
When is it necessary to reload FirewallD configuration?

Have you ever wondered why you have to run “reload” after making some changes to FirewallD configuration?

The following two commands do the same thing, but why are they needed?

firewallctl reload
firewall-cmd --reload

FirewallD has two separate sets of configuration: runtime and permanent. The runtime configuration is the set of currently active firewall rules loaded into the kernel. This configuration is stored in memory and will be lost if the firewalld service is restarted. The permanent configuration consists of the configuration files that are loaded from disk into memory when FirewallD is started or when the configuration is reloaded.

Changes to the runtime configuration aren’t saved to the permanent configuration unless you specify the --permanent argument to the firewallctl or firewall-cmd commands. However, when you do make permanent configuration changes, those changes will not be part of the runtime configuration until you reload it. This is why you’ll see the reload command in nearly all tutorials on FirewallD configuration.

As a rule of thumb, you should reload your FirewallD configuration after using the --permanent argument to make changes to your firewall configuration with either firewallctl or firewall-cmd.

If you make many changes to your configuration without reloading between the changes, you may run into situations where the current runtime isn’t aware of the other changes you’ve made to the permanent configuration. This can lead to errors where the firewallctl and firewall-cmd commands fail to make changes to the firewall configuration.

For example, the following will result in an error unless you reload your runtime configuration before issuing the second command:

firewallctl new --permanent zone --name "test"
firewallctl zone "test" add service "ssh"
Error: INVALID_ZONE test
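
To see ahead of time whether the runtime and permanent configurations have drifted apart, the two views can be compared zone by zone. The script below is an added example, not code from the original article; the FWCMD override and the fake_fw stub (with its constructed zone and service lists) are assumptions made so the script also runs on a machine without firewalld.

```shell
# Added example, not the article's code. FWCMD is this example's own hook for a stub.
FWCMD="${FWCMD:-firewall-cmd}"

# only_in A B: print each word of list A that is missing from list B.
only_in() {
    haystack=" $(echo $2) "
    for item in $1; do
        case "$haystack" in *" $item "*) ;; *) echo "$item" ;; esac
    done
}

# reload_status: compare zones and their services in both configurations.
# Returns 0 when runtime and permanent agree, 1 when they have drifted apart.
reload_status() {
    rc=0
    rt_zones=$($FWCMD --get-zones)
    pm_zones=$($FWCMD --permanent --get-zones)
    for z in $(only_in "$rt_zones" "$pm_zones"); do
        echo "zone $z: deleted from permanent config, disappears on reload"; rc=1
    done
    for z in $pm_zones; do
        if [ -n "$(only_in "$z" "$rt_zones")" ]; then
            echo "zone $z: permanent only, runtime commands fail with INVALID_ZONE until reload"
            rc=1; continue
        fi
        rt=$($FWCMD --zone="$z" --list-services)
        pm=$($FWCMD --permanent --zone="$z" --list-services)
        for s in $(only_in "$pm" "$rt"); do
            echo "zone $z: service $s is permanent only, inactive until reload"; rc=1
        done
        for s in $(only_in "$rt" "$pm"); do
            echo "zone $z: service $s is runtime only, lost on reload or restart"; rc=1
        done
    done
    return $rc
}

# Constructed stub: zone "test" was created with --permanent and not reloaded;
# service "http" was added to zone "public" without --permanent.
fake_fw() {
    case "$*" in
        "--get-zones") echo "public" ;;
        "--permanent --get-zones") echo "public test" ;;
        "--zone=public --list-services") echo "ssh http" ;;
        "--permanent --zone=public --list-services") echo "ssh" ;;
    esac
}

command -v "$FWCMD" >/dev/null 2>&1 || FWCMD=fake_fw   # no firewalld here: use the stub
reload_status || echo "drift found: firewall-cmd --reload loads the permanent configuration"
```

On a host where firewall-cmd is installed, the script queries the live daemon instead of the stub.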

Feature image based on a photo by © 2016 Aaron Barnaby.