firewall-offline-cmd is an offline command-line client of the firewalld daemon. It should be used only if the firewalld service is not running. A port can be added or removed via firewall-offline-cmd in case firewalld is not active.
firewall-offline-cmd Command Examples
1. For adding a port:
# firewall-offline-cmd --port=XXXX:tcp
2. For removing a port:
# firewall-offline-cmd --remove-port=XXXX/tcp
3. If no zone is specified, the port is added to the default zone. To add a port to a specific zone:
# firewall-offline-cmd --zone=[zone-name] --add-port=XXXX/tcp
4. To remove a port from a specific zone:
# firewall-offline-cmd --zone=[zone-name] --remove-port=XXXX/tcp
Since the port is written to the [zone-name].xml file, it remains added even after the firewalld service is enabled or reloaded.
5. To list all the ports under a particular zone:
# firewall-offline-cmd --zone=[zone-name] --list-all
6. To list all the ports under all the zones:
# firewall-offline-cmd --list-all-zones
Refer to the man page for more information on firewall-offline-cmd.
$ man firewall-offline-cmd
Before running any of the above commands, make sure the firewalld service is offline. Changes to the firewalld configuration with firewall-offline-cmd should only be made while the firewalld service is offline.
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
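The precondition above can be enforced in a script instead of checked by eye. The following is an added example, not part of the original page or of firewalld itself: a wrapper that refuses to touch the on-disk configuration while firewalld is active, validates the port argument, and confirms the result with --query-port. The function name offline_port, its return codes, and the SYSTEMCTL and FW_OFFLINE override variables are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page).
# SYSTEMCTL and FW_OFFLINE are hypothetical override hooks so the guard can be tested with stubs.
SYSTEMCTL="${SYSTEMCTL:-systemctl}"
FW_OFFLINE="${FW_OFFLINE:-firewall-offline-cmd}"

# offline_port <add|remove> <zone> <port/proto>
# Return codes (chosen for this example): 0 ok, 2 bad arguments,
# 3 firewalld is running, 4 change not reflected in the zone.
offline_port() {
    action="$1"; zone="$2"; port="$3"

    case "$action" in
        add|remove) ;;
        *) echo "action must be add or remove" >&2; return 2 ;;
    esac

    # Shape check only: NNNN/proto or NNNN-NNNN/proto. Anything else is rejected
    # before it reaches the tool.
    if ! printf '%s\n' "$port" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp|sctp|dccp)$'; then
        echo "port must look like 8080/tcp or 5000-5010/udp" >&2; return 2
    fi
    [ -n "$zone" ] || { echo "zone is required" >&2; return 2; }

    # firewall-offline-cmd edits the on-disk configuration; refuse while the daemon is active.
    if "$SYSTEMCTL" is-active --quiet firewalld; then
        echo "firewalld is running; stop the service or use firewall-cmd instead" >&2
        return 3
    fi

    "$FW_OFFLINE" --zone="$zone" "--${action}-port=${port}" || return $?

    # Confirm the zone now reflects the change (--query-port exits 0 when the port is present).
    if "$FW_OFFLINE" --zone="$zone" --query-port="$port" >/dev/null 2>&1; then
        present=yes
    else
        present=no
    fi
    case "$action:$present" in
        add:yes|remove:no) return 0 ;;
        *) echo "zone $zone does not reflect the $action of $port" >&2; return 4 ;;
    esac
}
```

Source the file as root and call, for example, offline_port add public 8080/tcp.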