Affected versions: RHEL 10.0, RHEL 10.1


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Traffic that was allowed before a reboot is blocked afterwards because runtime-only firewall rules disappear when firewalld restarts.

Environment & Reproduction

Administrators add rules without the --permanent flag during emergency troubleshooting, so the rule takes effect immediately but is never saved.

firewall-cmd --add-rich-rule='rule family=ipv4 source address=10.10.0.0/16 accept'
reboot

Root Cause Analysis

The rule exists only in the runtime layer and is never written to the permanent zone configuration, so it is lost as soon as firewalld reloads or the system reboots.

Quick Triage

Compare the runtime and permanent firewalld states: a rule that appears in the runtime listing but not in the permanent listing will not survive a reload or reboot.

systemctl status firewalld
firewall-cmd --list-rich-rules
firewall-cmd --permanent --list-rich-rules
getenforce
journalctl -u firewalld -n 60 --no-pager

Step-by-Step Diagnosis

Inspect the zone assignments and the XML files under /etc/firewalld/zones that back the permanent configuration; a rule that is missing from the zone file has never been persisted.

firewall-cmd --get-active-zones
firewall-cmd --info-zone=public
ls -l /etc/firewalld/zones
cat /etc/firewalld/zones/public.xml
[Figure: rich rule absent after reboot (illustrative mockup)]

Solution – Primary Fix

Re-add the rich rule with the --permanent flag and reload firewalld so the permanent configuration becomes the active runtime configuration.


sudo firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address=10.10.0.0/16 accept'
sudo firewall-cmd --reload
sudo systemctl enable --now firewalld
[Figure: persistent rich rule stored in permanent config (illustrative mockup)]

Solution – Alternative Approaches

If many similar rules are required, place the source network in a dedicated zone instead of accumulating rich rules. Note that a newly created zone keeps firewalld's default target, which rejects traffic that no service or port rule in the zone matches, so the intended services must be added to the zone (or its target changed) before it replaces the rich rule.

sudo firewall-cmd --permanent --new-zone=trusted-internal
sudo firewall-cmd --permanent --zone=trusted-internal --add-source=10.10.0.0/16
sudo firewall-cmd --reload

Verification & Acceptance Criteria

The rule is listed in both the runtime and permanent layers and is still present after a reboot.

firewall-cmd --list-rich-rules
firewall-cmd --permanent --list-rich-rules
systemctl reboot

Rollback Plan

If the access policy changes, remove the rule from the permanent configuration and reload firewalld so the runtime layer matches.

sudo firewall-cmd --permanent --remove-rich-rule='rule family=ipv4 source address=10.10.0.0/16 accept'
sudo firewall-cmd --reload

Prevention & Hardening

Require --permanent in approved change workflows and audit runtime-only changes. The --runtime-to-permanent option copies the entire current runtime configuration into the permanent layer, so review the runtime rules before running it; otherwise an unreviewed emergency rule becomes permanent policy.

firewall-cmd --runtime-to-permanent
firewall-cmd --list-all
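As an added example that is not part of the original article, the following shell check implements the runtime-versus-permanent comparison from Quick Triage and the audit of runtime-only changes from Prevention & Hardening. The `firewalld_rule_drift` function takes the two rule listings as arguments, so it runs offline on the constructed sample below; `check_live_firewalld` is an assumed wrapper name that feeds it real `firewall-cmd` output on a host.

```shell
#!/usr/bin/env bash
# Added example, not part of the original article: detect drift between the runtime
# and permanent firewalld rich-rule layers.  A RUNTIME_ONLY rule vanishes at the next
# reload or reboot; a PERMANENT_ONLY rule is not enforced until firewall-cmd --reload.

# firewalld_rule_drift RUNTIME_RULES PERMANENT_RULES
#   Both arguments are newline-separated rule lists, as printed by
#   `firewall-cmd --list-rich-rules` and `firewall-cmd --permanent --list-rich-rules`.
#   Prints one "RUNTIME_ONLY <rule>" or "PERMANENT_ONLY <rule>" line per divergent rule.
#   Returns 0 when the layers match, 1 when they diverge.
firewalld_rule_drift() {
    drift=$(
        {
            # Tag each line with its layer (R = runtime, P = permanent).
            printf '%s\n' "$1" | awk '{ print "R\t" $0 }'
            printf '%s\n' "$2" | awk '{ print "P\t" $0 }'
        } | awk -F'\t' '
            $2 == "" { next }                      # skip blank lines
            $1 == "R" { runtime[$2] = 1;   all[$2] = 1 }
            $1 == "P" { permanent[$2] = 1; all[$2] = 1 }
            END {
                for (rule in all) {
                    if ((rule in runtime) && !(rule in permanent))
                        print "RUNTIME_ONLY " rule
                    else if ((rule in permanent) && !(rule in runtime))
                        print "PERMANENT_ONLY " rule
                }
            }' | sort
    )
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# Constructed sample listings, modelled on the article's rule; not captured from a real host.
# The 10.10.0.0/16 accept rule was added without --permanent (the failure the article
# describes); the 8443 drop rule was added with --permanent but never reloaded.
SAMPLE_RUNTIME='rule family="ipv4" source address="10.10.0.0/16" accept
rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept'
SAMPLE_PERMANENT='rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
rule family="ipv4" port port="8443" protocol="tcp" drop'

# Live check for a RHEL host (assumed wrapper name; needs privileges for the --permanent query).
check_live_firewalld() {
    firewalld_rule_drift \
        "$(firewall-cmd --list-rich-rules)" \
        "$(firewall-cmd --permanent --list-rich-rules)"
}

if firewalld_rule_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"; then
    echo "runtime and permanent layers match"
else
    echo "drift detected: review RUNTIME_ONLY rules, persist the approved ones with --permanent, then firewall-cmd --reload" >&2
fi
```

Run it from cron or a configuration-management check: a non-zero exit status means the host's active firewall differs from what will be in force after the next reboot, which is exactly the condition this article describes.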

Related Errors & Cross-Refs

Related to zone mismatch, interface reassignment, and nftables direct rule conflicts.


References & Further Reading

firewalld rich language and persistent configuration documentation.
