Open a Linux Firewall port with firewall-cmd




In Fedora/CentOS/RedHat, the firewall is on by default. This is a good secure-by-default practice. If you do not know that the firewall is on though, you may be wondering why you cannot connect to a web service that is listening on your machine and works fine locally, but external connections cannot be made.

This example will demonstrate how to open inbound ports and also check what ports, service, and zones are available on your machine.

Show current rules

Some rules may have been added as ports or as services.

firewall-cmd --list-all
firewall-cmd --list-ports
firewall-cmd --list-services

List zones

Before adding a rules you need to know which zone you are adding it to. You can list all the zones with the following command.

firewall-cmd --list-all-zones

In most common cases, you want to use the public zone or FedoraServer to allow or block traffic to the machine from other IPs.

Add a service/port

Note the difference between --add-service and --add-port. Services can be defined in /etc/services.

firewall-cmd --add-port=8009/tcp --permanent
firewall-cmd --reload

Without the --permanent flag, it will not persist after reboot.

You may want to specify the zone. Usually omitting it and leaving it to the default is what you want.

firewall-cmd --add-port=8009/tcp --permanent --zone=public

Remove a service/port

To remove a port, follow a similar process but call --remove-port or --remove-service. Be sure to reload also.

firewall-cmd --remove-port=8009/tcp --permanent
firewall-cmd --reload


After reading this, you should understand how to open inbound ports on firewalld in Linux using firewall-cmd.