can anyone provide a clear overview of the move to firewalld?

If I try to disable in console I get:

sudo firewall-cmd --zone=public --remove-service=ssh --permanent
Warning: NOT_ENABLED: ssh
asdfg@d:~> sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
Warning: NOT_ENABLED: dhcpv6-client
asdfg@d:~> sudo firewall-cmd --list-services
ssh dhcpv6-client

Does this make sense at all?

Add ‘–permanent’ to the last command

OK, that gives:

sudo firewall-cmd --list-services --permanent
[sudo] password for root: 

i.e. empty, as intended.

Many thanks for the clarification!

But what is the output of the command without the “–permanent”?

Is this the current status of the firewall?

Here’s what I did, after reading all messages in this thread several times and gnashing teeth over how an unsophistciated user like me could transition to firewalld.

If I missed a step, I hope others will let me know. If I did it right, I hope my steps can help others.

FWIW: I compute with Network Manager, seek only to connect to the internet – web surf, email, ftp – from a single computer, without a network and without the need for remote access. I have the NetworkManager-openvpn package installed, and use a VPN.

sudo systemctl stop SuSEfirewall2
sudo systemctl disable SuSEfirewall2
sudo systemctl enable firewalld
sudo systemctl start firewalld

And then, in Yast:

Firewall → install firewall-config utility
Firewall-config → Configuration → Change from ‘Runtime’ to ‘Permanent’
In default ‘public’ zone, uncheck dhcpv6 and ssh services

Close firewall-config, close Yast, reboot computer to test

sudo firewall-cmd --state
sudo firewall-cmd --list-services


(With no running services listed, such as the unwanted ssh and dhcpv6-client

A firewall test at gave me a ‘thumbs up.’

How’d I do? Did I miss anything?

And, for the benefit of other Tumbleweed users who may read this thread with worry: were these steps even necessary? As a home user without special needs, could I have continued to use already-installed SuSEfirewall2 for months (or years) to come?

sudo firewall-cmd --list-services** --permanent**

… I have no real idea what the output is without the --PERMANENT

Thanks, raspu. I added the –permanent switch to test. Same results.

The runtime configuration relates to the currently active firewall rules loaded in he running firewall. The permanent configuration consists of rules that are loaded from a configuration file and applied when firewalld is started, or when the rules are reloaded. So, after making changes to a permanent configuration, do

firewall-cmd --reload

or they will be applied when the firewalld service is restarted.

Read the guides.

This reads the configuration file for rules that will be applied when firewalld is (re)started…

sudo firewall-cmd --list-services--permanent

Without ‘–permanent’, the current runtime service configuration is shown. Changes to the firewall can be applied immediately (but not persistently) with the runtime configuration, but to be applied persistently, the ‘–permanent’ option is used. This will be used the next time firewalld is started, or just reload the firewall rules to have them applied

sudo firewall-cmd --reload

If you have a DSL router connecting you to the internet, that would usually take care of the firewall for you, and mitigate the need for a firewall anyway. Some users do have unknown/untrusted hosts present on a shared LAN, and so prefer the additional protection from potential attacks within the network. In this case, having no services defined in the firewall will still allow basic internet connectivity, but unwanted traffic will be blocked, including service discovery via broadcasts. This might be a problem if you were trying to for examples, detect a remote printer for configuration, or if you had a samba server configured for sharing files.

With respect to the VPN connectivity:

  1. For PPTP connectivity, connection tracking (built-in to the kernel) takes care of the inbound traffic, so no firewall adjustments should be needed.

  2. For openVPN, UDP port 1194 needs to be open. I think firewalld has the ‘openvpn’ service defined for this.

A few more comments:
When configuring with yast and the connections default to public you have both ethernet and wireles to the same zone and you cannot change one of them. However after changing them from default e.g. to home I could set the other (wireless) interface to external.
Thanks, suse_rasputin you are right - the configuration should be set to permanent (not runtime) from the start.
Now I want to create a blacklist of IP addresses and I understand you could enter them under IPSets but this does not seem clear. It says “An IPSet can be used to create white or black lists and is able to store for example IP addresses…”. When I highlight the wired connection and go to IPSet and click the plus sign, then a box comes up with fields for Name, Version, Short, Description, Timeout, Hashsize and Maselem. I don’t really know what that is about, I only want to create a blacklist. How can I create a blacklist? I normally have IP addresses from Doubleclick,, and other spy, tracking and “advertising” companies in the blacklist.

