  3. Though I certainly appreciate the walkthrough, there are some glaring mistakes in your command snippets; e.g. – you reference “firewalls” a number of times rather than “firewalld“. Additionally, in the command snippets for allowing a UDP port, it was left as TCP in the command.

    Thanks again for putting this out, but the ones who really need it would benefit greatly from some corrections.

    • @Jordan,

      Thanks for notifying me about those errors. I have corrected the commands in the article as pointed out by you…

  4. You need to check the command’s names, you are using firewalls instead of firewalld, also, you used tcp in the udp example.

    • @David,

      My bad, yes I must cross-check commands before publishing an article, thanks man, I’ve corrected the commands in the article…

