The Geek Diary

How to Add or Remove Ports when firewalld is Disabled

by

There may be a case when you need to add or remove ports when firewalld is disabled. In such cases “firewall-offline-cmd” can be used as it is an offline command-line client of the firewalld daemon. A port can be added or removed via firewall-offline-cmd in case firewalld is not active.

Note: Please make sure to use the command firewall-offline-cmd to add or remove ports only when firewalld is disabled.

Verify firewalld sattus

Before we proceed, make sure the firewalld status is offline (dead). 

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)

The status of firewalld is inactive(dead) as per above output.

Adding Port to default zone

1. The syntax to add a port with firewall-offline-cmd is:

# firewall-offline-cmd --port=[port]:tcp

2. Now lets try adding a port 9988:

#  firewall-offline-cmd --add-port=9988:tcp
Adding port '9988/tcp' to default zone.
success

By default when you do not provide the zone name, the “default” zone is used for adding the port.

3. To verify the port addition:

# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 9988/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Adding Port to a Specific Zone

1. The syntax to add a port in a specific zone is:

# firewall-offline-cmd --zone=[zone-name] --add-port=[port]:tcp

2. For example add 9988 port to the zone “myzone” :

# firewall-offline-cmd --zone=myzone --add-port=9988/tcp
success

Here the port 9988/tcp is added to the “myzone” zone.

3. To verify the port addition:

# firewall-offline-cmd --zone=myzone --list-all
myzone
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 9988/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Removing the Port

1. To remove a port from the default zone:

# firewall-offline-cmd --remove-port=[port]/tcp

2. To remove it from a specific zone:

# firewall-offline-cmd --zone= --remove-port=[port]/tcp

3. To verify the port removal, use the below commands:

For default zone:

# firewall-offline-cmd --list-all

For a specific zone (myzone):

# firewall-offline-cmd --zone=myzone --list-all

To know more about firewall-offline-cmd command, refer to its man page:

$ man firewall-offline-cmd

You May Also Like