To start the graphical firewall-config tool, press the super key and start typing firewall. The firewall icon will appear. Press enter once it is highlighted. The firewall-config tool appears. You will be prompted for your user password.

To start the graphical firewall configuration tool using the command line, enter the following command as root user:

~]# firewall-config

The Firewall Configuration window opens. Note, this command can be run as normal user but you will then be prompted for the root password from time to time.

Look for the word Connected in the lower left corner. This indicates that the firewall-config tool is connected to the user space daemon, firewalld.

To immediately change the current firewall settings, ensure the current view is set to Runtime Configuration. Alternatively, to edit the settings to be applied at the next system start, or firewall reload, select Permanent Configuration from the drop down list.

You can select zones in the left hand side column. You will notice the zones have some services enabled, you may need to resize the window or scroll to see the full list. You can customize the settings by selecting and deselecting a service except for the zones block, drop, and trusted as those zone settings are classified as immutable, they cannot be changed.

To add or reassign an interface of a connection to zone, start firewall-config, select Options from the menu bar, select Change Zones of Connections from the drop down menu. The Network Connections window appears. Select the connection you wish to add or reassign and select Edit. The Editing a connection window appears. Select the General tab. Select the new firewall zone from the drop down menu and click Save.

To set the default zone that new interfaces will be assigned to, start firewall-config, select Options from the menu bar, select Change Default Zone from the drop down menu. The System Default Zone window appears. Select the zone form the list that you want to be used as the default zone and click OK.

To enable or disable a predefined or custom service, start the firewall-config tool and select the network zone whose services are to be configured. Select the Services tab and select the check box for each type of service you want to trust. Clear the check box to block a service.

To edit a service, start the firewall-config tool and then select Permanent Configuration mode from the drop-down selection menu labeled Current View. An Edit Services button appears on the right hand side of the ICMP Filter tab. Click Edit Services, the Service Settings window appears. Select the service you wish to configure. The Ports and Protocols tab enables adding, changing, and removing of ports and protocols for the selected service. The modules tab is for configuring Netfilter helper modules. The Destination tab enables limiting traffic to a particular destination address and Internet Protocol (IPv4 or IPv6.

To permit traffic through the firewall to a certain port, start the firewall-config tool and select the network zone whose settings you want to change. Select the Ports tab and the click the Add button on the right hand side. The Port and Protocol window opens.

Enter the port number or range of ports to permit. Select tcp or udp from the drop down list.

To translate IPv4 addresses to a single external address, start the firewall-config tool and select the network zone whose addresses are to be translated. Select the Masquerading tab and select the check box to enable the translation of IPv4 addresses to a single address.

To forward inbound network traffic, or packets, for a specific port to an internal address or alternative port, first enable IP address masquerading, then select the Port Forwarding tab.

Select the protocol of the incoming traffic and the port or range of ports on the upper section of the window. The lower section is for setting details about the destination.

To forward traffic to a local port, that is to say to a port on the same system, select the Local forwarding check box. Enter the local port or range of ports for the traffic to be sent to.

To forward traffic to another IPv4 address, select the Forward to another port check box. Enter the destination IP address and port or port range. The default is to send to the same port if the port field is left empty. Click OK to apply the changes.

To enable or disable an ICMP filter, start the firewall-config tool and select the network zone whose messages are to be filtered. Select the ICMP Filter tab and select the check box for each type of ICMP message you want to filter. Clear the check box to disable a filter. This setting is per direction and the default allows everything.

To edit an ICMP filter, start the firewall-config tool and then select Permanent Configuration mode from the drop-down selection menu labeled Current View. An Edit ICMP Types button appears on the right hand side of the ICMP Filter tab.