How to set up a firewall using FirewallD on OpenSUSE Linux

I am a new OpenSUSE Linux 15.x sysadmin. How do I set up a firewall using FirewallD on OpenSUSE Linux 15.1 or 15.2 server?

An OpenSUSE Linux firewall is used to protect your cloud server or desktop from unwanted traffic. You can set up rules to either block traffic or allow it through. OpenSUSE Linux comes with a dynamic, customizable host-based firewall with a D-Bus interface. You can add, delete or update firewall rules without restarting the firewall daemon or service. The firewall-cmd tool acts as a frontend for nftables/iptables. This page explains how to set up a firewall on your OpenSUSE Linux and manage it with the firewall-cmd command-line tool.

How to install FirewallD

Type the following zypper command:
sudo zypper ref
sudo zypper update
sudo zypper install firewalld

How to install FirewallD on OpenSUSE Linux
Enable the firewall at boot time using the systemctl command:
sudo systemctl enable firewalld
Start the firewall on OpenSUSE Linux:
sudo systemctl start firewalld
Get status of your firewall:
sudo systemctl status firewalld
Enable and start Firewalld on OpenSUSE Linux
One can disable and stop the firewall as follows:
sudo systemctl disable firewalld
sudo systemctl stop firewalld
sudo systemctl restart firewalld ## want to restart the firewalld? ##

Basic concepts of FirewallD

firewalld simplifies network traffic management. There are two main concepts to understand when working with firewalld on OpenSUSE Linux: zones and services.

1. zones

Firewalld zones are nothing but predefined sets of rules. You can see all zones by running the following ls command:
ls -l /usr/lib/firewalld/zones/
Use the cat command to view the home and public zone definitions:
cat /usr/lib/firewalld/zones/home.xml
cat /usr/lib/firewalld/zones/public.xml

How to list all firewalld zones on OpenSUSE Linux 15.1

Understanding predefined zones

  1. block – All incoming network connections are rejected. Only network connections initiated from within the system are possible.
  2. dmz – Classic demilitarized zone (DMZ) that provides limited access to your LAN and only allows selected incoming ports.
  3. drop – All incoming network connections are dropped (no reply is sent), and only outgoing network connections are allowed.
  4. external – Useful for router type of connections. You need both LAN and WAN interfaces for masquerading (NAT) to work correctly.
  5. home – Useful for home computers such as laptops and desktops within your LAN where you trust the other computers. Allows only selected TCP/IP ports.
  6. internal – For use on internal networks when you mostly trust the other servers or computers on the LAN.
  7. public – You do not trust the other computers and servers on the network, so you only allow the required ports and services. For cloud servers or servers hosted on your own premises, always use the public zone.
  8. trusted – All network connections are accepted. I do not recommend this zone for dedicated servers or VMs connected to a WAN.
  9. work – For use at your workplace where you trust your coworkers and other servers.

Run the following command to see all zones on OpenSUSE Linux:
firewall-cmd --get-zones
If you get the following error, firewalld is not running yet (start it as shown above):

FirewallD is not running

Until then, you can still read the default zone from the config file with the grep command:
grep -i DefaultZone /etc/firewalld/firewalld.conf

The output shows that my default zone is public. Let us see the config for the public zone:
cat /usr/lib/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

In short, the OpenSUSE Linux firewall for the public zone will only allow ssh (TCP port 22) and dhcpv6-client when enabled.

How to find out your default zone

One can assign network interfaces and sources to a zone. One of these zones is set as the default zone. To get your default zone, run:
firewall-cmd --get-default-zone
To see your network interface names, run the ip command:
ip link show
When a new interface or connection (such as eth0 or ens3) is added to NetworkManager, it is attached to the default zone. Verify it by running the following command:
firewall-cmd --get-active-zones

2. services

A service is nothing but a list of local ports, protocols, source ports, destinations, and firewall helper modules. Some examples:

  • Port – 22 or 443 or 25 or 110
  • Service – HTTPS, SSH, HTTP
  • Protocols – ICMP

How to see firewall rules or services associated with the public zone

sudo firewall-cmd --list-all
sudo firewall-cmd --list-all --zone=public
Sample outputs:

  target: default
  icmp-block-inversion: no
  services: ssh dhcpv6-client
  masquerade: no
  rich rules:

The above commands indicate that my default zone is public and that I am allowing incoming SSH connections (port 22) and dhcpv6-client. All other incoming traffic is blocked by default. If I configure Apache or Nginx on OpenSUSE 15.1, I need to open ports 80/443 using firewall-cmd. If you do not want an unnecessary service such as dhcpv6-client, drop it by modifying the rules. For example, to remove the dhcpv6-client service:
sudo firewall-cmd --remove-service=dhcpv6-client --permanent --zone=public
sudo firewall-cmd --reload
sudo firewall-cmd --list-services

Remove services dhcpv6-client OpenSUSE FirewallD

How to see which services are allowed in the current zone

sudo firewall-cmd --list-services
sudo firewall-cmd --list-services --zone=public
sudo firewall-cmd --list-services --zone=home

One can use a bash for loop as follows:

## or just use 'sudo firewall-cmd --list-all-zones' ##
for z in $(sudo firewall-cmd --get-zones); do
    echo "Services allowed in $z zone: $(sudo firewall-cmd --list-services --zone=$z)"
done
Firewalld see which services are allowed in the current and all zones

How to start, stop, restart firewalld service on an OpenSUSE Linux

By now you know about firewalld zones, services, and how to view the defaults.

Start and enable firewalld

sudo systemctl start firewalld
sudo systemctl enable firewalld

Stop and disable firewalld

sudo systemctl stop firewalld
sudo systemctl disable firewalld

Check the firewalld status

sudo firewall-cmd --state

Command to reload the firewalld configuration after you make changes to the rules

sudo firewall-cmd --reload

Get the status of the firewalld service

sudo systemctl status firewalld
Installing and Managing FirewallD on OpenSUSE Linux

Understanding runtime and permanent firewall rule sets

Runtime firewalld configuration changes are temporary. When you reboot the OpenSUSE Linux server, they are gone. For example, the following will temporarily open TCP ports 80 (http) and 443 (https) for the Nginx/Apache web server:
sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=https

The above rules are not retained when you reboot the Linux box or restart the firewalld service itself.

How to add the rule to the permanent set and reload firewalld

Let us add rule (HTTPS/443 and HTTP/80) permanently and reload firewalld:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=https --permanent
sudo firewall-cmd --reload

Verify it:
sudo firewall-cmd --list-services
sudo firewall-cmd --list-services --permanent
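An added check, not part of the original article, for the runtime-vs-permanent split described above: it compares the two service lists of a zone and reports any drift in either direction. The two sample lists are constructed; on a real host you would feed it the outputs of the two --list-services commands.

```shell
#!/bin/sh
# Added example (not from the original article): report drift between the
# runtime and permanent service lists of a zone. Services that exist only at
# runtime vanish on reboot or 'firewall-cmd --reload'; services that exist only
# in the permanent set are not enforced until the next reload.

# Print the words present in $1 but absent from $2 (space-separated lists).
list_diff() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# Compare a runtime and a permanent service list and print a drift report.
# Returns 0 when the two sets match, 1 when they differ.
report_drift() {
    runtime=$1
    permanent=$2
    status=0
    for s in $(list_diff "$runtime" "$permanent"); do
        echo "runtime-only (lost on reload/reboot): $s"
        status=1
    done
    for s in $(list_diff "$permanent" "$runtime"); do
        echo "permanent-only (not enforced until reload): $s"
        status=1
    done
    return $status
}

# Constructed sample lists standing in for, on a real host:
#   runtime=$(sudo firewall-cmd --zone=public --list-services)
#   permanent=$(sudo firewall-cmd --zone=public --list-services --permanent)
sample_runtime="ssh dhcpv6-client http https"
sample_permanent="ssh http"

report_drift "$sample_runtime" "$sample_permanent" || echo "drift detected in zone public"
```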

Linux Firewalld runtime vs permanent rule set examples


How to find the list of services supported by firewalld

The syntax is as follows on your OpenSUSE based box:
sudo firewall-cmd --get-services
sudo firewall-cmd --get-services | grep nfs3
ls -l /usr/lib/firewalld/services/
cat /usr/lib/firewalld/services/nfs3.xml

Firewalld get a list of the available services to add or delete from rule sets

Firewalld rule sets examples

Let us see some common examples of firewalld for your default zone.

How to add a service to your zone

Add dns service (TCP/UDP port 53):
sudo firewall-cmd --zone=public --add-service=dns --permanent

How to remove (delete) service from your zone

Delete vnc server service (TCP port range 5900-5903):
sudo firewall-cmd --zone=public --remove-service=vnc-server --permanent

How to allow/open TCP/UDP port/protocol

Open TCP port # 9009:
sudo firewall-cmd --zone=public --add-port=9009/tcp --permanent
To view the ports added to the public zone, run:
sudo firewall-cmd --zone=public --list-ports

How to deny/block TCP/UDP port/protocol

Close TCP port 23 by removing it from the zone (ports that were never added are already blocked in the public zone, so --remove-port only undoes an earlier --add-port):
sudo firewall-cmd --zone=public --remove-port=23/tcp --permanent

How to write port forwarding firewalld rule

Forward TCP port 80 to port 8080 on the same server:
sudo firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080 --permanent
To delete the above port forwarding, run:
sudo firewall-cmd --zone=public --remove-forward-port=port=80:proto=tcp:toport=8080 --permanent
Turn on masquerading if you need to forward traffic (port 443) to an LXD server/container that listens on port 443 (put the container's IP address after toaddr=):
sudo firewall-cmd --zone=public --add-masquerade --permanent
sudo firewall-cmd --zone=public --add-forward-port=port=443:proto=tcp:toport=443:toaddr= --permanent

To delete the above masquerading rules, run:
sudo firewall-cmd --zone=public --remove-masquerade --permanent
sudo firewall-cmd --zone=public --remove-forward-port=port=443:proto=tcp:toport=443:toaddr= --permanent

As usual use the following to list rules:
firewall-cmd --zone=public --list-all --permanent

Rich rule firewalld example

Say you want to allow access to SSH port 22 only from a single IP address (given in source address=), run:
sudo firewall-cmd --permanent --zone=public --add-rich-rule 'rule family="ipv4" source address="" port port=22 protocol=tcp accept'
Note that this rule only adds an allow for that address. As long as the ssh service itself stays in the public zone, SSH remains open to everyone, so also remove the service (--remove-service=ssh --permanent) if you want to restrict it to that address.
To verify the new rule, run:
sudo firewall-cmd --list-rich-rules --permanent
In the following example, allow a subnet (given in source address=) to access TCP port 11211:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
rule family="ipv4"
source address=""
port protocol="tcp" port="11211" accept'

Again verify it:
sudo firewall-cmd --list-rich-rules --permanent
Sample outputs:

rule family="ipv4" source address="" port port="22" protocol="tcp" accept
rule family="ipv4" source address="" port port="11211" protocol="tcp" accept

You can delete rich rules as follows:
sudo firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="" port port=22 protocol=tcp accept' --permanent
## delete another rule ##
sudo firewall-cmd --remove-rich-rule 'rule family="ipv4" source address="" port port="11211" protocol="tcp" accept' --permanent
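An added helper, not part of the original article, for the rich rules shown above: it builds the accept rule text for one port from one IPv4 address or CIDR block and refuses malformed input before anything reaches firewall-cmd. The 203.0.113.0/24 and 198.51.100.7 values are constructed documentation addresses standing in for your management network.

```shell
#!/bin/sh
# Added example (not from the original article): build a firewalld rich rule
# that allows one TCP/UDP port only from a given IPv4 address or CIDR block.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
valid_ipv4_cidr() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no '/' given: single host
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rich_rule SOURCE PORT PROTO -> prints the rule text, or fails.
build_rich_rule() {
    src=$1; port=$2; proto=$3
    valid_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
        "$src" "$port" "$proto"
}

# Constructed values. On a real host, apply the generated rule with:
#   sudo firewall-cmd --permanent --zone=public --add-rich-rule="$rule"
#   sudo firewall-cmd --reload
rule=$(build_rich_rule 203.0.113.0/24 22 tcp) && echo "$rule"
```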


You learned the basic concept of firewalld and some common examples for OpenSUSE Linux 15.1 server. For more info see the official firewalld documentation here.

This entry is 3 of 4 in the Linux FirewallD Tutorial series. Keep reading the rest of the series:
  1. RHEL 8 FirewallD
  2. CentOS 8 FirewallD
  3. OpenSUSE 15.1 FirewallD
  4. Enable FirewallD logging for denied packets

3 comments
  • Gabby Feb 10, 2021 @ 12:15


    Very nice and useful tutorial.

    Thank you and love from Germany.

  • James Feb 13, 2021 @ 19:53

    Thank you for this, it is very informative. But I am still confused, as I have just come to openSUSE from Solus, which has a firewall called GUFW. GUFW is extremely simple to set up, you just take the defaults (select input-deny, output-allow), and that is it. I tried to see if GUFW is available in openSUSE, but could not find it in any repository.
    If I have to use the openSUSE firewall, firewalld, can you please explain how to set it up for ONE user at home who is connected to the internet via modem to an ISP? Do I stick with the public zone, (I see it is my default) or go with the home zone? Will I need to add or subtract any services? I use http, https, and (occasionally) ftp, will I need to add those to the zone? If you could just give a simple example of configuring openSUSE firewalld to make it to the same (or as close to the same) as the defaults of GUFW, I would be very grateful, and I think it would be useful to many others also!! Thank you.

    • 🐧 Vivek Gite Feb 14, 2021 @ 8:49

      Both the home and public profiles allow all outgoing connections from your OpenSUSE. The home profile allows file sharing for LAN-connected hosts. That is all.

      A graphical user interface is available when you type the following command:

