Affected versions: RHEL 10


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Allowed traffic is blocked after `firewall-cmd --reload` because the rich rules were added only to the runtime state, which the reload discards.

Environment & Reproduction

Occurs when operational changes are applied quickly without `--permanent`; the rule below works until the next reload.

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.10.10.0/24 port port=8443 protocol=tcp accept'
firewall-cmd --reload
firewall-cmd --list-rich-rules

Root Cause Analysis

Runtime and permanent configurations diverge; reload reconstructs runtime from permanent files.

Quick Triage

Check both states quickly.

firewall-cmd --list-all
firewall-cmd --permanent --list-all
systemctl status firewalld

Step-by-Step Diagnosis

Find zone assignment and persistence mismatch.

firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-rich-rules
firewall-cmd --permanent --zone=public --list-rich-rules

Solution – Primary Fix

Recreate rule in permanent config and reload.


sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family=ipv4 source address=10.10.10.0/24 port port=8443 protocol=tcp accept'
sudo firewall-cmd --reload
sudo firewall-cmd --zone=public --list-rich-rules

Solution – Alternative Approaches

Use direct rules or dedicated service definitions for repeatable deployments.

sudo firewall-cmd --permanent --new-service=myapp
sudo firewall-cmd --permanent --service=myapp --add-port=8443/tcp
sudo firewall-cmd --permanent --zone=public --add-service=myapp
sudo firewall-cmd --reload

Verification & Acceptance Criteria

Rule remains after daemon reload and reboot.

firewall-cmd --reload
firewall-cmd --zone=public --list-rich-rules
systemctl reboot

Rollback Plan

Remove incorrect rules if access control becomes too broad.

sudo firewall-cmd --permanent --zone=public --remove-rich-rule='rule family=ipv4 source address=10.10.10.0/24 port port=8443 protocol=tcp accept'
sudo firewall-cmd --reload

Prevention & Hardening

Enforce firewall changes through IaC and audit rule drift regularly.

firewall-cmd --runtime-to-permanent
firewall-cmd --permanent --list-all > /var/tmp/firewalld-baseline.txt
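The comparison in the Step-by-Step Diagnosis section and the drift audit recommended here are the same operation: diff two rule lists and report what is only on one side. The following script is an added example, not part of the original article. `only_in_first` is pure text processing and is exercised on constructed sample data; `audit_zone` and `audit_baseline` wrap the article's own `firewall-cmd` commands and assume that firewalld is installed and the caller may read its configuration. The 192.0.2.0/24 rule is a constructed example, not from the page.

```shell
#!/bin/sh
# Added example (not from the original article): a small firewalld drift checker.

# only_in_first LIST_A LIST_B
# Prints the newline-separated entries of LIST_A that do not occur in LIST_B.
only_in_first() {
    a=$(mktemp) && b=$(mktemp) || return 1
    printf '%s\n' "$1" | sed '/^[[:space:]]*$/d' | sort -u > "$a"
    printf '%s\n' "$2" | sed '/^[[:space:]]*$/d' | sort -u > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# audit_zone ZONE
# Rich rules present at runtime but absent from the permanent config are exactly
# the rules that vanish on `firewall-cmd --reload`. Returns 1 if any are found.
audit_zone() {
    lost=$(only_in_first \
        "$(firewall-cmd --zone="$1" --list-rich-rules)" \
        "$(firewall-cmd --permanent --zone="$1" --list-rich-rules)")
    if [ -n "$lost" ]; then
        printf 'zone %s: runtime-only rich rules (lost on reload):\n%s\n' "$1" "$lost"
        return 1
    fi
}

# audit_baseline BASELINE_FILE
# Compares the current permanent configuration with a saved baseline such as
# /var/tmp/firewalld-baseline.txt and reports additions and removals.
# Returns 1 on any difference so it can gate a cron job or CI check.
audit_baseline() {
    current=$(firewall-cmd --permanent --list-all)
    baseline=$(cat "$1")
    added=$(only_in_first "$current" "$baseline")
    removed=$(only_in_first "$baseline" "$current")
    [ -z "$added" ] && [ -z "$removed" ] && return 0
    [ -n "$added" ]   && printf 'added since baseline:\n%s\n' "$added"
    [ -n "$removed" ] && printf 'removed since baseline:\n%s\n' "$removed"
    return 1
}

# Constructed sample data (no firewall-cmd needed): the 8443 rule from the
# article exists only at runtime, the 22 rule is in both states.
RUNTIME_RULES='rule family=ipv4 source address=10.10.10.0/24 port port=8443 protocol=tcp accept
rule family=ipv4 source address=192.0.2.0/24 port port=22 protocol=tcp accept'
PERMANENT_RULES='rule family=ipv4 source address=192.0.2.0/24 port port=22 protocol=tcp accept'

# Prints the single runtime-only rule, i.e. what a reload would silently drop.
only_in_first "$RUNTIME_RULES" "$PERMANENT_RULES"
```

On a live host, run `audit_zone public` after any operational change and schedule `audit_baseline /var/tmp/firewalld-baseline.txt` after the baseline has been captured with the command above; a non-zero exit is the signal that runtime and permanent state, or permanent state and the approved baseline, have diverged.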

Related Errors & Cross-Refs

Related to wrong zone bindings, nftables direct-rule conflicts, and SELinux port labeling errors.


References & Further Reading

Firewalld rich rule syntax and RHEL network security administration documentation.
