How to open a port in firewalld

Doug G · #1 11th April 2012, 06:18 AM

Well, I just installed f17 rc3 on a kvm machine, install went well. I am connecting via SSH (no gui) and for the life of me I can't figure how to open a port in firewalld using firewall-cmd

I tried : firewall-cmd --add --zone=public --port=5911:tcp but get back the helpful message "need more than 1 value to unpack"

I know firewalld is active, if I use systemctl stop firewalld.service I can connect fine to the port in question.

Is there any decent documentation anywhere on firewall-cmd? The man page is, shall we say, content-challenged.

***DBelton*** · #2 11th April 2012, 06:27 AM

try

firewall-cmd --enable --port=5911:tcp

Doug G · #3 11th April 2012, 06:40 AM

After some more fiddling, this syntax seemed to work:

Code:

firewall-cmd --zone=public --add --port=5911/tcp

But this doesn't persist between reboots, I had to re-issue the above to re-open the port after a reboot of the vm. How does one permenantly open a port?

Oh, thanks DBelton, I didn't see your answer until I submitted this

raviprak · #4 13th May 2012, 06:54 PM

For me --enable didn't work.
$ firewall-cmd --enable --port=24800:tcp
Wrong action and mode combination
$ firewall-cmd --enable --port=24800/tcp
Wrong action and mode combination

But add did
$ sudo firewall-cmd --add --port=24800/tcp

Raphos · #5 19th May 2012, 10:39 PM

Hi,

Quote:

Originally Posted by raviprak

For me --enable didn't work.
$ firewall-cmd --enable --port=24800:tcp
Wrong action and mode combination
$ firewall-cmd --enable --port=24800/tcp
Wrong action and mode combination

But add did
$ sudo firewall-cmd --add --port=24800/tcp

Same results with $ firewall-cmd --enable --port=24800:tcp and $ firewall-cmd --enable --port=24800/tcp.

firewall-cmd --add --port=24800/tcp is working and the port is open but this doesn't persist after reboot too..

-- EDIT --

firewall-cmd --zone=public --add --port=5911/tcp doesn't persist after reboot too.

I did this but I don't know if it's clean : I edit the /usr/lib/firewalld/zones/public.xml file and change it like this

Quote:

<?xml version="1.0" encoding="utf-8"?>
<zone name="public">
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port port="port nb" protocol="tcp"/>
<port port="port nb" protocol="udp"/>
</zone>

The port still be open after reboot.

So, if someone have a much cleaner way to do it would be nice.

**AdamW** · #6 21st May 2012, 10:06 PM

it's never clean to edit any file in /usr , as a general rule. I'm afraid I don't know the 'right' way to do it, sorry :/ but any kind of user editable config file will be in /etc, not /usr.

dd_wizard · #7 21st May 2012, 10:51 PM

I'd say you want to copy the appropriate file in /usr/lib/firewalld/zones to /etc/firewalld/zones and edit the copy:

Code:

# ll /etc/firewalld/zones
total 0

# ll /usr/lib/firewalld/zones
total 36
-rw-r-----. 1 root root 269 Apr 20 12:33 block.xml
-rw-r-----. 1 root root 304 Apr 20 12:33 dmz.xml
-rw-r-----. 1 root root 238 Apr 20 12:33 drop.xml
-rw-r-----. 1 root root 335 Apr 20 12:33 external.xml
-rw-r-----. 1 root root 412 Apr 20 12:33 home.xml
-rw-r-----. 1 root root 431 Apr 20 12:33 internal.xml
-rw-r-----. 1 root root 329 Apr 20 12:33 public.xml
-rw-r-----. 1 root root 194 Apr 20 12:33 trusted.xml
-rw-r-----. 1 root root 354 Apr 20 12:33 work.xml

dd_wizard

**AdamW** · #8 22nd May 2012, 06:29 AM

that sounds pretty likely; it's a common design these days.

errorxp · #9 22nd May 2012, 08:57 AM

Or, instead of bashing your head against the wall you could uninstall firewalld and install iptables and system-config-firewall (gui tool). That's what I did anyway. Won't be touching firewalld until the gui tool is done.

dd_wizard · #10 22nd May 2012, 07:09 PM

Quote:

Originally Posted by AdamW

that sounds pretty likely; it's a common design these days.

Just out of curiousity, is that level of firewalld administration documented anywhere?

dd_wizard

**AdamW** · #11 22nd May 2012, 08:03 PM

I have no idea. I voted for comment #9. =)

***DBelton*** · #12 22nd May 2012, 08:17 PM

While I agree that iptables is getting a bit long in the tooth and needs a complete overhaul, I won't be putting firewalld on my main box here for quite awhile yet.

I have been testing it out on my other boxes, but until I am certain that it is secure and works properly, it won't go on my main box.

Sorry, but to me, security trumps ease of use in a package like a firewall.

But I do like where firewalld is heading. It looks like it will be a pretty good package once finished (unless they let the gnome developers around it

)

dd_wizard · #13 22nd May 2012, 08:18 PM

@AdmW:

dd_wizard