How to Configure Ports on Servers using Firewalld

Firewalld is a dynamic firewall manager for Linux systems, which supports both IPv4 and IPv6. It provides a simple way to configure and manage firewall rules, offering zone-based management.

Checking the Firewalld Status

Before making any changes, check if Firewalld is active:

systemctl status firewalld

If it's inactive, start it with:

systemctl start firewalld

To ensure that Firewalld starts automatically on boot:

systemctl enable firewalld

Opening a Port in Firewalld

To open a port, use the firewall-cmd command.

Example 1: Open Port 80 (HTTP)

To permanently open port 80 for HTTP traffic, use the following command:

firewall-cmd --zone=public --add-port=80/tcp --permanent

Example 2: Open Port 12345 (Custom UDP Port)

To open a custom UDP port, use this command:

firewall-cmd --zone=public --add-port=12345/udp --permanent

Then, reload the firewall to apply the changes:

firewall-cmd --reload

Checking Open Ports

After opening the port, you can verify that it is open by running:

firewall-cmd --list-ports

This will output the list of open ports, for example:

80/tcp 12345/udp

Removing an Open Port

If you want to close a port that was previously opened, use the --remove-port option:

firewall-cmd --zone=public --remove-port=80/tcp --permanent

Reload the firewall after removing the port:

firewall-cmd --reload

Allowing a Service

Instead of adding port numbers by hand, Firewalld lets you allow predefined services by name. For example, to allow the HTTP service:

firewall-cmd --zone=public --add-service=http --permanent

To remove the service:

firewall-cmd --zone=public --remove-service=http --permanent

Checking Active Zones and Services

To view which zones are currently in use and which services are allowed, run:

firewall-cmd --get-active-zones

This will output the active zones, for example:

public
  interfaces: eth0
  services: dhcpv6-client http

Reloading Firewalld Configuration

Whenever changes are made to the configuration, reload Firewalld to apply them:

firewall-cmd --reload

Setting Default Zone

To change the default zone (which applies to interfaces without a specified zone), use:

firewall-cmd --set-default-zone=public

You can check the current default zone with:

firewall-cmd --get-default-zone

Rich Rules

Rich rules allow more complex configurations, such as allowing traffic from specific IP addresses.

Example: Allowing Traffic from a Specific IP

firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10" accept' --permanent

To remove this rule:

firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.10" accept' --permanent

Listing All Configuration Settings

To view all of the active firewall settings, use:

firewall-cmd --list-all

This will output the full configuration for the current zone:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http
  ports: 80/tcp 12345/udp
  protocols:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Note: --permanent writes a change to the saved configuration but does not touch the running firewall, so always reload (firewall-cmd --reload) after making changes to ensure they are applied.
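The following wrapper is an added example, not part of the original article: it validates a port spec before passing it to firewall-cmd, applies each change to both the permanent and the running configuration (so a forgotten reload cannot leave the two out of sync), and audits a zone's open ports against an allowlist. It assumes firewall-cmd is on PATH; the FIREWALL_CMD variable (an assumption of this example) can point at a stub for dry runs.

```shell
#!/bin/sh
# Added example wrapper around firewall-cmd (not the article's own code).
# FIREWALL_CMD defaults to the real binary; set it to a stub for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# validate_port_spec PORT/PROTO -> 0 if PORT is 1-65535 and PROTO is one
# firewalld accepts (tcp, udp, sctp, dccp); 1 otherwise.
validate_port_spec() {
  port=${1%%/*}
  proto=${1#*/}
  [ "$1" != "$port" ] || return 1                 # no "/" present
  case $port in ''|*[!0-9]*) return 1 ;; esac     # empty or non-numeric
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
  case $proto in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# open_port ZONE PORT/PROTO -> adds the port to the saved configuration and
# to the running firewall, then confirms it with --query-port
# (exit 0 only if the port is now open, 2 if the spec was rejected).
open_port() {
  validate_port_spec "$2" || { echo "rejecting malformed port spec: $2" >&2; return 2; }
  "$FIREWALL_CMD" --zone="$1" --add-port="$2" --permanent >/dev/null || return 1
  "$FIREWALL_CMD" --zone="$1" --add-port="$2" >/dev/null || return 1
  "$FIREWALL_CMD" --zone="$1" --query-port="$2" >/dev/null
}

# audit_ports ZONE ALLOWED... -> prints every open port in ZONE that is not
# in ALLOWED; returns 1 if any were found, 0 if the zone matches the list.
audit_ports() {
  zone=$1; shift
  unexpected=0
  for open in $("$FIREWALL_CMD" --zone="$zone" --list-ports); do
    found=0
    for ok in "$@"; do [ "$open" = "$ok" ] && found=1; done
    if [ "$found" -eq 0 ]; then
      echo "unexpected open port in zone $zone: $open"
      unexpected=1
    fi
  done
  return $unexpected
}
```

Run audit_ports from a cron job or configuration check with the ports you expect, and treat a non-zero exit as drift to investigate.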
