What services does SKYLINE provide?

We provide specialized divisions including: Data Centre Design & Build (Tier III/IV), Cybersecurity SOC/NOC Operations, SCADA & Automation, Fire Safety, Construction, HVAC, AI Solutions, Server Infrastructure with HPE & Dell, and Software Development.

Does SKYLINE design and build data centres?

Yes, we specialize in Tier III and Tier IV data centre design and construction including electrical infrastructure, precision cooling, raised flooring, fire suppression, and Schneider Electric UPS systems. All our projects are SACS-002 compliant and trusted by major clients like Saudi Aramco and SABIC.

Where is SKYLINE located?

Our headquarters is in Dammam, Eastern Province, Saudi Arabia. We serve all regions of Saudi Arabia and GCC countries including Riyadh, Jeddah, Khobar, Dhahran, and Jubail.

What compliance certifications does SKYLINE hold?

We comply with NCA-ECC (Essential Cybersecurity Controls), SACS-002 (Saudi Communications Standards for Data Centres), ISO 27001 (Information Security Management), and SAMA Cybersecurity Framework.

What experience does SKYLINE have in the Saudi market?

SKYLINE was founded in 2019 with 6+ years of experience, has completed 15+ mega projects including the FIFA Club World Cup, and serves 200+ clients including Saudi Aramco, SABIC, Maaden, and STC.

SKYLINE Industrial & IT Solutions

A field-tested, step-by-step guide. How to Configure firewalld Zones on RHEL — prerequisites, the actual commands, verification, and links to related RHEL / Rocky / AlmaLinux topics.

SKYLINE Engineering @skyline

Published: Apr 13, 2026
Last updated: May 28, 2026
Reading time: 3 min

On RHEL 9 / Rocky 9 / Alma 9, firewalld is the default firewall front-end. Unlike UFW's flat rule list, firewalld groups rules into zones that you assign to interfaces — a much cleaner model once you stop fighting it.

Prerequisites

Rocky 9 / Alma 9 / RHEL 9 with sudo.
firewalld installed (default on minimal install).

Step 1: Confirm firewalld is running

sudo systemctl status firewalld --no-pager
sudo firewall-cmd --state           # expect: running
sudo firewall-cmd --get-zones       # built-in zones
sudo firewall-cmd --get-default-zone

The default is usually public. For internet-facing servers, that is correct.

Step 2: List what is in a zone

sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --list-all

Out of the box public allows the ssh and dhcpv6-client services.

Step 3: Add services and ports

Two ways:

Named service (preferred — readable):

sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload

--permanent writes to disk; without it the change is runtime-only and lost on reload. --reload activates the on-disk config.

Explicit port (when there is no named service):

sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
sudo firewall-cmd --permanent --zone=public --add-port=30000-30100/tcp
sudo firewall-cmd --reload

Step 4: Source-based rules with rich rules

Allow Postgres from one app server only:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="10.0.1.20/32"
  port port="5432" protocol="tcp"
  accept'
sudo firewall-cmd --reload

Drop ICMP from a misbehaving subnet:

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
  rule family="ipv4"
  source address="203.0.113.0/24"
  icmp-block name="echo-request"'
sudo firewall-cmd --reload

Step 5: Multiple zones for multi-NIC hosts

A box with two NICs (one public, one private) should pin each to its own zone:

sudo nmcli connection modify ens3 connection.zone public
sudo nmcli connection modify ens4 connection.zone internal
sudo nmcli connection up ens4

Then add management ports only to internal:

sudo firewall-cmd --permanent --zone=internal --add-service=ssh
sudo firewall-cmd --permanent --zone=internal --add-port=9090/tcp
sudo firewall-cmd --reload

Step 6: Remove and inspect

sudo firewall-cmd --permanent --zone=public --remove-service=http
sudo firewall-cmd --reload

# Inspect via direct iptables view
sudo iptables -L INPUT -n -v | head -20
sudo nft list ruleset | head -50

Verify

sudo firewall-cmd --list-all-zones
nmap -Pn -p 22,80,443 your.host.sa

Conclusion

Once you accept the "zone-per-interface" model, firewalld is the cleaner abstraction over nftables than UFW's flat list. Permanent vs runtime is the only footgun — always pair --permanent with --reload.

Next steps

For RHEL family installs see Install Rocky Linux 9.
Debug SELinux blocks with SELinux permissive mode.
For the Ubuntu/Debian counterpart see UFW for specific ports.

SKYLINE Engineering

@skyline

The engineering team at SKYLINE Industrial Solutions. We publish field-tested guides drawn from real KSA and GCC deployments.

See author profile

SKYLINE engineering services

Need this implemented for you?

Reading is free — building it right takes a team. SKYLINE engineers ship RHEL / Rocky / AlmaLinux for Aramco vendors, banks, hospitals and government agencies across Saudi Arabia. Talk to us before you start.

Enterprise Server Supply + AMC Procurement + lifecycle + warranty + L3 support IT AMC Annual maintenance, 24/7 SLA, Bronze→Platinum

Talk to a SKYLINE engineer WhatsApp · +966 50 993 9334 Call +966 50 993 9334

Aramco Approved Contractor ISO 9001 · ISO 27001 SAMA CSF aligned NCA ECC ready 247+ KSA clients

Comments

0 total · 0 threads

Be the first to leave a comment.