Open a Port on CentOS/RHEL

karma

Along with numerous other changes, CentOS 7/RHEL 7 introduces firewalld:

Firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings, ethernet bridges and IP sets. There is a separation of runtime and permanent configuration options. It also provides an interface for services or applications to add firewall rules directly.

God knows learning iptables wasn't hard enough, here comes a big fat new layer to wrangle with the ostensible purpose of making things simpler while inherently adding a whole bunch of complexity and obscure inner workings. What could be more Red Hat? If your first inclination is to disable it and revert to pure iptables, power to you:
# systemctl stop firewalld
# systemctl disable firewalld
# systemctl mask --now firewalld
# yum install iptables-services
# systemctl start iptables
# systemctl start ip6tables
# systemctl enable iptables
# systemctl enable ip6tables
You are now free to use the conventional iptables configuration, i.e. issuing raw iptables commands and then saving them to /etc/sysconfig/iptables, from which they are restored on boot:
# iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables
# service iptables restart

However, if you choose to embrace the new paradigm, it's simple enough to work with if you're willing to carve out some new space in your memory.

Open a port:
# firewall-cmd --permanent --add-port=80/tcp

Open a port range:
# firewall-cmd --permanent --add-port=80-81/tcp

After you have made the configuration change it is necessary to update the state of the firewall: --permanent only writes the saved configuration, so the running firewall is unchanged until you reload it:
# firewall-cmd --reload
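As an added example (not from the original post), here is a small POSIX sh wrapper for the two steps above that refuses malformed port specs before anything reaches firewall-cmd, then does the permanent add followed by the reload. FIREWALL_CMD is a hypothetical override variable so the logic can be exercised with a stand-in binary on a machine without firewalld.

```shell
#!/bin/sh
# Added example, not from the post: validate "PORT/PROTO" or "LOW-HIGH/PROTO"
# before handing it to firewall-cmd, then open it permanently and reload.
# FIREWALL_CMD is a hypothetical override (defaults to the real binary).

: "${FIREWALL_CMD:=firewall-cmd}"

# Return 0 if SPEC is PORT/PROTO or LOW-HIGH/PROTO with ports in 1..65535,
# LOW <= HIGH and PROTO either tcp or udp; return 1 otherwise.
valid_port_spec() {
    spec=$1
    case $spec in
        */tcp|*/udp) ;;
        *) return 1 ;;
    esac
    ports=${spec%/*}        # strip "/proto"
    low=${ports%-*}         # "80" for "80", "80" for "80-81"
    high=${ports#*-}        # "80" for "80", "81" for "80-81"
    for p in "$low" "$high"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# Print the firewall-cmd invocations that open SPEC, one per line:
# the permanent rule first, then the reload that makes it live.
open_port_commands() {
    valid_port_spec "$1" || return 1
    printf '%s --permanent --add-port=%s\n%s --reload\n' \
        "$FIREWALL_CMD" "$1" "$FIREWALL_CMD"
}

# Actually apply SPEC; refuses to touch the firewall on a bad spec.
open_port() {
    valid_port_spec "$1" || { echo "invalid port spec: $1" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --add-port="$1" && "$FIREWALL_CMD" --reload
}
```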

An interesting part of this new system for someone who is otherwise resentful may be the ability to open a service by name:
# firewall-cmd --permanent --add-service=http
In some cases this will execute additional operations, for example automatically loading relevant netfilter modules. Or, more interestingly, executing user-defined instructions...
