On RHEL, the firewall is firewalld — a systemd service that wraps nftables. Its mental model is zones: pre-defined trust levels (public, internal, trusted, dmz, etc.) that bundle a set of allowed services and ports. Every interface belongs to exactly one zone, and exactly one zone is the default zone — that's the one used when you don't say --zone=... on a command.
firewalld keeps two layers of state: runtime (what the kernel is enforcing right now) and permanent (what is loaded on reboot or --reload). Most commands touch runtime by default; pass --permanent to write to disk. The only way to make a runtime change persist is to also write it to permanent, either by re-running the command with --permanent or by running --runtime-to-permanent after you've verified the runtime change works.
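An added example (not from the original page) of checking for runtime-only changes before a reload discards them: it compares the runtime and permanent listings of a zone and prints the settings that differ. The function names and the sample listings are constructed for illustration; fw_zone_drift needs root and a running firewalld.

```shell
#!/bin/sh
# Print the value of one "key: value" line from `firewall-cmd --list-all` text,
# with its words sorted so that ordering alone never counts as a difference.
fw_value() {  # $1 = listing text, $2 = key
    printf '%s\n' "$1" | awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, k ":") == 1 {
            v = substr(line, length(k) + 2)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' | tr -s ' \t' '\n\n' | sort | paste -sd' ' -
}

# Print one line per setting whose runtime and permanent values differ.
# Returns 1 if anything differs, 0 if the two layers agree.
fw_drift() {  # $1 = runtime listing, $2 = permanent listing
    drift=0
    for key in services ports masquerade forward-ports; do
        rt=$(fw_value "$1" "$key")
        pm=$(fw_value "$2" "$key")
        if [ "$rt" != "$pm" ]; then
            printf '%s: runtime=[%s] permanent=[%s]\n' "$key" "$rt" "$pm"
            drift=1
        fi
    done
    return "$drift"
}

# Live check for one zone; with no argument it uses the default zone.
fw_zone_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    fw_drift "$(firewall-cmd --zone="$zone" --list-all)" \
             "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Constructed sample listings: masquerade was switched on at runtime only.
SAMPLE_RUNTIME='public (active)
  services: cockpit dhcpv6-client ssh
  ports:
  masquerade: yes
  forward-ports:'
SAMPLE_PERMANENT='public
  services: ssh dhcpv6-client cockpit
  ports:
  masquerade: no
  forward-ports:'

fw_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" ||
    echo 'runtime differs: verify, then firewall-cmd --runtime-to-permanent'
```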
This topic focuses on the navigation layer: which zone is in charge, what's in it, and how masquerade (NAT) is toggled. For per-service / per-port rules, see Security & Firewall.