When transitioning from RHEL6 to RHEL7, many administrators face confusion about firewall rule persistence. Unlike the straightforward service iptables save command in RHEL6, firewalld implements a different approach to rule management.
Firewalld operates with two distinct configuration states:
- Runtime configuration: Immediate changes that will be lost after reboot
- Permanent configuration: Persisted changes that survive reboots
To achieve the equivalent of iptables save, you need to:
# Add your rule (example: open port 8080)
firewall-cmd --add-port=8080/tcp
# Make the change permanent
firewall-cmd --runtime-to-permanent
# Alternative (when adding rules directly):
firewall-cmd --add-port=8080/tcp --permanent
firewall-cmd --reload
Essential firewalld commands for rule persistence:
# View current runtime rules
firewall-cmd --list-all
# View permanent configuration
firewall-cmd --list-all --permanent
# Save runtime to permanent (best practice)
firewall-cmd --runtime-to-permanent
# Alternative approach (direct permanent modification)
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
1. Forgetting --permanent flag: Changes made without it won't persist
2. Missing --reload: Permanent changes need reload to take effect in runtime
3. Direct file editing: Avoid modifying XML files in /etc/firewalld/ directly
If you're coming from iptables and prefer that approach (not recommended for firewalld systems):
systemctl stop firewalld
systemctl mask firewalld
yum install iptables-services
systemctl enable iptables
iptables-save > /etc/sysconfig/iptables
When moving from RHEL6 to RHEL7, one notable change is the replacement of the traditional iptables service with firewalld. In RHEL6, we could easily save iptables rules using:
/sbin/service iptables save
However, in RHEL7 with firewalld, this approach no longer works as expected.
Firewalld handles rule persistence differently than iptables. The key things to know:
- Firewalld stores rules in XML configuration files
- Changes can be made either runtime (temporary) or permanent
- The --reload command doesn't actually save rules - it just reloads the permanent configuration
To achieve the equivalent of iptables save, you have two main approaches:
1. Using firewall-cmd for Permanent Changes
When adding rules, include the --permanent flag:
firewall-cmd --permanent --add-port=8080/tcp
firewall-cmd --reload
2. Making Runtime Rules Permanent
If you've already added runtime rules and want to save them:
firewall-cmd --runtime-to-permanent
Always verify your rules after saving:
# List permanent rules
firewall-cmd --permanent --list-all
# List runtime rules
firewall-cmd --list-all
- The --runtime-to-permanent command was introduced in firewalld 0.3.0; for older versions, you'll need to manually recreate rules with --permanent
- Configuration files are stored in /etc/firewalld/
- After system reboot, only permanent rules will persist
Here's a complete example of adding and saving a rule:
# Add temporary rule
firewall-cmd --add-service=http
# Test the rule works
curl http://localhost
# Make the rule permanent
firewall-cmd --runtime-to-permanent
# Alternative method:
# firewall-cmd --permanent --add-service=http
# firewall-cmd --reload
Remember that unlike iptables, firewalld is zone-based, so you might need to specify zones when working with rules.
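As an added example (not code from either answer above), here is a small POSIX shell check that automates the verification step both answers recommend: it compares a zone's runtime configuration with its permanent configuration and names every rule that would vanish at reboot because it was added without --permanent and never saved with --runtime-to-permanent. The four lists are constructed sample output standing in for firewall-cmd --list-services and --list-ports (with and without --permanent); the zone name public is an assumption (the RHEL7 default zone).

```shell
#!/bin/sh
# Added example (not code from either answer above): compare a zone's runtime
# and permanent firewalld configuration and report anything that exists only
# at runtime, i.e. rules that would be lost at reboot because they were added
# without --permanent and never saved with --runtime-to-permanent.
#
# On a live RHEL7 host the four lists would be gathered with:
#   firewall-cmd --zone=public --list-services
#   firewall-cmd --zone=public --list-services --permanent
#   firewall-cmd --zone=public --list-ports
#   firewall-cmd --zone=public --list-ports --permanent
# The strings at the bottom are CONSTRUCTED sample output so the check runs
# offline; the zone name "public" is an assumption (the RHEL7 default zone).

# runtime_only "RUNTIME ITEMS" "PERMANENT ITEMS"
# Prints, one per line, every space-separated item in the first list that is
# missing from the second (firewall-cmd prints its lists space-separated).
runtime_only() {
    for item in $1; do
        found=no
        for perm in $2; do
            if [ "$item" = "$perm" ]; then
                found=yes
                break
            fi
        done
        if [ "$found" = no ]; then
            printf '%s\n' "$item"
        fi
    done
}

# zone_report ZONE "RT SERVICES" "PERM SERVICES" "RT PORTS" "PERM PORTS"
# Prints a report with the exact command that would persist each runtime-only
# rule. Returns 0 when runtime and permanent agree, 1 when something would be
# lost at reboot.
zone_report() {
    zone=$1
    status=0
    for svc in $(runtime_only "$2" "$3"); do
        echo "zone $zone: service '$svc' is runtime-only; persist it with:"
        echo "  firewall-cmd --zone=$zone --add-service=$svc --permanent"
        status=1
    done
    for port in $(runtime_only "$4" "$5"); do
        echo "zone $zone: port '$port' is runtime-only; persist it with:"
        echo "  firewall-cmd --zone=$zone --add-port=$port --permanent"
        status=1
    done
    if [ "$status" -eq 0 ]; then
        echo "zone $zone: runtime and permanent configuration match"
    else
        echo "  (or save the whole runtime state: firewall-cmd --runtime-to-permanent)"
    fi
    return "$status"
}

# Constructed sample: a host where 'http' and 8080/tcp were opened without
# --permanent, while ssh, dhcpv6-client and 9090/tcp are already saved.
SAMPLE_RT_SERVICES="ssh dhcpv6-client http"
SAMPLE_PERM_SERVICES="ssh dhcpv6-client"
SAMPLE_RT_PORTS="8080/tcp 9090/tcp"
SAMPLE_PERM_PORTS="9090/tcp"

if zone_report public "$SAMPLE_RT_SERVICES" "$SAMPLE_PERM_SERVICES" \
                      "$SAMPLE_RT_PORTS" "$SAMPLE_PERM_PORTS"; then
    echo "nothing to save before reboot"
else
    echo "unsaved runtime rules found; run the commands above before rebooting"
fi
```

On a real host you would replace the four sample strings with the output of the corresponding firewall-cmd calls and run the script before a reboot or as part of a change checklist; a non-zero exit from zone_report means a rule was added without --permanent and never saved, which is exactly the pitfall both answers warn about.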