How to Configure firewalld Using the GNOME Firewall GUI

Configure firewalld via the GNOME GUI by launching the app, toggling the service, and editing zones or ports in the interface.

You installed a service and the network blocks it

You installed a web server or a file share on your Fedora laptop. You can access it from the browser on the same machine, but your phone on the Wi-Fi cannot connect. You remember Fedora has a firewall, and you recall a graphical tool for managing it. You open the "Firewall Configuration" app, stare at a list of zones, and wonder why "public" does not match your home network. You need to open port 8080, but the interface asks for a "service" or a "port" and you are not sure which one to pick.

The firewall is blocking the connection by design. Fedora enables firewalld by default to protect you from unsolicited traffic. The GUI is the fastest way to adjust the rules without memorizing command-line flags. This guide covers how to use the GNOME Firewall GUI to open ports, manage zones, and persist your changes so they survive a reboot.

How firewalld and the GUI map to reality

The firewall is not a simple on/off switch. It is a set of rules organized by zones. A zone defines the trust level of a network interface. Your home Wi-Fi might be the "home" zone, which allows more services. Your coffee shop Wi-Fi might be the "public" zone, which allows only essential traffic. The GUI lets you edit these rules visually.

Under the hood, the GUI sends D-Bus messages to the firewalld daemon. The daemon updates the kernel rules managed by nftables. The GUI does not store configuration separately. It reads and writes the same files that the command line uses. This means changes made in the GUI are immediately visible to firewall-cmd and vice versa.

The GUI handles two layers of configuration. The runtime configuration is active right now. The permanent configuration is what loads after a reboot. When you add a rule in the GUI, it applies to the runtime instantly. You must click the "Apply" button to write the rule to the permanent configuration. If you close the GUI without clicking "Apply", the rule vanishes on reboot.

Configure the firewall with the GUI

Launch the application. You can find it in the application menu under "Firewall Configuration". If you prefer the terminal, run the command below. The application requires administrative privileges to modify rules. On a default Fedora Workstation install, the polkit agent will prompt you for your password when you attempt to make changes.

firewall-config
# WHY: Launches the graphical configuration tool.
# Run it as your regular user. The tool talks to the firewalld daemon over D-Bus,
# and polkit prompts for authentication when you make a change.

Once the window opens, check the "Firewall" toggle at the top. If it is off, the firewall is inactive. Toggle it on. The system will immediately apply the default rules. Fedora enables the firewall by default. If you see it off, something disabled it previously. Turn it back on.

Select a zone from the left panel. The zone determines which network interface the rules apply to. The "public" zone is the default for most interfaces. It allows only SSH and DHCPv6 by default. If you are at home, you might want to use the "home" zone, which allows more services like Samba and mDNS. The GUI shows the current zone assignment for each interface. You can change the zone by clicking the interface name and selecting a new zone from the dropdown.

Check the zone assignment first. Rules in the wrong zone are invisible.

To allow a new service, click the "Services" tab within the zone view. Click "Add Service". A list of predefined services appears. These are XML files in /usr/lib/firewalld/services/. Select the service you need, such as "http" or "ssh". Click "OK". The service now appears in the list. The rule is added to the runtime configuration immediately.

Services are more robust than raw ports. A service definition maps a name to one or more ports and protocols. The "http" service covers port 80/tcp. The "https" service covers port 443/tcp. Some services cover multiple ports. The "mysql" service might include port 3306/tcp and 33060/tcp for the X Protocol. When you add a service, you rely on the definition file. If the upstream package updates the service definition to include a new port, your firewall rule automatically covers the new port. When you add a raw port, you lock in that number. If the application changes its port, your rule breaks. Prefer services whenever a definition exists.

To add a specific port, click the "Ports" tab. Click "Add Port". Enter the port number and protocol. For example, "8080/tcp". Click "OK". This is useful when no predefined service exists for your application.
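Before falling back to a raw port, you can check whether a service definition already covers it. The script below is an added example, not part of the original guide: it scans a directory of service XML files for a `<port>` element matching a port and protocol, including port ranges. The function names and the sample definitions are constructed for illustration, and it assumes each `<port .../>` element sits on one line.

```shell
#!/bin/sh
# Added example (not from the original page): find firewalld service
# definitions that already cover a port, before adding it as a raw port.
# Assumes each <port .../> element sits on one line, as in the shipped files.

# services_for_port DIR PORT PROTO -> names of matching definitions in DIR
services_for_port() {
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        if awk -v want="$2" -v proto="$3" '
            /<port[ \t]/ {
                p = ""; pr = ""
                if (match($0, /port="[^"]*"/))     p  = substr($0, RSTART + 6, RLENGTH - 7)
                if (match($0, /protocol="[^"]*"/)) pr = substr($0, RSTART + 10, RLENGTH - 11)
                n = split(p, r, "-")            # "5000-5100" is a port range
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (pr == proto && want + 0 >= lo && want + 0 <= hi) found = 1
            }
            END { exit !found }' "$f"
        then
            basename "$f" .xml
        fi
    done
}

# make_samples -> path of a temp dir holding two constructed definitions
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
        '  <short>Demo web (constructed)</short>' \
        '  <port protocol="tcp" port="8080"/>' '</service>' > "$d/demo-web.xml"
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
        '  <short>Demo range (constructed)</short>' \
        '  <port port="5000-5100" protocol="udp"/>' '</service>' > "$d/demo-range.xml"
    echo "$d"
}

samples=$(make_samples)
echo "8080/tcp covered by: $(services_for_port "$samples" 8080 tcp)"
echo "5050/udp covered by: $(services_for_port "$samples" 5050 udp)"
rm -rf "$samples"

# On a real system, check user overrides and the packaged definitions.
for dir in /etc/firewalld/services /usr/lib/firewalld/services; do
    if [ -d "$dir" ]; then services_for_port "$dir" 8080 tcp; fi
done
```

If the last loop prints nothing, no installed definition covers 8080/tcp and a raw port rule is the right choice.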

Click the "Apply" button in the toolbar. This step is critical. Changes made in the GUI are applied to the runtime configuration as you click them. The "Apply" button writes the changes to the permanent configuration. Without clicking "Apply", your rules will vanish after a reboot. The button saves the state to /etc/firewalld/.

Reboot to test persistence. If the rule is gone, you forgot Apply.

The GUI also manages ICMP blocks. Internet Control Message Protocol handles things like ping. By default, most zones allow ping. If you want to hide your machine from simple network scans, you can block ICMP echo requests. Go to the "ICMP Blocks" tab and add "echo-request". This stops ping replies without breaking other network functions.

Masquerading is the firewall's way of doing NAT. If your Fedora machine acts as a router, masquerading allows devices on the internal network to share the external connection. Enable masquerading in the zone settings. This rewrites the source address of outgoing packets. The GUI makes this a simple checkbox.

Verify the rules

Run the command below to dump the active configuration. This confirms that the GUI changes took effect and shows exactly what the kernel is enforcing.

sudo firewall-cmd --list-all
# WHY: Dumps the complete configuration of the default zone.
# This shows active services, ports, and sources, confirming the GUI changes took effect.
# If you edited a non-default zone, add --zone=<name> to target that zone.

Look for your service or port in the output. If it is there, the rule is active. If you see the rule in the GUI but not in the output, the zone assignment is wrong. The interface is likely in a different zone than the one you edited.

Run journalctl -xeu firewalld if the service fails to start or rules do not apply. The journal shows D-Bus errors, permission denials, or conflicts with other network tools.

Run journalctl first. Read the actual error before guessing.

Common pitfalls and error patterns

The most common mistake is editing the wrong zone. You add a rule to the "home" zone, but your Wi-Fi interface is assigned to "public". The rule does nothing. Check the "Interfaces" tab to see which zone is active for your connection. NetworkManager can change the zone automatically when you switch networks. If you move from home to a cafe, the zone might switch to "public". Your "home" rules will not apply.

Another pitfall is forgetting the "Apply" button. You add a port, test it, and it works. You reboot. The port is closed. The GUI applies changes to the running system instantly. The "Apply" button persists them. If you close the GUI without clicking "Apply", the changes are lost.
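Both pitfalls above can be checked without a reboot. The script below is an added example, not part of the original guide: for every zone that actually has an interface or source bound to it, it compares the runtime and permanent lists of services and ports and reports rules present in only one layer. The function names are illustrative and the sample data in the fallback branch is constructed.

```shell
#!/bin/sh
# Added example (not from the original page): list firewalld rules that exist
# in only one of the runtime and permanent configurations, per active zone.
# Function names are illustrative; the firewall-cmd options are standard.

# only_in A B -> each word of list A that is absent from list B
only_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# drift KIND RUNTIME_LIST PERMANENT_LIST -> one line per mismatched rule
drift() {
    for item in $(only_in "$2" "$3"); do
        printf 'runtime-only %s %s (lost on reboot)\n' "$1" "$item"
    done
    for item in $(only_in "$3" "$2"); do
        printf 'permanent-only %s %s (inactive until reload)\n' "$1" "$item"
    done
}

# active_zone_names: stdin is `firewall-cmd --get-active-zones` output;
# zone names start in column one, their interfaces/sources lines are indented.
active_zone_names() { awk '/^[^ \t]/ { print $1 }'; }

# audit: compare both layers for every zone that has an interface or source
audit() {
    firewall-cmd --get-active-zones | active_zone_names | while read -r zone; do
        echo "zone $zone"
        drift service "$(firewall-cmd --zone="$zone" --list-services)" \
                      "$(firewall-cmd --permanent --zone="$zone" --list-services)"
        drift port "$(firewall-cmd --zone="$zone" --list-ports)" \
                   "$(firewall-cmd --permanent --zone="$zone" --list-ports)"
    done
}

if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    audit          # live daemon reachable
else
    # Constructed sample: 8080/tcp was added at runtime but never saved.
    drift port "8080/tcp 443/tcp" "443/tcp"
fi
```

Run it as root. A zone you edited that does not appear in the output has no interface assigned, so its rules are not filtering any traffic.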

Sometimes the GUI shows "Firewall is not running" even when it is. This happens if the firewalld service crashed or if another firewall backend is active. Run the status command to check.

sudo systemctl status firewalld
# WHY: Checks the health of the firewall daemon.
# If the service is inactive, the GUI cannot communicate with the backend.
# A failed state usually indicates a configuration error in /etc/firewalld/.

If the service is dead, restart it. If it fails to start, check the journal for syntax errors in custom XML files. Configuration files can end up malformed if you edit them manually outside the tool.

Trust the package manager. Manual file edits drift, snapshots stay.

The GUI writes changes to /etc/firewalld/. Never edit files in /usr/lib/firewalld/. Those files ship with the package. If you modify them, an update will overwrite your changes. Always work in /etc/. The GUI respects this boundary automatically.

When to use the GUI versus the command line

Use the GNOME Firewall GUI when you prefer a visual interface to manage zones and services on a desktop system. Use firewall-cmd in the terminal when you are scripting firewall changes or working on a headless server. Use the CLI when you need to reload the firewall without dropping connections, as the GUI always reloads on apply. Use nftables directly only when you need performance tuning or rules that firewalld cannot express. Stay with firewalld for standard Fedora deployments. It integrates with NetworkManager and handles dynamic interface changes automatically.

Where to go next