This tutorial will guide you through opening a port on the default firewall on CentOS 7, firewalld.
You’ll see that while we can manually open a specific port, it’s often easier and more beneficial to allow it based on predefined services.
Open specific port
Opening a port in firewalld is quite simple. In the following example we allow traffic from any source IP address to TCP port 100. We first modify the persistent configuration, then reload firewall-cmd to load this change into the running configuration.
[root@host ~]# firewall-cmd --permanent --add-port=100/tcp
success
[root@host ~]# firewall-cmd --reload
success
If the --permanent flag is not specified, this will only change the running configuration, but it will not be saved.
We can check the ports that are open in the current default zone with ‘--list-ports’.
[root@host ~]# firewall-cmd --list-ports
100/tcp
As expected, we see that TCP port 100 is open.
If we want to delete a port, we can use ‘--remove-port=’ instead.
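The output of ‘--list-ports’ is a plain space-separated list of port/protocol entries, and ranges opened with ‘--add-port=200-300/tcp’ appear as a single "200-300/tcp" entry rather than one line per port, so a naive grep for "250/tcp" would report a port as closed when it is in fact covered by a range. The following POSIX sh function, an added example that is not part of the original tutorial, parses that list correctly, handling single ports and inclusive ranges; SAMPLE_LIST is a constructed string mirroring what the tutorial's two --add-port commands would produce, and live_port_is_open is an assumed convenience wrapper that only works on a host running firewalld.

```shell
#!/bin/sh
# Check whether PORT/PROTO is covered by the output of `firewall-cmd --list-ports`,
# which prints entries such as "100/tcp 200-300/tcp" (single ports and ranges).

# port_is_open LIST PORT PROTO -> exit status 0 if covered, 1 otherwise
port_is_open() {
    list=$1
    port=$2
    proto=$3
    for entry in $list; do
        portspec=${entry%/*}        # "100" or "200-300"
        entry_proto=${entry#*/}     # "tcp" or "udp"
        [ "$entry_proto" = "$proto" ] || continue
        case $portspec in
            *-*)                    # range entry, bounds are inclusive
                lo=${portspec%-*}
                hi=${portspec#*-}
                if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                    return 0
                fi
                ;;
            *)                      # single port entry
                if [ "$port" -eq "$portspec" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Assumed wrapper: the same check against the live default zone.
# Requires firewalld on the host; not exercised by the offline demo below.
live_port_is_open() {
    port_is_open "$(firewall-cmd --list-ports)" "$1" "$2"
}

# Constructed sample: what --list-ports would print after
# --add-port=100/tcp and --add-port=200-300/tcp have been applied.
SAMPLE_LIST="100/tcp 200-300/tcp"

for case_spec in "100 tcp" "250 tcp" "100 udp" "301 tcp"; do
    set -- $case_spec
    if port_is_open "$SAMPLE_LIST" "$1" "$2"; then
        echo "$1/$2: open"
    else
        echo "$1/$2: closed"
    fi
done
```

The protocol comparison matters: 100/tcp being open says nothing about 100/udp, and an audit script that ignores the protocol suffix will overstate what the firewall permits.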
We can also open a range of ports in the same way.
[root@host ~]# firewall-cmd --permanent --add-port=200-300/tcp
success
Open predefined service
Instead of manually specifying a port number to allow through the firewall, we can make use of a number of predefined services, which can be easier. For example, instead of opening TCP port 80, we can use the ‘http’ service.
[root@host ~]# firewall-cmd --permanent --add-service=http
success
[root@host ~]# firewall-cmd --reload
success
Now, if we list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed by default.
[root@host ~]# firewall-cmd --list-services
dhcpv6-client http ssh
This is a predefined service and can be found as an XML file in the /usr/lib/firewalld/services/ directory. This is what the http service we just used looks like.
[root@host ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve web pages. If you plan to make the Web server publicly available, enable this option. This option is not required to view pages locally or develop Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
We can create custom services by copying one of these into the /etc/firewalld/services/ directory and then customizing it. Services in the /usr/lib/firewalld/services/ directory should NOT be modified; instead, copy the file to /etc/firewalld/services/, edit the copy, and run firewall-cmd --reload so that firewalld picks up the change.
Services or manual ports?
Why would we want to use services if we can simply specify the port? Kernel modules can be specified in a service: for example, samba.xml loads the “nf_conntrack_netbios_ns” module for us when enabled, along with four different ports, which is much easier than doing all of this ourselves, since we do not need to memorize all the ports a service needs.
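To tie the custom-service section and the module point together, here is an added POSIX sh example (not from the original tutorial) that writes a service file of the same shape as the http.xml shown above, with one <port .../> element per entry and an optional <module name="..."/> element of the kind samba.xml uses for nf_conntrack_netbios_ns. In real use the output directory would be /etc/firewalld/services/ followed by firewall-cmd --reload; the demo writes to a temporary directory instead, and the service name "myapp", its ports and its description are constructed placeholders.

```shell
#!/bin/sh
# Generate a custom firewalld service file (same layout as
# /usr/lib/firewalld/services/http.xml). Real deployments write the file to
# /etc/firewalld/services/ and then run `firewall-cmd --reload`; this demo
# writes to whatever directory is passed in, a temp dir below.

# Escape the three characters that would break XML text or attribute values,
# so an untrusted description cannot inject extra elements into the file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# make_service NAME SHORT DESCRIPTION OUTDIR PORTS [MODULE]
#   PORTS  : space-separated "port/proto" entries; ranges allowed ("9000-9010/tcp")
#   MODULE : optional kernel helper module, e.g. nf_conntrack_netbios_ns
# Prints the path of the file written.
make_service() {
    name=$1
    short=$2
    desc=$3
    outdir=$4
    ports=$5
    module=${6:-}
    out="$outdir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for p in $ports; do
            # "8443/tcp" -> protocol="tcp" port="8443"
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        if [ -n "$module" ]; then
            printf '  <module name="%s"/>\n' "$(xml_escape "$module")"
        fi
        printf '</service>\n'
    } > "$out"
    printf '%s\n' "$out"
}

# Number of <port .../> entries in a service file, a quick sanity check
# before reloading the firewall.
service_port_count() {
    grep -c '<port ' "$1"
}

# Demo with a constructed, hypothetical service named "myapp".
demo_dir=$(mktemp -d)
demo_file=$(make_service myapp "My App" "Internal app & API (constructed example)" \
    "$demo_dir" "8443/tcp 9000-9010/tcp" nf_conntrack_netbios_ns)
cat "$demo_file"
```

Keeping the service definition in one reviewed file, rather than a series of ad-hoc --add-port calls, makes it obvious during review exactly which ports and helper modules a given application is granted.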
Still not a fan of firewalld? Don’t worry, you can always install ifconfig on CentOS 7 instead; however, keep in mind that this is considered obsolete.
We have seen that the firewall in CentOS 7 can be modified to open a specific port, or, preferably, to open it to a service.
While these basic examples demonstrate opening a port to any source, this is generally not desirable. We can further filter based on the source of the traffic with firewalld rich rules.