First, make sure the firewall service is running before doing any work related to ports.
Use this command to check the status of the firewalld service:
[root@server ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2017-10-29 08:46:09 IST; 4min 23s ago
     Docs: man:firewalld(1)
 Main PID: 523 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─523 /usr/bin/python -Es /usr/sbin/firewalld --nofork --...

Oct 29 08:46:07 server systemd[1]: Starting firewalld - dynamic fir....
Oct 29 08:46:09 server systemd[1]: Started firewalld - dynamic fire....
Hint: Some lines were ellipsized, use -l to show in full.
Now that we know the firewall is running, we will check which zones are available and which ports are enabled (listening) in the public zone, using the commands below.
Command to list the available zones:
[root@server ~]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
Command to check the enabled ports in the public zone:
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
From the output we can see that no ports are enabled yet, so let's see how to enable one.
As an example, I'm going to show you how to enable port 8080 for TCP traffic.
[root@server ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
--permanent: makes the change persistent, so it survives a reboot of the system.
--zone=public: we are enabling the port in the public zone.
--add-port=8080/tcp: the port number and protocol we are going to enable.
We must reload the firewall configuration for the change to take effect in the current session; otherwise a permanent change only becomes active at the next boot.
[root@server ~]# firewall-cmd --reload
success
Check the enabled ports in the public zone again after this change:
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
It shows that port 8080 has been enabled.
Next I am going to show you how to remove the enabled port from the firewall. As said above, we reload the firewall configuration so the change takes effect in this session, and then check the status.
[root@server ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
[root@server ~]# firewall-cmd --reload
success
[root@server ~]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s8
  sources:
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
We can also list the active zones, i.e. the zones that have interfaces or sources assigned to them:
[root@server ~]# firewall-cmd --get-active-zone
external
  interfaces: enp0s3
public
  interfaces: enp0s8
To find out which zone an interface is associated with (here I'm using the enp0s3 interface for the test):
[root@server ~]# firewall-cmd --get-zone-of-interface=enp0s3
external
Command to show the permanent configuration of a zone (here I'm using the public zone for the test):
[root@server ~]# firewall-cmd --permanent --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
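Because a port added with --permanent is not active until --reload, and a port added without --permanent disappears at the next boot, the runtime and permanent listings can disagree. As an added example (not from the original post), here is a small POSIX shell helper that parses the --list-all output shown above and reports whether a port/protocol pair is in the runtime configuration, the permanent configuration, both, or neither; the function names and the sample listings are my own, and only port_state_live() actually calls firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original post: compare a port's presence in the
# runtime and --permanent output of `firewall-cmd --zone=ZONE --list-all`.
# Only port_state_live() calls firewall-cmd (needs root on a firewalld host).

# Print the value of the "ports:" line from --list-all output read on stdin.
ports_from_list_all() {
    sed -n 's/^[[:space:]]*ports:[[:space:]]*//p'
}

# port_listed PORT/PROTO  (list-all output on stdin): exit 0 if it is listed.
port_listed() {
    want="$1"
    for p in $(ports_from_list_all); do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

# port_state PORT/PROTO RUNTIME_OUTPUT PERMANENT_OUTPUT
# Prints one of: both | runtime-only | permanent-only | absent
port_state() {
    want="$1"; in_rt=1; in_perm=1
    printf '%s\n' "$2" | port_listed "$want" && in_rt=0
    printf '%s\n' "$3" | port_listed "$want" && in_perm=0
    if   [ "$in_rt" = 0 ] && [ "$in_perm" = 0 ]; then echo both
    elif [ "$in_rt" = 0 ]; then echo runtime-only     # no --permanent: lost at reboot
    elif [ "$in_perm" = 0 ]; then echo permanent-only # --permanent but no --reload yet
    else echo absent; fi
}

# Live check on a real host, e.g. `port_state_live public 8080/tcp`.
port_state_live() {
    port_state "$2" "$(firewall-cmd --zone="$1" --list-all)" \
                    "$(firewall-cmd --permanent --zone="$1" --list-all)"
}

# Constructed sample listings modelled on the post: the state right after
# `--add-port=8080/tcp --permanent` but before `--reload`.
RUNTIME_SAMPLE='public (active)
  interfaces: enp0s8
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports:
  forward-ports:'
PERMANENT_SAMPLE='public
  services: dhcpv6-client mountd nfs rpc-bind ssh
  ports: 8080/tcp
  forward-ports:'
```

Running port_state_live for the public zone after the add and reload steps above should print "both"; "permanent-only" means the reload was forgotten.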
Command to get the default zone:
[root@server ~]# firewall-cmd --get-default-zone
public
Command to set the default zone:
[root@server ~]# firewall-cmd --set-default-zone=home
success