How To Open A Port In CentOS 7 With Firewalld

This tutorial will walk you through opening a port in the default firewall in CentOS 7, firewalld.

You will see that while we can manually open a specific port, it is often easier, and a better practice, to allow traffic based on a predefined service instead.

Open Specific Port

Opening a port in firewalld is fairly straightforward. In the example below we allow traffic in from any source IP address to TCP port 100. First we modify the persistent configuration, then we reload firewalld with firewall-cmd so the change is loaded into the running configuration.

[root@centos7 ~]# firewall-cmd --permanent --add-port=100/tcp
success
[root@centos7 ~]# firewall-cmd --reload
success

If the --permanent flag is not specified, the change applies only to the running configuration and is not saved, so it will be lost the next time firewalld is reloaded or restarted.

We can check the ports that are opened in the current default zone with ‘--list-ports’.

[root@centos7 ~]# firewall-cmd --list-ports
100/tcp

As expected we see that TCP port 100 is open.

Should we wish to remove a port, we can use ‘--remove-port=’ instead.

We can also open a range of ports in the same way.

[root@centos7 ~]# firewall-cmd --permanent --add-port=200-300/tcp
success

Open Predefined Service

Rather than manually specifying a port number to allow through the firewall, we can make use of one of the many predefined services, which is usually easier. For example, instead of opening TCP port 80, we can use the ‘http’ service.

[root@centos7 ~]# firewall-cmd --permanent --add-service=http
success
[root@centos7 ~]# firewall-cmd --reload
success

Now if we list the services that are accepted through the firewall, we will see http listed along with ssh and dhcpv6-client, which are allowed through by default.

[root@centos7 ~]# firewall-cmd --list-services
dhcpv6-client http ssh

This is a predefined service and can be found as an XML file in the /usr/lib/firewalld/services/ directory. Here’s what the http service we just used looks like.

[root@centos7 ~]# cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

We can create custom services by copying one of these into the /etc/firewalld/services/ directory and then customizing the copy. The services in the /usr/lib/firewalld/services/ directory should NOT be modified directly; instead, copy the file into /etc/firewalld/services/, make the changes there, and then reload firewalld with firewall-cmd --reload to pick up the changes.

Services Or Manual Ports?

Why would we want to use services if we can just specify the port? A service can also specify kernel modules. For example, samba.xml loads the module “nf_conntrack_netbios_ns” for us when it is enabled, along with four different ports. This is a lot easier than doing all of this ourselves, as we do not need to memorize every port a service requires.
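As an added example (not code from the tutorial), the Python below parses service definitions in the XML format shown above and maps the output of `firewall-cmd --list-ports` back to the predefined services that would cover those ports, including any kernel module the service would load, so manual --add-port entries can be replaced by --add-service. The two service definitions are constructed inline (modelled on http.xml and samba.xml) so the script runs without firewalld installed.

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions in the firewalld service XML format (the real files live in /usr/lib/firewalld/services/).
SERVICE_XML = {
    "http": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <port protocol="tcp" port="80"/>
</service>""",
    "samba": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>""",
}


def parse_service(xml_text):
    """Return (ports, modules) from one service definition; ports is a set of
    "port/protocol" strings in the same form `firewall-cmd --list-ports` prints,
    and a range such as 200-300 stays as written."""
    root = ET.fromstring(xml_text)
    ports = {f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")}
    modules = [m.get("name") for m in root.findall("module")]
    return ports, modules


def suggest_services(list_ports_output, services=SERVICE_XML):
    """Group the ports from `firewall-cmd --list-ports` by the predefined service
    that covers them. A service is suggested only when every port it defines is
    already open, so a partially opened service is never silently widened; ports
    matched by no service are returned under the key None."""
    open_ports = set(list_ports_output.split())
    result = {}
    for name, xml_text in services.items():
        ports, modules = parse_service(xml_text)
        if ports and ports <= open_ports:
            result[name] = {"ports": sorted(ports), "modules": modules}
            open_ports -= ports
    result[None] = sorted(open_ports)
    return result
```

On a real host, feed it the output of `firewall-cmd --list-ports` and load the dictionary from the XML files under /usr/lib/firewalld/services/ instead of the constructed samples.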

Still not a fan of firewalld? Don’t worry, you can always install ifconfig in CentOS 7 instead, however note that this is considered deprecated.


Summary

We have seen that the firewall in CentOS 7 can be modified to open a specific port or, preferably, to allow a predefined service.

While these basic examples demonstrate opening a port to any source, this is usually not desirable. We can further filter based on source traffic with firewalld rich rules.


15 Comments.

  1. Very useful. Tks

  2. Great article. Thank you!

  3. Helped a lot! Thanks.

  4. To add a http service worked for me this one:

    firewall-cmd --permanent --zone=public --add-service=http

    Thanks for the post

  5. helped a lot!!!thx!

  6. How to open firewall ports and create a permanent service like this.

    [root@centos7 ~]# firewall-cmd --permanent --add-service=http
    success
    [root@centos7 ~]# firewall-cmd --reload
    success

  7. Very useful. Thank you very much for sharing

  8. I have successfully opened the port but am unable to check it with telnet.

    any idea ??

    • Something between them is blocking the connection, perhaps some other firewall on the network, assuming the port is opened correctly. You could temporarily stop the software firewall service to confirm.

    • I’m having a similar issue. I have Graylog installed on a CentOS 7 server. I opened tcp/514 (to test with telnet) and udp/514 (for syslog traffic). I am unable to telnet to this IP using 514. Both hosts are on the same subnet so there are no other firewalls affecting this traffic. I disabled my Windows AV and firewall.
      [root@Graylog ~]# firewall-cmd --list-ports
      9000/tcp 514/udp 514/tcp
      This is very odd behavior.

  9. Hello,

    Can you please let me know how can I open port 25 (SMTP) using this method?

    I tried but looks like it’s not working.

    Thanks

  10. If you disable the firewall:
    systemctl stop firewalld
    run nmap on a windows machine to your server, it will show you the ports & services that are open. Use this to compare with /etc/services then add the udp & tcp ports accordingly.

    Discovered open port 445/tcp on 192.168.1.1 (https)
    Discovered open port 139/tcp on 192.168.1.1 (Samba)
    Discovered open port 111/tcp on 192.168.1.1 (Samba)
    Discovered open port 22/tcp on 192.168.1.1 (SSH)

    To add ssh, http, https and samba access:
    firewall-cmd --permanent --add-port=ssh/tcp
    firewall-cmd --permanent --add-port=http/tcp
    firewall-cmd --permanent --add-port=https/tcp
    firewall-cmd --permanent --add-port=netbios-ssn/tcp
    firewall-cmd --permanent --add-port=netbios-ssn/udp
    firewall-cmd --permanent --add-port=netbios-ns/udp
    firewall-cmd --permanent --add-port=netbios-ns/tcp
    firewall-cmd --permanent --add-port=netbios-dgm/udp
    firewall-cmd --permanent --add-port=netbios-dgm/tcp
    firewall-cmd --permanent --add-port=sunrpc/tcp
    firewall-cmd --permanent --add-port=sunrpc/udp
    firewall-cmd --permanent --add-port=microsoft-ds/udp
    firewall-cmd --permanent --add-port=microsoft-ds/tcp
    firewall-cmd --reload
