One of the most common things I do on Linux machines is open ports to test software in a development environment. In the past, that meant trying to remember (and Googling) cryptic iptables commands. Now, CentOS 7 and Red Hat 7 include the nicer firewall-cmd tool to configure the firewall.
First, ensure the firewalld service (the daemon that firewall-cmd talks to) is running:

[root@localhost ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2015-04-09 18:08:33 EDT; 2 months 3 days ago
 Main PID: 642 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─642 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Apr 09 18:08:33 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
[root@localhost ~]#
Now, the following command will open port 8080 for TCP traffic, for the current session only:
[root@localhost ~]# firewall-cmd --zone=public --add-port=8080/tcp
success
If you want the change to persist across reboots, add the --permanent flag. That only writes the rule to the saved configuration, so follow it with --reload to make the change take effect in the current session:

[root@localhost ~]# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
Now port 8080 should be open. To verify, run firewall-cmd with --list-all and look at the ports line:

[root@localhost ~]# firewall-cmd --zone=public --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
If you want to remove port 8080, use the --remove-port flag, again with --permanent (and a --reload) if you want the change to persist:

[root@localhost ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
You can use --list-all again to verify that the port has been removed:

[root@localhost ~]# firewall-cmd --zone=public --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
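Because --permanent rules stay open until someone removes them, it helps to script the verify step rather than eyeballing --list-all. The following is an added example, not code from the original post: it parses the --list-all output format shown above, reports ports that are open but not on an allowlist, and prints the add/reload sequence only when a port is not already open. The capture in SAMPLE_LIST_ALL is constructed; on a real host you would pass "$(firewall-cmd --zone=public --list-all)" instead.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers that parse
# `firewall-cmd --zone=public --list-all` output so a script can check
# what is open and flag ports outside an allowlist.

# Constructed capture, following the output format shown in the post,
# with two ports open in the public zone.
SAMPLE_LIST_ALL='public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp 3000/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# open_ports LIST_ALL_OUTPUT -> prints the entries on the "ports:" line
open_ports() {
    printf '%s\n' "$1" | awk '/^[[:space:]]*ports:/ { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# port_is_open LIST_ALL_OUTPUT PORT/PROTO -> exit 0 if that exact entry is listed
port_is_open() {
    for p in $(open_ports "$1"); do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# unexpected_ports LIST_ALL_OUTPUT ALLOWED... -> prints open ports not in ALLOWED
unexpected_ports() {
    _out=$1; shift
    for p in $(open_ports "$_out"); do
        _ok=0
        for a in "$@"; do [ "$p" = "$a" ] && _ok=1; done
        [ "$_ok" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# ensure_port_commands LIST_ALL_OUTPUT PORT/PROTO -> prints the commands still
# needed (nothing if already open), mirroring the --permanent + --reload sequence
ensure_port_commands() {
    port_is_open "$1" "$2" && return 0
    printf 'firewall-cmd --zone=public --add-port=%s --permanent\n' "$2"
    printf 'firewall-cmd --reload\n'
}
```

Running unexpected_ports against real output with only the ports you intend to keep is a quick way to catch test ports that were opened with --permanent and forgotten.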
This is a very quick introduction to firewall-cmd. There is much more to learn, but this is a quick, basic task that I find myself doing frequently.