Here’s a simple guide

If you want to do this graphically with firewall-config, then from the ‘IPSets’ tab, click on the ‘+’ to add an ipset. Let’s call it ‘blacklist’. The only mandatory fields (shown in bold) are ‘Name’, ‘Type’, and ‘Family’. Use ‘hash:ip’ for the type, and ‘inet’ (ie IPv4 addressing) for family. Another ipset will need to be created for IPv6 addresses if applicable eg ‘blacklist6’. Once the ipsets have been created you can then proceed with adding the IP address entries that you wish to blacklist. Then you need to add rich rules to drop matching packets. Navigate to Zones > Rich Rules and add the required, then reload the rules (Optopns > Reload Firewalld).

Similarly, this can be done via CLI using…

firewall-cmd --permanent --add-rich-rule='rule source ipset=blacklist drop' 
firewall-cmd --permanent --add-rich-rule='rule source ipset=blacklist6 drop'

then reload the firewall rules to take effect

firewall-cmd --reload

I have seen that, thanks but I have many IP addresses and it would be very time consuming to enter everyone manually.

Anyway I have

. Navigate to Zones > Rich Rules and add the required, then reload the rules (Optopns > Reload Firewalld).

Again I have no idea what you mean with add the required - see SUSE Paste
Using the name blacklist, etc as you suggested worked well, I could even add the text file with all those IP addresses (no need to copy address by address - very good) but I don’t know what to enter now in this Rich Rules. Am I the only one not understanding this? I really would think a guide to this firwalld (including GUI) would be necessary.
Thank you for the help so far deano-ferrari.

Click on ‘Add’ then in the window that opens, select Family (eg ipv4), Action ‘drop’, Source ‘ipset’ and then click on the adjacent button, choose ‘blacklist’ and ‘OK’, then ‘OK’ to apply. From the main menu… Options > Reload Firewalld.

OK - I started to fill it in see I want these requests dropped without notifications. Do I need something from the Service drop-down list? Of course destination needs to be kept free since I don’t want this.

Thank you very much, deano-ferrari. Now I have to do the same with the IPv6 addresses. But at least I know now how to go about setting these blacklists. For those interested I use the script from to find the IP addresses e.g. from google and related advertising companies. The command ‘ --network “Google”’ [FONT=arial]e.g. creates a text file with the IP addresses of all those advertising companies belonging to Google (e.g. Doubleclick). You can reduce a lot of advertising and tracking by getting the IP addresses from Google, Facebook, Microsoft, etc and just blocking them.


That should be sufficient IMO.

Once the firewall is restarted (or rules reloaded), check what is reported with

sudo firewall-cmd  --list-rich-rules

FWIW, I’m testing with my eth0 interface in external zone, so I need to do

sudo firewall-cmd --zone=external --list-rich-rules

For reference, I get

rule family="ipv4" source ipset="blacklist" drop

…and of course to see the blacklist rule applied as iptables rule…

# iptables -S|grep blacklist
-A IN_external_deny -m set --match-set blacklist src -j DROP
# iptables -L|grep blacklist -B2
Chain IN_external_deny (1 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere             match-set blacklist src

Here is the code from my FW:

**linux-top:~ #** firewall-cmd  --list-rich-rules             
You're performing an operation over default zone ('public'),
but your connections/interfaces are in zone 'home' (see --get-active-zones)
You most likely need to use --zone=home option.

**linux-top:~ #** firewall-cmd --zone=home --list-rich-rules
rule family="ipv4" source ipset="blacklist" drop
**linux-top:~ #**

Ok, that looks as expected if you’re using a connection configured in the ‘home’ zone.