How To Open A Port In CentOS 7 With Firewalld
In this tutorial, we will show you how you can open a port in the default firewall in CentOS 7, firewalld.
You will see that, while we can manually open a particular port, it is usually easier and more beneficial to allow traffic based on predefined services instead.
Open Specific Port
Opening a port in firewalld is usually straightforward. For instance, to allow traffic from any source IP address to TCP port 100, we first edit the persistent configuration and then reload firewalld to load the change into the running configuration:
firewall-cmd --permanent --add-port=100/tcp
If the --permanent flag is not specified, the command changes only the running configuration, and the change will not be saved; it is lost on the next reload or reboot.
We can check the ports that are open in the current default zone with --list-ports.
As expected, TCP port 100 is open.
If we ever want to remove a port, we can use --remove-port= in the same way. We could also open a range of ports:
firewall-cmd --permanent --add-port=200-300/tcp
Open Predefined Service
Rather than manually specifying a port number to allow through the firewall, we can make use of a set of predefined services, which is often simpler. For example, instead of opening TCP port 80, we can use the 'http' service.
firewall-cmd --permanent --add-service=http
Now, if we decide to list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed through by default.
dhcpv6-client http ssh
This is a predefined service, and you can find it as an XML file in the /usr/lib/firewalld/services/ directory. Here’s what the http service we just used looks like:
# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
We can create custom services by copying one of these files into the /etc/firewalld/services/ directory and customizing it there. The files in /usr/lib/firewalld/services/ should not be edited in place; changes belong in a copy under /etc/firewalld/services/, followed by a reload of firewalld to apply them.
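As an added example, not part of the original tutorial, the following POSIX shell script builds a custom service file in the same XML shape as the http service above, writes it into /etc/firewalld/services/ and applies it permanently; the service name 'myapp', its description and its ports are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Generates a custom firewalld
# service file in the same XML shape as http.xml, drops it into the override
# directory /etc/firewalld/services/, and applies it permanently.
# "myapp", its description and its ports are constructed placeholders.

# write_service DIR NAME SHORT DESCRIPTION PORT[/PROTO]...
# Writes DIR/NAME.xml (firewalld requires the file name to match the service
# name) and prints the path written. Values are not XML-escaped, so keep
# SHORT and DESCRIPTION free of <, > and &.
write_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            port=${spec%/*}              # "8443" or a range such as "9000-9010"
            proto=${spec#*/}
            [ "$proto" = "$spec" ] && proto=tcp   # no "/proto" given: default to tcp
            printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
        done
        printf '</service>\n'
    } > "$file"
    printf '%s\n' "$file"
}

# count_ports FILE: number of <port .../> entries in a service file.
count_ports() { grep -c '<port ' "$1"; }

# apply_service NAME: firewalld only reads new service files on reload, so
# reload first, then add the service to the permanent configuration and
# reload again so the running configuration matches what was saved.
apply_service() {
    firewall-cmd --reload &&
    firewall-cmd --permanent --add-service="$1" &&
    firewall-cmd --reload &&
    firewall-cmd --list-services
}

# Run with --apply as root on a firewalld host; otherwise nothing is changed.
if [ "${1:-}" = "--apply" ]; then
    write_service /etc/firewalld/services myapp "My App" \
        "Constructed example service" 8443/tcp 9000-9010/udp
    apply_service myapp
fi
```

Run it with --apply only on a host where firewalld is active; without that flag it is safe to execute anywhere and can be pointed at a temporary directory to inspect the generated XML first.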
Services Or Manual Ports?
If you're wondering why you should use services when you can just specify the port directly: a service definition can also load kernel modules. For example, samba.xml loads the module nf_conntrack_netbios_ns for us when it's enabled, along with several different ports, which is a lot simpler than doing all of this ourselves and saves us from memorizing every port a service requires.
Still not a fan of firewalld? Don’t worry, you can always install ifconfig in CentOS 7 instead; however, note that this is considered deprecated.
We learned that the CentOS 7 firewall can be modified to open a specific port or, preferably, to allow a predefined service.
While these basic examples demonstrate opening a port to any source, this is usually not desirable. We can further filter based on source traffic with firewalld rich rules.