I can never remember this…

firewall-cmd --list-all-zones

Look to see which is ‘active’. Should be FedoraServer on Fedora Server. Then..

firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent

Annoyingly, the –permanent means ‘just add to the startup configuration, but don’t do anything now’. If you leave off the –permanent, then it takes effect right away but only affects the running configuration and will be lost after a restart.

Either way, you need two commands – either the –permanent command above, followed by

firewall-cmd --reload

or, and this is probably wiser in case you do something wrong and lock yourself out, you should do the command without –permanent, then check that all works (no –reload will be needed), then add it in again with –permanent so that the rule will be present after a future restart.

So, in summary:

firewall-cmd --zone=FedoraServer --add-port=80/tcp

(check that things are as you want them)

firewall-cmd --zone=FedoraServer --add-port=80/tcp --permanent

for localhost only stuff (e.g. powerdns stats on 127.0.0.1:8081)

firewall-cmd --zone=trusted --add-port=8081/tcp
firewall-cmd --zone=trusted --add-port=8081/tcp --permanent

To remove / undo:

firewall-cmd --zone=FedoraServer --remove-port=80/tcp
firewall-cmd --zone=FedoraServer --remove-port=80/tcp --permanent

For some known services (not sure which.. maybe it just uses /etc/services ?) you can give the service name instead of the port/protocol:

--add-service=http

instead of

--add-port=tcp/80

etc.