[root@host ~]# firewall-cmd --get-active-zones
[root@host ~]#
[root@host ~]# firewall-cmd --get-default-zone
public
When firewalld shows no active zones despite having a default zone configured (public in this case), it typically means:
- No network interfaces are assigned to any zones
- The default zone isn't being automatically applied
- NetworkManager isn't managing interfaces (if used)
- Firewalld service might need a reload
First, verify your current configuration:
# Check all available zones
firewall-cmd --get-zones
# List all network interfaces
ip a
# See interface-zone assignments
firewall-cmd --list-all-zones
# Check NetworkManager status (if applicable)
systemctl status NetworkManager
Solution 1: Assign Interfaces to Zones
The most common fix is explicitly binding interfaces to zones:
# Permanently assign eth0 to public zone
firewall-cmd --permanent --zone=public --add-interface=eth0
# Reload firewalld
firewall-cmd --reload
# Verify assignment
firewall-cmd --get-active-zones
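To see which interfaces still need the binding from Solution 1, the helper below compares an interface list against the --get-active-zones output and prints one binding command per unbound interface. It is an added example, not part of the original page; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): find interfaces that have no
# explicit zone binding and print the binding command for each one.

# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ACTIVE='public
  interfaces: eth0
dmz
  interfaces: eth1 eth2
  sources: 192.0.2.0/24'
# Constructed interface list, as `ls /sys/class/net` would give it.
SAMPLE_IFACES='lo eth0 eth1 eth2 eth3'

# stdin: --get-active-zones text; stdout: one "interface zone" pair per line.
parse_active_zones() {
    awk '
        NF == 0             { next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) print $i, zone; next }
        $1 == "sources:"    { next }
                            { zone = $1 }   # any other line names a zone
    '
}

# $1: space-separated interface names; $2: --get-active-zones text.
# Prints each non-loopback interface that appears under no zone.
unbound_interfaces() {
    bound=$(printf '%s\n' "$2" | parse_active_zones | awk '{ print $1 }')
    for ifc in $1; do
        [ "$ifc" = "lo" ] && continue
        printf '%s\n' "$bound" | grep -qxF -- "$ifc" || echo "$ifc"
    done
}

# $3: zone to bind to. Prints the commands only; nothing is changed.
suggest_bindings() {
    unbound_interfaces "$1" "$2" | while read -r ifc; do
        echo "firewall-cmd --permanent --zone=$3 --add-interface=$ifc"
    done
}

# Demo on the constructed sample. On a live host, pass instead:
#   "$(ls /sys/class/net)" "$(firewall-cmd --get-active-zones)" \
#   "$(firewall-cmd --get-default-zone)"
suggest_bindings "$SAMPLE_IFACES" "$SAMPLE_ACTIVE" public
```

Review the printed commands before running them, and follow them with firewall-cmd --reload.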
Solution 2: Temporary Binding (For Testing)
For temporary testing without permanent changes:
# Temporary assignment (won't survive reboot)
firewall-cmd --zone=public --add-interface=eth0
# Immediate verification
firewall-cmd --get-active-zones
Solution 3: NetworkManager Integration
If using NetworkManager, ensure proper integration:
# Check connection profiles
nmcli connection show
# Modify connection to use firewalld zone
# ("eth0" here is the connection profile name shown by the previous command)
nmcli connection modify eth0 connection.zone public
# Restart NetworkManager
systemctl restart NetworkManager
Working with Multiple Interfaces
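# Assign different zones to multiple interfaces
# (firewall-cmd applies a single --zone per invocation, so use one command per zone)
firewall-cmd --permanent --zone=work --add-interface=eth0
firewall-cmd --permanent --zone=dmz --add-interface=eth1
firewall-cmd --reload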
Debugging with Verbose Output
# Check firewalld logs in real-time
journalctl -u firewalld -f
# Alternative: check specific messages
journalctl -u firewalld --since "1 hour ago" | grep -i zone
Remember these key differences:
- Runtime: Takes effect immediately but won't persist across a reload or reboot
- Permanent: Saved to config files (/etc/firewalld/) and applied on the next reload
Always test changes in runtime mode first, then make permanent:
# Test temporary change
firewall-cmd --zone=public --add-service=http
# If working, make permanent
firewall-cmd --permanent --zone=public --add-service=http
When working with firewalld on Linux systems, you might encounter a situation where firewall-cmd --get-active-zones returns empty output while firewall-cmd --get-default-zone shows a valid zone (like 'public'). This typically occurs when:
- No network interfaces are assigned to any zone
- The firewall service isn't properly reloaded after configuration changes
- NetworkManager isn't managing the interfaces
First, verify your current interface-to-zone mappings:
# firewall-cmd --list-all-zones
# firewall-cmd --get-active-zones
# ip a
To make zones active, you need to bind network interfaces to them. Here's how to assign an interface (e.g., eth0) to your default zone:
# firewall-cmd --zone=public --add-interface=eth0 --permanent
# firewall-cmd --reload
For NetworkManager-managed systems, you can also use nmcli:
# nmcli connection modify eth0 connection.zone public
# systemctl restart NetworkManager
For temporary testing without permanent changes:
# firewall-cmd --zone=public --change-interface=eth0
# firewall-cmd --get-active-zones
After making changes, verify with:
# firewall-cmd --get-active-zones
public
interfaces: eth0
Common pitfalls:
- Forgetting the --permanent flag makes changes temporary
- Not reloading firewalld after permanent changes
- Conflicts between NetworkManager and direct firewalld assignments
If issues persist, check:
# journalctl -u firewalld --no-pager -n 50
# firewall-cmd --state
# systemctl status firewalld