Firewalld - firewall-cmd - allow or deny a service

If you are not familiar with firewalld and firewall-cmd, check out our Getting Started article.

The --add-service option can be used to allow connections to a certain service, such as SMTP.

firewall-cmd --add-service=smtp --permanent
firewall-cmd --reload


The --remove-service option can be used to remove an allowed service.

firewall-cmd --remove-service=smtp --permanent
firewall-cmd --reload


Each service has an XML file located at /usr/lib/firewalld/services which contains the port and protocol being used by the service. For example, the ssh.xml file is using port 22 and the TCP protocol.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="22"/>
</service>
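
Before allowing a service by name, it helps to see exactly which ports that name opens. The script below is an added example, not part of the original article: it parses the service XML files described above, and its function names (service_ports, audit_services, make_sample_dir) and the sample definitions it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the ports a firewalld service definition opens.
# Directory from the article; override with SERVICE_DIR or a second argument.
SERVICE_DIR="${SERVICE_DIR:-/usr/lib/firewalld/services}"

# service_ports NAME [DIR]: print one "port/protocol" line per <port> element.
service_ports() {
    file="${2:-$SERVICE_DIR}/$1.xml"
    [ -r "$file" ] || return 1
    # Isolate each <port .../> element, then read the two attributes
    # separately so their order inside the element does not matter.
    tr '\n' ' ' < "$file" | { grep -o '<port [^>]*>' || true; } |
    while read -r element; do
        port=$(printf '%s\n' "$element" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$element" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
        if [ -n "$port" ]; then printf '%s/%s\n' "$port" "$proto"; fi
    done
}

# audit_services DIR NAME...: map each service name to its ports and flag
# names that have no definition file in DIR.
audit_services() {
    dir="$1"; shift
    for name in "$@"; do
        if ports=$(service_ports "$name" "$dir"); then
            printf '%s: %s\n' "$name" "$(printf '%s' "$ports" | tr '\n' ' ')"
        else
            printf '%s: no definition in %s\n' "$name" "$dir"
        fi
    done
}

# Constructed sample definitions (not copied from a real system) so the
# example runs offline; demo-app and demo-missing are hypothetical names.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '<service>' '  <port protocol="tcp" port="22"/>' \
        '</service>' > "$d/ssh.xml"
    printf '%s\n' '<service>' '  <port port="5353" protocol="udp"/>' \
        '  <port protocol="tcp" port="8080"/>' '</service>' > "$d/demo-app.xml"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
audit_services "$sample" ssh demo-app demo-missing
rm -rf "$sample"
```

On a firewalld host, pass the real directory and the names printed by --list-services, for example `audit_services /usr/lib/firewalld/services $(firewall-cmd --list-services)`.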


The --check-config option can be used to ensure there are no configuration errors.

~]$ firewall-cmd --check-config


The --list-services option can be used to display the services that are allowed in a zone.

~]# firewall-cmd --zone public --list-services


Or, the --list-all option can be used.

~]# firewall-cmd --list-all
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: smtp
  masquerade: no
  rich rules:

