Firewalld is a dynamic firewall management tool for Linux systems, providing zone-based network security with support for IPv4 and IPv6. Additionally, the firewall-config GUI simplifies zone management and service configuration through visual controls, making firewall administration accessible even for users who prefer graphical interfaces over command-line tools. Common use cases include configuring web server access (HTTP/HTTPS), setting up SSH restrictions by zone, and managing port forwarding for application hosting.
By the end of this guide, you will have the Firewalld GUI installed on Fedora with the ability to manage network zones, configure service rules, and control port access through an intuitive graphical interface. For comprehensive Firewalld command-line management on Fedora, refer to our base installation guide. This tutorial covers GUI installation for both GNOME and KDE desktop environments, practical configuration examples, and troubleshooting steps.
Install Firewalld
Verify Firewalld Installation
First, open a terminal on Fedora by pressing the Super key and typing “Terminal”, or search for “Terminal” in Activities. Next, check if Firewalld is already installed on your system. While some Fedora installations include Firewalld by default, minimal images and containers often do not. To confirm the installation status, run the following version check command:
sudo firewall-cmd --version
If Firewalld is installed, the terminal displays the version number. This confirms the firewall daemon package is present on your system:
2.3.2
The version number shown (2.3.2 in this example) indicates the specific release installed from Fedora’s repositories. However, if you see a “command not found” error, Firewalld is not installed and you should proceed to the installation step below.
Install Firewalld Package
When Firewalld is not present on your system, install it using the DNF package manager. This command downloads the firewall daemon and its dependencies from Fedora’s official repositories:
sudo dnf install firewalld -y
The -y flag automatically confirms the installation without prompting you for approval, which speeds up the process. Once the installation completes, verify it succeeded by checking the version again:
sudo firewall-cmd --version
2.3.2
Enable Firewalld
After installation, enable Firewalld to start automatically at boot and activate it immediately. The --now flag combines both actions into a single command:
sudo systemctl enable firewalld --now
After enabling the service, verify that Firewalld is configured for automatic startup. This command checks whether systemd will launch the firewall daemon during the boot sequence:
systemctl is-enabled firewalld
enabled
The output “enabled” confirms that Firewalld will start automatically whenever your system boots, ensuring continuous firewall protection without manual intervention.
Verify Firewalld Service Status
Finally, perform a comprehensive status check to confirm that Firewalld is both running in the current session and configured for system startup. This command displays detailed information about the service state:
systemctl status firewalld
The output should show the service as active and enabled:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: active (running) since [date/time]
Docs: man:firewalld(1)
Main PID: [pid] (firewalld)
Tasks: 2 (limit: [limit])
Memory: [memory]
CPU: [cpu]
CGroup: /system.slice/firewalld.service
Look for “active (running)” and “enabled” in the output to confirm Firewalld is protecting your system and will start automatically on reboot. The “Loaded” line shows the service configuration file location, while “Active” indicates the daemon is currently filtering network traffic. The “enabled; preset: enabled” status means Firewalld will launch during future boot cycles, maintaining your security posture across reboots.
Install Firewalld GUI
Install Firewalld GUI
The firewall-config GUI simplifies zone management and service configuration through visual controls, eliminating the need to memorize command-line syntax. To get started, install the graphical interface using DNF:
sudo dnf install firewall-config -y
Once the installation completes, confirm the package is installed on your system. This verification step ensures the GUI application is ready to launch:
dnf list installed firewall-config
Installed Packages
firewall-config.noarch    2.3.2-1.fc43    @updates
The output shows the package version (2.3.2-1.fc43) and the repository source. The @updates notation indicates the package came from Fedora’s updates repository, which provides bug fixes and security patches after the initial release. The noarch designation means this is an architecture-independent package that works on any system architecture. Additionally, you can view more detailed package information including dependencies and description with dnf info firewall-config.
KDE-Specific FirewallD GUI Installation
KDE Plasma users have an additional option designed specifically for their desktop environment. The plasma-firewall-firewalld package integrates directly into KDE System Settings, providing a native look and feel that matches the rest of your desktop. Install it with the following command:
sudo dnf install plasma-firewall-firewalld -y
The plasma-firewall-firewalld package integrates Firewalld management into KDE System Settings under Network → Firewall. KDE users can choose between this native integration or the standalone firewall-config application depending on preference. The native KDE integration offers better visual consistency with your desktop theme and eliminates the need for a separate application window. However, the standalone firewall-config provides more advanced features like detailed logging and rich zone descriptions. Importantly, both tools manage the same underlying Firewalld service, so your configuration remains consistent regardless of which interface you use. You can even install both and switch between them as needed. For users considering alternative desktop environments, see our guide on installing XFCE on Fedora.
Run Firewalld GUI
Launch Firewalld GUI
After installation, launch the Firewalld GUI to begin configuring firewall rules through the graphical interface. The launch method depends on your desktop environment. For GNOME desktop users, follow these steps:
- Click on ‘Activities’ at the top left corner of your screen.
- Select ‘Show Applications’ to view all installed applications.
- Locate and click on ‘Firewall’ to open the Firewalld GUI.
Alternatively, for KDE Plasma users who installed plasma-firewall-firewalld, access the firewall configuration directly through System Settings:
- Open System Settings from the application menu.
- Navigate to Network → Firewall.
- Configure zones and services directly within System Settings.

Understanding the GUI Interface
When you first launch the Firewalld GUI, it opens with the Configuration dropdown set to “Runtime” mode by default. Understanding the difference between Runtime and Permanent configurations is crucial for effective firewall management. Runtime changes take effect immediately but do not persist across reboots, making them useful for temporary testing. In contrast, Permanent configuration changes survive system restarts. Therefore, always switch to “Permanent” configuration when making lasting changes, then reload the firewall to apply them to the running system.
The default view displays the “public” zone, which Firewalld applies to most network interfaces unless you explicitly assign interfaces to different zones. The public zone uses a moderately restrictive default policy suitable for untrusted networks like coffee shops or airports. Below are the key sections available in the interface, each controlling different aspects of firewall behavior:
- Zones: Select and configure different trust levels for network connections
- Services: Enable predefined service rules (HTTP, HTTPS, SSH, etc.)
- Ports: Open specific port numbers for custom applications
- Protocols: Configure ICMP, IPsec, and other protocol rules
- Source Ports: Restrict traffic based on originating port numbers
- Masquerading: Enable NAT for sharing internet connections
- Port Forwarding: Redirect traffic from one port to another

Configure Firewall Rules
Allow Web Server Traffic
One of the most common firewall configuration tasks involves allowing web server traffic. Whether you are hosting websites with Nginx or running local development servers, you need to enable HTTP (port 80) and HTTPS (port 443) services. Follow these steps to allow web server traffic through the firewall:
- In the Configuration dropdown, select “Permanent” to make persistent changes.
- Select the “public” zone from the Zones list.
- Click the “Services” tab.
- Scroll through the services list and check the boxes next to “http” and “https”.
- Click Options → Reload Firewalld to apply the changes.
After reloading, the firewall now permits incoming connections on ports 80 (HTTP) and 443 (HTTPS), allowing web browsers to access your server. To confirm these changes took effect, verify the active services from the command line:
sudo firewall-cmd --list-services --zone=public
cockpit dhcpv6-client http https ssh
The output lists all services currently allowed through the firewall. You should see both “http” and “https” in the list, confirming that web server traffic can now reach your system. Each service name corresponds to a predefined port configuration in Firewalld’s service database.
The services listed depend on your existing configuration. For example, a fresh Fedora installation typically shows cockpit dhcpv6-client ssh. After adding HTTP and HTTPS, they appear in the list. The cockpit service provides web-based system management, dhcpv6-client allows automatic IPv6 address configuration, and ssh enables secure remote access.
Open Custom Ports
While Firewalld includes predefined services for common applications, you may need to open custom ports for specialized software or development tools. For instance, if you are running a Docker container on a non-standard port or testing an application during development, you can open specific port numbers manually. Follow these steps to configure custom port access:
- Ensure “Permanent” configuration is selected.
- Click the “Ports” tab in the public zone.
- Click the “Add” button.
- Enter the port number (e.g., “8080”) and select the protocol (tcp or udp).
- Click “OK” then reload Firewalld from the Options menu.
After reloading Firewalld, verify the port opened successfully. This command lists all custom ports configured in the public zone:
sudo firewall-cmd --list-ports --zone=public
The command returns the newly opened port with its protocol specification:
8080/tcp
The format “8080/tcp” indicates port 8080 is open for TCP protocol traffic. If you opened multiple ports, they all appear in this list separated by spaces. Applications can now accept connections on this port through the firewall.
Configure Port Forwarding
Port forwarding redirects traffic from one port to another, enabling flexible network configurations without modifying application settings. This proves particularly useful in several scenarios: running development servers as non-root users (who cannot bind to privileged ports below 1024), exposing containerized applications on standard ports, or consolidating multiple services behind a single entry point. For instance, consider a common scenario where you run a Node.js development server on port 8080 but want external users to access it via standard HTTP port 80. Configure port forwarding with these steps:
- Select “Permanent” configuration and the target zone.
- Click the “Port Forwarding” tab.
- Click “Add” to create a new forwarding rule.
- Enter the source port (e.g., “80”), protocol (tcp), destination port (e.g., “8080”), and optionally a destination IP address for remote forwarding.
- Click “OK” then reload Firewalld.
After reloading, traffic arriving on port 80 automatically forwards to port 8080 on the local system. Visitors connecting to your server’s IP address on port 80 reach the application listening on port 8080, even though they never specify the higher port number in their browser.
For local port forwarding (redirecting to a service on the same machine), leave the destination IP field blank. Alternatively, you can specify an IP address to forward traffic to another machine on your network, creating a simple reverse proxy setup. This remote forwarding capability proves valuable when load-balancing traffic across multiple backend servers or when separating your firewall system from your application servers for enhanced security.
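Forward rules are listed separately from a zone's services and ports, so a review of what the firewall exposes should read them too. The script below is an added example, not part of the original guide: it parses the line format printed by firewall-cmd --list-forward-ports, labels each rule local or remote, and flags remote rules when masquerading is off, since forwarding to another host normally needs it. The sample rules and addresses are constructed.

```shell
#!/bin/sh
# Added example: classify firewalld forward-port rules as local or remote.
# Live use (needs root):
#   firewall-cmd --zone=public --list-forward-ports |
#       audit_forwards "$(firewall-cmd --zone=public --query-masquerade)"

# audit_forwards MASQUERADE   (MASQUERADE is "yes" or "no"; rules on stdin)
audit_forwards() {
    masq=$1
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        case $rule in
            port=*:proto=*:toport=*:toaddr=*) ;;
            *) echo "UNPARSED $rule"; continue ;;
        esac
        # toaddr is last and may itself contain ':' (IPv6), so cut it first.
        toaddr=${rule##*:toaddr=}
        head=${rule%%:toaddr=*}
        port=${head#port=};        port=${port%%:*}
        proto=${head#*:proto=};    proto=${proto%%:*}
        toport=${head#*:toport=};  toport=${toport%%:*}
        [ -n "$toport" ] || toport=$port   # empty toport keeps the same port
        if [ -z "$toaddr" ]; then
            echo "LOCAL $port/$proto -> port $toport"
        elif [ "$masq" = yes ]; then
            echo "REMOTE $port/$proto -> $toaddr port $toport"
        else
            echo "REMOTE $port/$proto -> $toaddr port $toport (masquerade off)"
        fi
    done
}

# Constructed sample rules (documentation addresses, not real hosts);
# the last line is deliberately malformed.
FORWARD_SAMPLE='port=80:proto=tcp:toport=8080:toaddr=
port=443:proto=tcp:toport=:toaddr=192.0.2.10
port=53:proto=udp:toport=5353:toaddr=2001:db8::10
port 22 tcp'

printf '%s\n' "$FORWARD_SAMPLE" | audit_forwards no
```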
Troubleshooting Common Issues
Firewalld GUI Won’t Launch
If the Firewalld GUI application icon appears in the menu but won’t open, several factors may be preventing the launch. The most common cause is a stopped or failed firewalld service, which the GUI requires to communicate with the firewall daemon. Additionally, insufficient user permissions can block the GUI from querying firewall status. Ensure your user account has proper sudo privileges by following our guide to add a user to sudoers on Fedora if needed.
To begin troubleshooting, first check whether the firewalld service is running. This diagnostic command shows the current service state:
systemctl status firewalld
If the output shows the service as inactive, failed, or not loaded, start the firewalld service with this command:
sudo systemctl start firewalld
After starting the service, wait a few seconds for the daemon to initialize, then launch the GUI again. The application should now connect to the firewall daemon successfully. However, if the GUI still won’t open after confirming the service runs, verify the firewall-config package is actually installed on your system:
dnf list installed firewall-config
If the command returns “Error: No matching Packages to list”, the firewall-config package is not installed. Reinstall it using the installation commands from the earlier section of this guide.
D-Bus Connection Error
If you see “Failed to connect to socket” or D-Bus errors when running firewall-cmd commands, the D-Bus system service may not be running. Firewalld relies on D-Bus for inter-process communication between the command-line tools, GUI applications, and the firewalld daemon itself. Without a running D-Bus system bus, these components cannot exchange messages. This issue typically occurs in minimal environments, chroot systems, or containers where D-Bus is not started by default.
The error message looks like this:
Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory
To resolve this issue, start the D-Bus service first, then start Firewalld. Run both commands in sequence:
sudo systemctl start dbus
sudo systemctl start firewalld
After starting both services, the firewall-cmd commands and GUI should function normally. You can verify D-Bus is running with systemctl status dbus. In production environments, D-Bus typically starts automatically at boot, so this issue rarely affects desktop installations.
Changes Not Persisting After Reboot
If firewall rules disappear after reboot, you likely made changes in “Runtime” mode instead of “Permanent” configuration. This common mistake happens because the GUI defaults to Runtime mode when first launched. As mentioned earlier in the “Understanding the GUI Interface” section, runtime changes are temporary and only affect the currently running firewall. When the system reboots, Firewalld loads rules from the permanent configuration, discarding any runtime-only changes you made.
To make persistent changes that survive reboots, follow these steps in the correct order:
- First, switch the Configuration dropdown from “Runtime” to “Permanent”.
- Next, reconfigure your rules in Permanent mode.
- Finally, click Options → Reload Firewalld to apply permanent rules to the running configuration.
Alternatively, if you already configured rules in Runtime mode and want to save them without reconfiguring, you can copy all runtime rules to permanent configuration from the command line with a single command:
sudo firewall-cmd --runtime-to-permanent
This command snapshots your current runtime configuration and writes it to the permanent configuration files in /etc/firewalld/. The next time you reboot, Firewalld loads these saved rules automatically. However, adopting the habit of working in Permanent mode from the start prevents this issue entirely and ensures you never lose configuration work.
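To see which rules differ between the Runtime and Permanent configurations described above before deciding whether to save or reload, compare the two listings. This script is an added example, not part of the original guide; the sample listings are constructed and trimmed to the fields it reads.

```shell
#!/bin/sh
# Added example: report runtime vs. permanent drift for one firewalld zone.
# Live use (needs root):
#   drift services "$(firewall-cmd --zone=public --list-all)" \
#                  "$(firewall-cmd --permanent --zone=public --list-all)"

# zone_items FIELD: read `--list-all` text on stdin and print that field's
# values one per line, sorted (FIELD is e.g. services or ports).
zone_items() {
    awk -v f="$1" '$1 == (f ":") { for (i = 2; i <= NF; i++) print $i }' |
        LC_ALL=C sort -u
}

# drift FIELD RUNTIME_TEXT PERMANENT_TEXT
#   runtime-only   : active now, dropped at the next reload or reboot
#   permanent-only : saved, but not active until Firewalld is reloaded
drift() {
    rt=$(mktemp) && pm=$(mktemp) || return 1
    printf '%s\n' "$2" | zone_items "$1" > "$rt"
    printf '%s\n' "$3" | zone_items "$1" > "$pm"
    LC_ALL=C comm -23 "$rt" "$pm" | sed 's/^/runtime-only /'
    LC_ALL=C comm -13 "$rt" "$pm" | sed 's/^/permanent-only /'
    rm -f "$rt" "$pm"
}

# Constructed sample listings (not captured from a real host).
RUNTIME_SAMPLE='public (active)
  target: default
  interfaces: enp1s0
  services: cockpit dhcpv6-client http https ssh
  ports: 8080/tcp
  forward-ports:
  source-ports:'

PERMANENT_SAMPLE='public
  target: default
  interfaces:
  services: cockpit dhcpv6-client ssh
  ports: 8443/tcp
  forward-ports:
  source-ports:'

for field in services ports; do
    drift "$field" "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE"
done
```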
Remove Firewalld GUI
If you prefer command-line firewall management or need to free up system resources, you can remove the GUI packages while keeping the Firewalld service running.
Remove Standard GUI
For those using the standard Firewalld GUI (firewall-config), removing the package is straightforward. The following DNF command uninstalls the graphical interface while leaving the underlying firewalld service intact:
sudo dnf remove firewall-config -y
After removal completes, verify the package is no longer installed on your system. This confirmation step ensures the GUI components are fully removed:
dnf list installed firewall-config
Error: No matching Packages to list
The “Error: No matching Packages to list” message confirms successful removal. Importantly, the Firewalld service continues running in the background with all your configured rules intact—only the GUI application is removed. You can still manage your firewall through command-line tools like firewall-cmd, or you can reinstall the GUI later if needed.
Remove KDE Plasma GUI
Similarly, KDE desktop environment users who installed the KDE-specific version of the Firewalld GUI can uninstall it using the same process. This removes the System Settings integration without affecting the firewalld service:
sudo dnf remove plasma-firewall-firewalld -y
Once the uninstallation completes, confirm the package is removed from your system:
dnf list installed plasma-firewall-firewalld
Error: No matching Packages to list
The error message confirms the KDE integration is removed. The plasma-firewall entry will no longer appear in System Settings under Network. Removing the GUI packages does not affect the underlying Firewalld service or your configured firewall rules. Importantly, all zone configurations, service allowances, and port rules remain intact in /etc/firewalld/. Therefore, you can continue managing Firewalld using the firewall-cmd command-line tool or reinstall either GUI package later if you change your preference.
Conclusion
You now have the Firewalld GUI configured on Fedora to manage zones, services, ports, and forwarding rules through visual controls. As demonstrated throughout this guide, the firewall-config tool simplifies permanent rule creation without memorizing command syntax, while the KDE plasma-firewall integration offers desktop-native management for Plasma users. For enhanced security, consider integrating Fail2ban with Firewalld to block malicious login attempts, adding ClamAV antivirus protection, implementing chkrootkit for rootkit detection, or exploring advanced zone configurations to segment network trust levels.