How to allow/ban port through firewall on AlmaLinux


Installation and Enabling FirewallD

To begin with, ensure that FirewallD is installed on your system. You can install it using the dnf package manager:

sudo dnf install firewalld
 
Once installed, enable and start the FirewallD service so that it is active now and starts automatically at every boot:
sudo systemctl enable firewalld
sudo systemctl start firewalld

How to allow a port through firewall on AlmaLinux

Follow the step-by-step instructions below to allow ports or services through firewalld on AlmaLinux. You will also see how to check which ports firewalld has open.

    1. When opening firewall ports on AlmaLinux (as on RHEL 8 / CentOS 8), it is important to know that a port can be opened in two main ways. Firstly, it can be opened as part of a pre-configured service. In this example we open the port for HTTP in the public zone.
      # firewall-cmd --zone=public --add-service=http --permanent

      Adding the HTTP service to firewalld is equivalent to opening port 80.

    2. Secondly, ports can be opened directly as custom, user-defined ports. In this example we open port 8080.
      # firewall-cmd --zone=public --add-port 8080/tcp --permanent

      Since 8080 has no associated service definition, we must specify the port number and protocol rather than a service name.

    3. To check which service ports are open, execute the following command.
      # firewall-cmd --zone=public --list-services
      cockpit dhcpv6-client http https ssh

      The services listed above (cockpit, DHCPv6 client, HTTP, HTTPS, and SSH) have their respective ports open.

    4. To check which port numbers are open, use this command.
      # firewall-cmd --zone=public --list-ports
      20/tcp 8080/tcp

      The ports listed above, 20 and 8080, are open to incoming traffic.

    5. After you have allowed your ports and services through the firewall, reload firewalld for the changes to take effect. On reload, rules added with the --permanent option become part of the runtime configuration; runtime-only rules (added without --permanent) are discarded.
      # firewall-cmd --reload

    6. You can also see a list of all open services and ports for the default zone with the --list-all option.
      # firewall-cmd --list-all
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: ens160
        sources:
        services: cockpit dhcpv6-client http ssh
        ports: 443/tcp
        protocols:
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:

    7. Note that firewalld works with zones. Depending on which zone your network interface(s) belong to, you may need to add your allowed port to that particular zone. The first step above shows how to add a rule to the “public” zone. To see the rules for that zone specifically, continue using the --zone= syntax.
      # firewall-cmd --list-all --zone=public
      public (active)
        target: default
        icmp-block-inversion: no
        interfaces: ens160
        sources:
        services: cockpit dhcpv6-client http ssh
        ports: 443/tcp
        protocols:
        masquerade: no
        forward-ports:
        source-ports:
        icmp-blocks:
        rich rules:

    8. In case you need to close one of the previously configured open ports, use the following command syntax (and reload afterwards, as in step 5). In this example, we close the port for HTTPS.
      # firewall-cmd --zone=public --permanent --remove-service=https
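Listing a zone is only half of a check; what a practitioner usually wants is to compare the zone against the set of services and ports that should be open and flag anything else. The script below is an added example, not part of this article or of firewalld: it parses the text that firewall-cmd --list-all prints (the sample is constructed from the output shown above) and reports every service or port that is open but not on the allowlist, and every allowlisted entry that is missing. The function names are my own.

```shell
#!/bin/sh
# Audit a firewalld zone dump against an expected allowlist (added example).
# Input is the text printed by `firewall-cmd --list-all --zone=<zone>`; the
# sample below is constructed from the output shown in this article.

SAMPLE_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field DUMP NAME -> prints the value of the "NAME:" line (may be empty)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# in_list ITEM LIST -> 0 if ITEM is one of the whitespace-separated words in LIST
in_list() {
    item=$1
    for w in $2; do
        [ "$w" = "$item" ] && return 0
    done
    return 1
}

# zone_drift DUMP EXPECTED_SERVICES EXPECTED_PORTS
# Prints one line per difference between the dump and the allowlist;
# returns 0 when the zone matches exactly, 1 when any difference was found.
zone_drift() {
    dump=$1; want_svcs=$2; want_ports=$3; rc=0
    have_svcs=$(zone_field "$dump" services)
    have_ports=$(zone_field "$dump" ports)
    for s in $have_svcs; do
        in_list "$s" "$want_svcs" || { echo "unexpected service: $s"; rc=1; }
    done
    for s in $want_svcs; do
        in_list "$s" "$have_svcs" || { echo "missing service: $s"; rc=1; }
    done
    for p in $have_ports; do
        in_list "$p" "$want_ports" || { echo "unexpected port: $p"; rc=1; }
    done
    for p in $want_ports; do
        in_list "$p" "$have_ports" || { echo "missing port: $p"; rc=1; }
    done
    return $rc
}

# Stand-alone run: compare the constructed sample with a web-server allowlist
# (ssh, http, https and nothing else). cockpit, dhcpv6-client and 443/tcp are
# reported as unexpected, https as missing.
if zone_drift "$SAMPLE_ZONE" "ssh http https" ""; then
    echo "zone matches allowlist"
else
    echo "zone deviates from allowlist (see lines above)"
fi
```

On a real host replace SAMPLE_ZONE with `$(firewall-cmd --list-all --zone=public)` and run the audit from cron or a configuration-check job; a non-zero exit status means someone opened or removed something outside the documented baseline.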
    

That’s all there is to it. To learn more about firewalld and the firewall-cmd Linux command, check out our dedicated guide on introduction to firewalld and firewall-cmd.

Common Port Examples

Use the commands below as an easy reference guide to allow some of the most common services through the firewall on AlmaLinux.

  1. Allow HTTP through firewall.
    # firewall-cmd --zone=public --add-service=http --permanent
    
  2. Allow HTTPS through firewall.
    # firewall-cmd --zone=public --add-service=https --permanent
    
  3. Allow MySQL through firewall.
    # firewall-cmd --zone=public --add-service=mysql --permanent
    
  4. Allow SSH through firewall.
    # firewall-cmd --zone=public --add-service=ssh --permanent
    
  5. Allow DNS through firewall.
    # firewall-cmd --zone=public --add-service=dns --permanent
    
  6. Allow PostgreSQL through firewall.
    # firewall-cmd --zone=public --add-service=postgresql --permanent
    
  7. Allow telnet through firewall. Note that telnet transmits credentials unencrypted; SSH is the usual replacement.
    # firewall-cmd --zone=public --add-service=telnet --permanent



Steps to block or close ports/services in AlmaLinux or Rocky Linux 8

Step 1: To block an already opened service or port, we use the same command that we used above to open it, with remove in place of add. If you are unsure which services and ports are currently open, list them again:

    sudo firewall-cmd --list-all

Step 2: Now let's say you want to close port number 443 or block the ssh service in the firewall. The syntax is the same as for opening them, but with the --remove-* option instead of --add-*.

Syntax to remove a service:

    firewall-cmd --zone=public --permanent --remove-service=<service-name>

For example, to block the ssh service (do this from a console session, since it drops remote SSH access):

    firewall-cmd --zone=public --permanent --remove-service=ssh

Syntax to block a port number:

    firewall-cmd --zone=public --permanent --remove-port=<port>/<protocol>

Example: block port 443

    sudo firewall-cmd --zone=public --permanent --remove-port=443/tcp

Reload the firewall:

    sudo firewall-cmd --reload
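The remove syntax takes either a service name or a port/protocol pair, and a bare port number such as 443 is rejected by firewall-cmd. The script below is an added example, not part of this article or of firewalld: it validates the argument before building the two commands (permanent change, then reload) and only prints them unless APPLY=1 is set, so the change can be reviewed on any host first. The function names and the APPLY variable are my own.

```shell
#!/bin/sh
# Validate and apply an add/remove change to a firewalld zone (added example).
# By default the firewall-cmd invocations are only printed; set APPLY=1 to run them.

# port_spec_ok SPEC -> 0 if SPEC is "<1-65535>/<tcp|udp|sctp|dccp>"
port_spec_ok() {
    case $1 in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    port=${1%/*}
    case $port in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# fw_change ACTION KIND VALUE [ZONE]
#   ACTION: add|remove   KIND: port|service   ZONE defaults to public
# Prints the permanent change followed by the reload; returns 2 on bad input.
fw_change() {
    action=$1; kind=$2; value=$3; zone=${4:-public}
    case $action in
        add|remove) ;;
        *) echo "bad action: $action (want add or remove)" >&2; return 2 ;;
    esac
    case $kind in
        port)
            port_spec_ok "$value" || { echo "bad port spec: $value (want e.g. 443/tcp)" >&2; return 2; } ;;
        service)
            case $value in
                ''|*[!A-Za-z0-9_-]*) echo "bad service name: $value" >&2; return 2 ;;
            esac ;;
        *) echo "bad kind: $kind (want port or service)" >&2; return 2 ;;
    esac
    cmd="firewall-cmd --zone=$zone --permanent --${action}-${kind}=$value"
    printf '%s\n' "$cmd" "firewall-cmd --reload"
    if [ "${APPLY:-0}" = 1 ]; then
        $cmd && firewall-cmd --reload
    fi
}

# Stand-alone run: show what closing 443/tcp in the public zone would execute.
fw_change remove port 443/tcp
```

If you need the change to take effect immediately without discarding any runtime-only rules, run the same firewall-cmd line a second time without --permanent instead of reloading; the reload replaces the whole runtime configuration with the permanent one.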


Block private network scanning (reject all traffic whose source address lies in a private or CGNAT range; with no --zone given, the rules go into the default zone):

    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" reject'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="172.16.0.0/12" reject'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" reject'
    firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="100.64.0.0/10" reject'

Reload the firewall:

    sudo firewall-cmd --reload
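Rejecting whole private ranges locks out anyone who administers the host from such a range, for example over a VPN or a provider-internal network, and the reload makes that permanent. The script below is an added example, not part of this article or of firewalld: it checks whether the administrator's own address falls inside any of the four ranges above, emits the rich-rule command only for the ranges that do not contain it, and reports the skipped ones for review. It assumes well-formed IPv4 dotted quads, takes the administrator address from the SSH_CLIENT variable that sshd sets, and falls back to a constructed documentation-range address when that variable is absent; the function names are my own.

```shell
#!/bin/sh
# Generate the private-range reject rules while guarding against locking
# yourself out (added example). Uses only POSIX shell integer arithmetic.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
# (runs in a subshell so the IFS change does not leak)
ip4_to_int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_contains NET/PREFIX ADDR -> 0 if ADDR lies inside NET/PREFIX,
# 1 if not, 2 if the prefix length is not a number in 0..32
cidr_contains() {
    net=${1%/*}; bits=${1#*/}
    [ "$bits" -ge 0 ] 2>/dev/null && [ "$bits" -le 32 ] || return 2
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$net") & mask )) -eq $(( $(ip4_to_int "$2") & mask )) ]
}

# The ranges rejected in this article (RFC 1918 plus the CGNAT range).
PRIVATE_RANGES="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10"

# private_reject_rules ADMIN_ADDR -> prints one firewall-cmd line per range
# that does NOT contain ADMIN_ADDR and a comment for each range that does;
# returns 1 if any range was skipped so the caller can stop and review.
private_reject_rules() {
    admin=$1; rc=0
    for r in $PRIVATE_RANGES; do
        if cidr_contains "$r" "$admin"; then
            printf '%s\n' "# skipped $r: it contains the admin address $admin"
            rc=1
        else
            printf '%s\n' "firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$r\" reject'"
        fi
    done
    return $rc
}

# Stand-alone run: SSH_CLIENT is "client-ip client-port server-port" when run
# over ssh; otherwise use a constructed TEST-NET-3 address as the admin address.
admin_addr=${SSH_CLIENT%% *}
[ -n "$admin_addr" ] || admin_addr=203.0.113.10
private_reject_rules "$admin_addr" || echo "# one or more ranges skipped: review before applying" >&2
```

Pipe the printed lines into a shell only after reading them, then run `firewall-cmd --reload`. The check covers only the administrator's own address; any other legitimate private-source traffic (monitoring, backups, a VPC-internal load balancer) would still be rejected by these rules and needs its own exception.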
