There may be a case when you need to add or remove ports when firewalld is disabled. In such cases “firewall-offline-cmd” can be used as it is an offline command-line client of the firewalld daemon. A port can be added or removed via firewall-offline-cmd in case firewalld is not active.
Verify firewalld status
Before we proceed, make sure the firewalld status is offline (dead).
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
The status of firewalld is inactive (dead) as per the above output.
Adding Port to default zone
1. The syntax to add a port with firewall-offline-cmd is (port and protocol are separated by a slash):
# firewall-offline-cmd --add-port=[port]/tcp
2. Now let's try adding port 9988:
# firewall-offline-cmd --add-port=9988/tcp
Adding port '9988/tcp' to default zone.
success
By default when you do not provide the zone name, the “default” zone is used for adding the port.
3. To verify the port addition:
# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 9988/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Adding Port to a Specific Zone
1. The syntax to add a port in a specific zone is:
# firewall-offline-cmd --zone=[zone-name] --add-port=[port]/tcp
2. For example, to add port 9988 to the zone “myzone”:
# firewall-offline-cmd --zone=myzone --add-port=9988/tcp
success
Here the port 9988/tcp is added to the “myzone” zone.
3. To verify the port addition:
# firewall-offline-cmd --zone=myzone --list-all
myzone
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 9988/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Removing the Port
1. To remove a port from the default zone:
# firewall-offline-cmd --remove-port=[port]/tcp
2. To remove it from a specific zone:
# firewall-offline-cmd --zone=[zone-name] --remove-port=[port]/tcp
3. To verify the port removal, use the following commands:
For default zone:
# firewall-offline-cmd --list-all
For a specific zone (myzone):
# firewall-offline-cmd --zone=myzone --list-all
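The verification step above is easy to get wrong by eye, since --list-all prints both a "ports:" and a "source-ports:" line. The following shell script is an added example (it is not part of the original page and not shipped with firewalld): zone_has_port parses a --list-all listing and reports whether a given port/protocol is present, and offline_port wraps the add/remove procedure from the sections above, refusing to run while firewalld is active (firewall-offline-cmd edits the on-disk configuration, which the page uses only with the daemon stopped). The zone name "myzone" and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original page or the firewalld project.
# Helpers around firewall-offline-cmd for the add / verify / remove flow.

# zone_has_port LISTING PORT/PROTO
# LISTING is the text of `firewall-offline-cmd [--zone=Z] --list-all`.
# Returns 0 if PORT/PROTO appears on the "ports:" line, 1 otherwise.
# The regex is anchored at the start of the line so "source-ports:" is ignored.
zone_has_port() {
    listing=$1
    wanted=$2
    ports=$(printf '%s\n' "$listing" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p')
    for p in $ports; do
        [ "$p" = "$wanted" ] && return 0
    done
    return 1
}

# offline_port add|remove ZONE PORT/PROTO
# Applies the change with firewall-offline-cmd and re-reads the zone to
# confirm it took effect. Exits with status 2 if firewalld is running,
# because the offline client only touches the stored configuration and the
# running daemon would keep its current rule set.
offline_port() {
    action=$1
    zone=$2
    port=$3
    if systemctl is-active --quiet firewalld; then
        echo "firewalld is active; stop it first or use firewall-cmd --permanent" >&2
        return 2
    fi
    firewall-offline-cmd --zone="$zone" --"${action}-port=$port" || return 1
    listing=$(firewall-offline-cmd --zone="$zone" --list-all)
    case $action in
        add)    zone_has_port "$listing" "$port" ;;
        remove) ! zone_has_port "$listing" "$port" ;;
        *)      echo "unknown action: $action" >&2; return 1 ;;
    esac
}

# Constructed sample listing, mirroring the --list-all output shown on the
# page after port 9988/tcp was added to the default zone.
SAMPLE_LISTING='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 9988/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Usage on a host with firewalld stopped (hypothetical zone name "myzone"):
#   offline_port add myzone 9988/tcp && echo "added and verified"
#   offline_port remove myzone 9988/tcp && echo "removed and verified"
```

zone_has_port can also be used on saved --list-all output to audit which zones expose a port before the daemon is started again, since every port left in the stored configuration becomes live as soon as firewalld comes back up.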
To know more about firewall-offline-cmd command, refer to its man page:
$ man firewall-offline-cmd