🟡 Medium   ⏱ 5–30 min  Last verified: 19 May 2026
Affected versions: CentOS Stream 10

📖 ~1 min read

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Inbound traffic is dropped even though firewalld appears active.

Environment & Reproduction

After interface changes or NetworkManager renaming, the interface is in the wrong zone.

firewall-cmd --state
firewall-cmd --get-active-zones

Root Cause Analysis

Default zone or interface assignment does not include the needed services.

Quick Triage

Confirm zones and assigned interfaces.

firewall-cmd --get-default-zone
firewall-cmd --list-all-zones | head -40

Step-by-Step Diagnosis

Trace which zone is handling the inbound interface.

firewall-cmd --get-zone-of-interface=eth0
firewall-cmd --list-all --zone=public
Illustrative mockup for centos-stream-10 — firewalld_zone_bad
firewalld zone mismatch — Illustrative mockup — Progressive Robot

Solution – Primary Fix

Move the interface to the correct zone and add the service.

Still having issues? Our IT Solutions & Services team can diagnose and resolve this for you. Get in touch for a free consultation.

firewall-cmd --permanent --zone=public --change-interface=eth0
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
Illustrative mockup for centos-stream-10 — firewalld_zone_fixed
Zone updated — Illustrative mockup — Progressive Robot

Solution – Alternative Approaches

Use rich rules for fine-grained source allowlists.

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.0.0.0/24 service name=ssh accept'
firewall-cmd --reload

Verification & Acceptance Criteria

Service is reachable and listed in the zone.

ss -ltnp
firewall-cmd --list-all

Rollback Plan

Drop the new rules and reload.

firewall-cmd --permanent --remove-service=https
firewall-cmd --reload

Prevention & Hardening

Pin zones in /etc/firewalld and version-control them.

git -C /etc/firewalld init && git -C /etc/firewalld add -A && git -C /etc/firewalld commit -m baseline

Connection refused, no route to host on local LAN.

Related tutorial: View the step-by-step tutorial for centos-stream-10.

View all centos-stream-10 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

firewalld docs, NetworkManager zone hints.

Need Expert Help?

If you cannot resolve this yourself, our team offers hands-on Server Management, Managed IT Services, and flexible Support Plans. Contact us today — we respond within one business day.