# systemctl start firewalld.service
# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2020-10-20 09:42:03 BST; 52s ago
Docs: man:firewalld(1)
Main PID: 30228 (firewalld)
Tasks: 2
CGroup: /system.slice/firewalld.service
└─30228 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
# firewall-cmd --list-ports
5666/tcp
//open a port by number (written to the permanent config; takes effect only after --reload). Open only what the service needs, and prefer restricting who can reach it (--add-source or a rich rule with a source address) instead of exposing the port to every host in the zone
# firewall-cmd --permanent --add-port=5565/tcp
success
//equivalent form with the zone given explicitly
# firewall-cmd --permanent --zone=public --add-port=5565/tcp
success
//both commands are equivalent: when --zone is omitted, firewall-cmd acts on the default zone, which on this host is public (see --get-default-zone and the zone listing below). Give --zone explicitly when the host has interfaces in more than one zone, so a rule is not silently added to the wrong one
# firewall-cmd --permanent --add-port=5565/udp
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
5666/tcp 5565/tcp 5565/udp
//to remove the port again. Note these two forms have no --permanent, so they change only the running configuration; the change is lost at the next --reload or service restart
#firewall-cmd --remove-port=5565/udp
or
#firewall-cmd --zone=public --remove-port=5565/udp
# firewall-cmd --list-ports
5666/tcp 5565/tcp
//if the port reappears after a --reload, that is because the removal above was runtime-only and the reload restored the permanent config. Either repeat the removal with --permanent and then --reload, or run --runtime-to-permanent BEFORE reloading. Be aware that --runtime-to-permanent saves the whole runtime state, including any temporary rules you did not mean to keep, and that it has nothing to save once --reload has already discarded the runtime changes
#firewall-cmd --runtime-to-permanent
#firewall-cmd --reload
//open a port by service name (see the --add-service example at the end of this page; that example is runtime-only, so add --permanent and --reload to keep it across restarts)
--------------------------------------------
Below are the main things to check first on the server. Also note the status output at the top shows the unit as "disabled": firewalld is running now but will not start on boot, so run `systemctl enable --now firewalld.service`, otherwise the host comes up with no firewall after a reboot.
# firewall-cmd --get-default-zone
public
//shows the default zone: the zone used for any interface not explicitly bound to one, and the zone firewall-cmd acts on when --zone is omitted
# firewall-cmd --get-active-zones
public
interfaces: ens192
//shows the zones that have interfaces or sources bound to them; here only public, holding ens192
//you can also bind an interface to a different zone, or create a custom zone
# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcpv6-client ssh
ports: 5666/tcp 5565/tcp 5565/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
//to view a single zone
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcpv6-client ssh
ports: 5666/tcp 5565/tcp 5565/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
//the command below changes the default zone. Avoid it on a remote host unless you have reviewed the target zone's rules first: every interface not explicitly bound to a zone moves with the default, and the drop and block zones listed above allow no ssh, so switching to one of them cuts your session
#firewall-cmd --set-default-zone=home(your desired zone name)
//the default-zone setting lives in /etc/firewalld/firewalld.conf; the per-zone services and ports live in /etc/firewalld/zones/*.xml (shown below)
//you can view the interface status with NetworkManager
# nmcli device status
DEVICE TYPE STATE CONNECTION
ens192 ethernet connected ens192
ens224 ethernet disconnected --
lo loopback unmanaged --
//to bring a disconnected interface up, or to disconnect an active one. Do not disconnect the interface your own session arrives on (ens192 is the only connected interface above); on a remote host that locks you out
#nmcli con up id ens192
#nmcli dev disconnect ens192
//binds an interface to a particular zone (permanent; needs --reload to apply). Replace eth0 with the real interface name from nmcli (ens192/ens224 above), and review the target zone first: internal on this host allows ssh, mdns, samba-client and dhcpv6-client, so the interface gains those services. For a NetworkManager-managed interface the binding may also need to be set on the connection profile; confirm with --get-active-zones after the reload
# firewall-cmd --permanent --zone=internal --change-interface=eth0
success
///etc/firewalld holds the configuration, including the per-zone port configuration
firewalld]# ls
firewalld.conf helpers icmptypes ipsets lockdown-whitelist.xml services zones
//zones is a directory holding the locally modified zones in .xml format; the .old file is the previous version kept when the zone was rewritten. Only zones that have been changed appear here; the unmodified ones come from the package defaults (typically /usr/lib/firewalld/zones, verify on your distribution)
# ls zones/
public.xml public.xml.old
firewalld]# cat zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<port protocol="tcp" port="5666"/>
<port protocol="tcp" port="5565"/>
<port protocol="udp" port="5565"/>
</zone>
-----------------------------
# firewall-cmd --add-service=ssh --zone=public
Warning: ALREADY_ENABLED: 'ssh' already in 'public'
success
-------------------------------------------------------------------------------------------------------