How to Configure Ports on Servers using Firewalld
Firewalld is a dynamic firewall manager for Linux systems, which supports both IPv4 and IPv6. It provides a simple way to configure and manage firewall rules, offering zone-based management.
Checking the Firewalld Status
Before making any changes, check if Firewalld is active:
systemctl status firewalld
If it's inactive, start it with:
systemctl start firewalld
To ensure that Firewalld starts automatically on boot:
systemctl enable firewalld
Opening a Port in Firewalld
To open a port, use the firewall-cmd command.
Example 1: Open Port 80 (HTTP)
To permanently open port 80 for HTTP traffic, use the following command:
firewall-cmd --zone=public --add-port=80/tcp --permanent
Example 2: Open Port 12345 (Custom UDP Port)
To open a custom UDP port, use this command:
firewall-cmd --zone=public --add-port=12345/udp --permanent
Then, reload the firewall to apply the changes:
firewall-cmd --reload
Checking Open Ports
After opening the port, you can verify that it is open by running:
firewall-cmd --list-ports
This will output the list of open ports, for example:
80/tcp 12345/udp
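Because --permanent writes only the saved configuration, the runtime port list and the permanent port list can drift apart until the next reload. The script below is an added example (not part of the original page) that compares the two listings and reports ports that are pending a reload and ports that exist only at runtime; it runs here against constructed sample output, and the two commands to substitute real output are shown in the comments.

```shell
#!/bin/sh
# Added example, not from the original page: compare firewalld's runtime and
# permanent port lists to spot ports still waiting for --reload and ports that
# were added without --permanent (and so vanish on reload).
# For real data replace the two sample strings with:
#   runtime=$(firewall-cmd --list-ports)
#   permanent=$(firewall-cmd --permanent --list-ports)

# port_is_open "80/tcp" "<listing>" -> exit 0 if the port/proto pair appears in
# a space-separated "firewall-cmd --list-ports" listing.
port_is_open() {
    want="$1"
    listing="$2"
    for candidate in $listing; do
        [ "$candidate" = "$want" ] && return 0
    done
    return 1
}

# in_a_not_b "<list a>" "<list b>" -> prints entries of a that are absent from b
in_a_not_b() {
    for item in $1; do
        port_is_open "$item" "$2" || printf '%s\n' "$item"
    done
}

# pending_reload <runtime> <permanent>: in the saved config but not yet live
pending_reload() { in_a_not_b "$2" "$1"; }
# lost_on_reload <runtime> <permanent>: live only, added without --permanent
lost_on_reload() { in_a_not_b "$1" "$2"; }

# Constructed sample listings: 12345/udp was opened with --permanent but the
# firewall has not been reloaded; 8080/tcp was opened at runtime only.
SAMPLE_RUNTIME="80/tcp 8080/tcp"
SAMPLE_PERMANENT="80/tcp 12345/udp"

report() {
    runtime="$1"
    permanent="$2"
    echo "pending reload (run firewall-cmd --reload):"
    pending_reload "$runtime" "$permanent"
    echo "lost on reload (re-add with --permanent if intended):"
    lost_on_reload "$runtime" "$permanent"
}

report "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

Run it as root on a host with firewalld after swapping in the two firewall-cmd calls from the comment; an empty result under both headings means the live and saved configurations agree.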
Removing an Open Port
If you want to close a port that was previously opened, use the --remove-port option:
firewall-cmd --zone=public --remove-port=80/tcp --permanent
Reload the firewall after removing the port:
firewall-cmd --reload
Allowing a Service
Instead of adding port numbers by hand, Firewalld lets you allow predefined services by name. For example, to allow the HTTP service:
firewall-cmd --zone=public --add-service=http --permanent
To remove the service:
firewall-cmd --zone=public --remove-service=http --permanent
Checking Active Zones and Services
To view which zones are currently in use and which services are allowed, run:
firewall-cmd --get-active-zones
This will output the active zones, for example:
public
interfaces: eth0
services: dhcpv6-client http
Reloading Firewalld Configuration
Whenever changes are made to the configuration, reload Firewalld to apply them:
firewall-cmd --reload
Setting Default Zone
To change the default zone (which applies to interfaces without a specified zone), use:
firewall-cmd --set-default-zone=public
You can check the current default zone with:
firewall-cmd --get-default-zone
Rich Rules
Rich rules allow more complex configurations, such as allowing traffic from specific IP addresses.
Example: Allowing Traffic from a Specific IP
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" accept' --permanent
To remove this rule:
firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.10" accept' --permanent
Listing All Configuration Settings
To view all of the active firewall settings, use:
firewall-cmd --list-all
This will output the full configuration for the default zone (add --zone=NAME to inspect another zone):
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http
  ports: 80/tcp 12345/udp
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Note: changes made with --permanent are written to the saved configuration but do not take effect until the firewall is reloaded, so always run firewall-cmd --reload after making changes to ensure they are applied.