Access to certain ports is blocked or dropped by firewalld unless the port is added to a firewall zone. This post outlines the steps to add sources, services, and ports to firewall zones on CentOS/RHEL 7 and 8 systems.
Adding Service to Firewall Zone
Adding a service to a zone is the simplest way to configure the firewall.
– To allow access to a new service, use the “--add-service” option.
– Include the “--permanent” option to make the rule persistent across reboots.
For example, to add the cockpit, dhcpv6-client, http, https, vnc-server and ssh services to the internal zone, you would use the following command:
# firewall-cmd --add-service cockpit --zone=internal --permanent
# firewall-cmd --add-service dhcpv6-client --zone=internal --permanent
# firewall-cmd --add-service http --zone=internal --permanent
# firewall-cmd --add-service https --zone=internal --permanent
# firewall-cmd --add-service vnc-server --zone=internal --permanent
# firewall-cmd --add-service ssh --zone=internal --permanent
Manage incoming traffic to a zone based on the traffic source
To allow incoming traffic from a specific sending node, bind its source address to the zone with the following command:
# firewall-cmd --add-source=10.1.2.3 --zone=internal --permanent
Manage Network Traffic
– Network traffic through the zone’s services uses the ports of those services.
– Ports must be opened before they will accept traffic. You can open additional ports for network access by specifying the port number and the associated protocol.
– Use the “--add-port” option to allow access to specific ports. Ports must be specified using the format port-number/port-type.
– Port types can be tcp, udp, sctp, or dccp.
– Ensure that the type and the network traffic match.
– For example, to add ports 1522, 7001, 5901, 443, and 80 over tcp and port 53 over udp, you would use the following command:
# firewall-cmd --zone=internal --add-port=1522/tcp --add-port=7001/tcp --add-port=5901/tcp --add-port=443/tcp --add-port=80/tcp --add-port=53/udp --permanent
Reload the Configuration
After all of the changes have been made, reload the configuration so that the current permanent configuration will become the new runtime configuration.
# firewall-cmd --reload
List Zone Configuration
To list everything added for or enabled in the “internal” zone, use the following command:
# firewall-cmd --list-all --zone=internal
internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 10.1.2.3
  services: cockpit dhcpv6-client http https ssh vnc-server
  ports: 1522/tcp 7001/tcp 5901/tcp 443/tcp 80/tcp 53/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
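As an added example (not part of the original post and not firewalld's own tooling), the POSIX sh functions below check port specs against the port-number/port-type form described above, assemble the --add-port command as a dry run without touching the firewall, and verify that a captured --list-all listing contains the ports, services and sources you intended to open. The function names and the sample listing are my own constructions, so the script runs on a host without firewalld.

```shell
# validate_port_spec SPEC -> 0 if SPEC is "1-65535/{tcp,udp,sctp,dccp}"
validate_port_spec() {
    spec=$1
    case "$spec" in */*/*|*/|/*) return 1 ;; esac
    port=${spec%/*}
    proto=${spec#*/}
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case "$proto" in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

# build_port_cmd ZONE SPEC... -> prints the permanent --add-port command
# line, or prints nothing and returns 1 if any SPEC is malformed.
build_port_cmd() {
    zone=$1; shift
    cmd="firewall-cmd --zone=$zone"
    for s in "$@"; do
        validate_port_spec "$s" || return 1
        cmd="$cmd --add-port=$s"
    done
    printf '%s --permanent\n' "$cmd"
}

# missing_items LISTING FIELD ITEM... -> prints every ITEM absent from the
# "FIELD:" line of a `firewall-cmd --list-all` listing; returns 1 if any.
missing_items() {
    listing=$1; field=$2; shift 2
    line=$(printf '%s\n' "$listing" | sed -n "s/^[[:space:]]*$field:[[:space:]]*//p")
    rc=0
    for item in "$@"; do
        case " $line " in
            *" $item "*) ;;
            *) printf '%s\n' "$item"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed listing that mirrors the post's internal zone (not live output).
SAMPLE_LISTING='internal
  target: default
  sources: 10.1.2.3
  services: cockpit dhcpv6-client http https ssh vnc-server
  ports: 1522/tcp 7001/tcp 5901/tcp 443/tcp 80/tcp 53/udp'

# Dry run: show the command, then confirm the listing contains what we meant.
build_port_cmd internal 1522/tcp 7001/tcp 5901/tcp 443/tcp 80/tcp 53/udp
missing_items "$SAMPLE_LISTING" ports 1522/tcp 443/tcp 53/udp && echo "ports ok"
missing_items "$SAMPLE_LISTING" services ssh http && echo "services ok"
```

On a real host, feed `missing_items` the output of `firewall-cmd --list-all --zone=internal` after the reload so the check runs against the runtime configuration rather than the permanent one.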