How to Install FirewallD GUI on Fedora 44

Last updated Friday, May 15, 2026 6:53 pm Joshua James 7 min read

The Fedora firewall GUI lives in a separate package from the Firewalld daemon, so a Workstation system can already have the firewall running without showing a desktop editor. Install Firewalld GUI on Fedora when you want a local app for reviewing zones, checking services, opening ports, and saving rule changes without typing every firewall-cmd option.

The standalone package is firewall-config, and it appears in the desktop menu as Firewall. KDE Plasma users can also install plasma-firewall-firewalld for the Firewall page in System Settings. Both interfaces manage the same local Firewalld service through D-Bus; neither package provides a web dashboard.

Install Firewalld GUI on Fedora

Start with Fedora’s package metadata and the Firewalld daemon state. Fedora Workstation normally includes Firewalld already, but minimal images, custom spins, and previously modified systems can differ.

Update Fedora Before Installing the GUI

Refresh the enabled repositories and apply pending package updates before adding firewall management tools:

sudo dnf upgrade --refresh

These commands use sudo for package and firewall changes. If your account cannot run sudo yet, use the guide to add a user to sudoers on Fedora before continuing.

Check Firewalld Before Installing the GUI

Check the installed package, service state, boot state, and active zone before you add the GUI:

rpm -q firewalld
systemctl is-active firewalld
systemctl is-enabled firewalld
sudo firewall-cmd --get-active-zones

Example output on Fedora 44 Workstation shows Firewalld installed, running, enabled, and attached to the FedoraWorkstation zone:

firewalld-2.4.0-2.fc44.noarch
active
enabled
FedoraWorkstation (default)
  interfaces: ens160

If the package is missing or the service is not running, install Firewalld and enable it before launching the GUI:

sudo dnf install firewalld
sudo systemctl enable --now firewalld

Choose the Fedora Firewall GUI Package

Use the standalone editor on any desktop. Add the KDE integration only when you actually use Plasma and want the firewall controls inside System Settings.

Package | Interface | Best Fit | Notes
firewall-config | Standalone app named Firewall | GNOME, KDE, Xfce, Cinnamon, and other desktops | Installs the local GTK editor and depends on the matching Firewalld packages.
plasma-firewall-firewalld | KDE System Settings, Network, Firewall | KDE Plasma desktops | Installs the Firewalld backend for Plasma Firewall and may pull KDE Frameworks packages on non-KDE systems.

Install firewall-config on Fedora

Install the standalone Firewalld GUI from Fedora’s repositories:

sudo dnf install firewall-config

Verify the installed RPM package afterward:

rpm -q firewall-config

firewall-config-2.4.0-2.fc44.noarch

The package owns the desktop launcher and the terminal command. This quick check shows the visible menu name and executable path:

grep -E '^(Name|Exec)=' /usr/share/applications/firewall-config.desktop

Name=Firewall
Exec=/usr/bin/firewall-config

For more Fedora package-manager examples, including package searches and installed-state checks, see the DNF5 install command guide for Fedora.

Install the KDE Plasma Firewall Backend

On KDE Plasma, install the Firewalld backend for Plasma Firewall if the Firewall page is missing from System Settings or cannot talk to Firewalld:

sudo dnf install plasma-firewall-firewalld

Verify the backend and Plasma Firewall package afterward:

rpm -q plasma-firewall-firewalld plasma-firewall

plasma-firewall-firewalld-6.6.4-1.fc44.x86_64
plasma-firewall-6.6.4-1.fc44.x86_64

The backend depends on plasma-firewall and Firewalld. On GNOME or another non-KDE desktop, skip this package unless you intentionally want to install the Plasma Firewall components and their KDE Frameworks dependencies too.

Launch Firewalld GUI on Fedora

The standalone GUI needs a graphical desktop session. Being able to install the package over SSH does not give you a usable way to launch the GUI, so open it from the Fedora desktop where you plan to manage the firewall.

Open the Standalone Firewall App

In GNOME, open Activities and search for Firewall. In KDE, Xfce, Cinnamon, or other desktops, open the application menu and search for Firewall or firewall-config.

You can also launch the standalone app from a terminal inside the graphical session:

firewall-config

The application may ask for administrator authentication before it applies privileged firewall changes.

Open the KDE Firewall Settings Page

On KDE Plasma, open System Settings, then go to Network and select Firewall. If that page is missing or shows no Firewalld backend, install plasma-firewall-firewalld from Fedora’s repositories.

Confirm the Zone Before Editing Rules

Firewalld rules apply to zones, not to the GUI as a whole. Before adding services or ports, match the zone selected in the GUI to the zone attached to your active interface:

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --get-default-zone

Example output can look like this on Fedora Workstation:

FedoraWorkstation (default)
  interfaces: ens160
FedoraWorkstation

The interface name varies by system. Use the active zone that owns the network path you are configuring. Fedora Workstation often uses FedoraWorkstation, while server or minimal installs often use public.

Keep an existing remote session open while changing firewall rules on a machine you access over SSH. Confirm the active zone still allows SSH before closing the working session.

Configure Firewalld GUI Rules on Fedora

The GUI has two configuration views. Runtime changes apply immediately but disappear after reloads or reboots. Permanent changes survive reboots, but you must reload Firewalld to apply them to the running firewall.

Allow Web Server Traffic

Use named services for common protocols such as HTTP and HTTPS. In the GUI, switch Configuration to Permanent, select the zone that owns the server interface, open the Services tab, enable http and https, then reload Firewalld from the Options menu.

For the equivalent command-line verification, replace public with the zone you edited in the GUI:

sudo firewall-cmd --zone=public --query-service=http
sudo firewall-cmd --zone=public --query-service=https

Both checks should return yes after you enable the services and reload:

yes
yes

If you are preparing a web server, pair the firewall rule with the application setup itself. The Fedora guides to install Nginx on Fedora and install Apache HTTP Server on Fedora cover the service side of that workflow.

Open a Custom Port

Use a port rule when no Firewalld service definition exists for the application. In the GUI, choose the active zone, switch to Permanent configuration, open the Ports tab, add the port number and protocol, then reload Firewalld.

Verify the port in the same zone you edited. This example checks TCP port 8080 in the public zone:

sudo firewall-cmd --zone=public --query-port=8080/tcp

yes

FedoraWorkstation includes a broad high-port range in its packaged zone definition. If a high port such as 8080/tcp already returns yes before you add it, the zone is already allowing that port range. Server-style zones such as public are usually narrower.

Use the GUI for Temporary Tests

Runtime mode is useful for short tests because a reload or reboot discards the change. If the rule works and you want to keep it, switch to Permanent and add the same rule there, then reload Firewalld.

If you already tested several runtime rules and want to save the current runtime state, inspect it first:

sudo firewall-cmd --zone=public --list-all

When the runtime rules are exactly what you want to keep, copy them to permanent storage:

sudo firewall-cmd --runtime-to-permanent

--runtime-to-permanent saves every current runtime rule, including temporary tests. Review the zone first so you do not preserve a rule you meant to discard.

Update or Remove Firewalld GUI on Fedora

Fedora updates the GUI packages through DNF alongside the rest of the system. Removing a GUI package does not remove the Firewalld daemon or the firewall rules saved under /etc/firewalld/.

Update the Firewalld GUI Packages

Use the normal Fedora upgrade command to update Firewalld, firewall-config, and any KDE firewall components that are installed:

sudo dnf upgrade --refresh

After an update, confirm the daemon still answers and that the GUI package is still installed:

sudo firewall-cmd --state
rpm -q firewall-config

running
firewall-config-2.4.0-2.fc44.noarch

Remove the Standalone Firewalld GUI

Remove the standalone GUI when you want to keep Firewalld running but manage it through the command line or another interface:

sudo dnf remove firewall-config

Verify the GUI package is gone and Firewalld is still active:

rpm -q firewall-config
systemctl is-active firewalld
sudo firewall-cmd --state

package firewall-config is not installed
active
running

For deeper command-line management, use the guide to install and manage Firewalld on Fedora.

Remove the KDE Firewall Backend

If you installed the KDE backend and no longer need it, remove that package separately:

sudo dnf remove plasma-firewall-firewalld

Verify the backend package is gone afterward:

rpm -q plasma-firewall-firewalld

package plasma-firewall-firewalld is not installed

This removes the Firewalld backend for Plasma Firewall. The underlying Firewalld daemon and saved rules remain in place unless you remove or change them separately.

Troubleshoot Firewalld GUI on Fedora

Most GUI problems come from one of four causes: the package is missing, Firewalld is stopped, the wrong zone is selected, or the change was made only in Runtime mode.

Firewall App Is Missing from the Menu

If the Firewall launcher does not appear, verify the package first:

rpm -q firewall-config

A missing package returns this message:

package firewall-config is not installed

Install the package, then search for Firewall in the desktop menu again:

sudo dnf install firewall-config

Firewalld GUI Opens but Cannot Manage Rules

The GUI needs the Firewalld daemon and system D-Bus. Check the service state first:

systemctl is-active firewalld
sudo firewall-cmd --state

A stopped daemon can return:

inactive
not running

Start Firewalld and try the GUI again:

sudo systemctl enable --now firewalld

Confirm the daemon answers before reopening the GUI:

sudo firewall-cmd --state

running

If a minimal environment reports a missing D-Bus system socket, start Fedora’s D-Bus broker before restarting Firewalld:

Error: DBUS_ERROR: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory

sudo systemctl start dbus-broker.service
sudo systemctl restart firewalld
sudo firewall-cmd --state

running

GUI Changes Do Not Affect the Expected Network

If a service or port looks enabled in the GUI but traffic still fails, confirm that you edited the zone attached to the active network interface:

sudo firewall-cmd --get-active-zones
sudo firewall-cmd --zone=FedoraWorkstation --list-all

Replace FedoraWorkstation with the zone shown for your active interface. A rule in public does not help traffic on an interface assigned to FedoraWorkstation, and the reverse is also true.

Rules Disappear After Reboot

Rules that exist only in Runtime mode disappear after reloads and reboots. Compare the runtime and permanent views for the same zone:

sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --permanent --zone=public --list-all

If the rule appears only in the first output, add it again in Permanent mode through the GUI and reload Firewalld. Use --runtime-to-permanent only after you have reviewed every runtime rule you are about to save.
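The runtime-versus-permanent comparison above, and the review this guide asks for before running --runtime-to-permanent, can be scripted. This is an added example, not part of the original guide: the function names and sample listings are constructed for illustration, and it compares only the services and ports fields of the --list-all output.

```bash
#!/bin/sh
# Added example: list services and ports that exist in a zone's runtime view
# but not in its permanent view, from `firewall-cmd --list-all` text.
# Function names (zone_field, runtime_only_rules) are illustrative.

# Print the values of one field ("services" or "ports"), one per line, sorted.
# The pattern is anchored, so "ports" does not match "source-ports".
zone_field() {   # $1 = field name, $2 = --list-all text
    printf '%s\n' "$2" |
        sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" |
        tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print "<field> <value>" for each value found only in the runtime text.
# No output means both views agree on services and ports.
runtime_only_rules() {   # $1 = runtime text, $2 = permanent text
    for field in services ports; do
        permanent_values=$(zone_field "$field" "$2")
        zone_field "$field" "$1" | while IFS= read -r value; do
            printf '%s\n' "$permanent_values" | grep -Fxq -- "$value" ||
                printf '%s %s\n' "$field" "$value"
        done
    done
}

# Constructed sample listings (not captured from a real host).
SAMPLE_RUNTIME='public (active)
  target: default
  interfaces: ens160
  services: dhcpv6-client http https ssh
  ports: 8080/tcp 9090/tcp
  source-ports: 5000/tcp'
SAMPLE_PERMANENT='public
  target: default
  services: dhcpv6-client http ssh
  ports: 8080/tcp'

# Demo on the samples: reports https and 9090/tcp as runtime-only.
runtime_only_rules "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# On a live host, feed it the two listings for the zone you edited:
#   runtime_only_rules "$(sudo firewall-cmd --zone=public --list-all)" \
#       "$(sudo firewall-cmd --permanent --zone=public --list-all)"
```

Anything the function prints is a rule that a reload would discard and that --runtime-to-permanent would save, so each line is worth a deliberate keep-or-drop decision.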

Reset Firewalld GUI Changes Safely

Reset only the rules you added unless you have a complete backup of the firewall policy. For example, remove the public-zone examples with these commands, but skip any service or port you still need for real traffic:

sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --permanent --zone=public --remove-service=https
sudo firewall-cmd --permanent --zone=public --remove-port=8080/tcp
sudo firewall-cmd --reload

Then query the same zone to confirm the example rules are gone:

sudo firewall-cmd --zone=public --query-service=http
sudo firewall-cmd --zone=public --query-service=https
sudo firewall-cmd --zone=public --query-port=8080/tcp

no
no
no

Do not delete /etc/firewalld/ as a shortcut reset on a system you still depend on. That directory can contain custom zones, services, policies, and ipsets that other applications or administrators expect to keep.

Conclusion

Firewall is now available on Fedora as a local Firewalld editor, with the right zone checks in place before you open services or ports. For systems exposed to untrusted networks, pair the GUI workflow with Fail2Ban with Firewalld on Fedora and keep the deeper Firewalld command-line guide for Fedora nearby for custom zones, rich rules, and cleanup.
