How to open a TCP port using firewall-config?

In the previous version of Ask Fedora, I asked how I could open a TCP port using firewall-config, that forum is now gone and I forgot how to do it.

Can someone provide all the steps again? Thanks in advance!

Hello delacosta78,

If you want to open up a TCP port, first open the terminal. Now that it’s open, say for example you wanted to open port 8080; just as an example, you would type in firewall-cmd --zone=dmz --add-port=8080/tcp
To get a list of active ports that are open, just type in firewall-cmd --zone=dmz --list-ports

I believe you have to do this with sudo privileges.
I hope this helps.

1 Like

Hi @donaldsmouse! Welcome to the ask.fedora community! Please do take a few minutes to go over the introductory posts in #start-here when you have the time. They contain lots of useful information.

@delacosta78, to expand a bit on @donaldsmouse’s answer, here’s a useful link to Fedora quickdocs on the matter.

In addition to info on opening the port it also contains other useful tips and info about firewalld.

GUI firewalld manager

One other tip for better understanding firewalld is using GUI application. It can be installed with

sudo dnf install firewall-config

but I think it’s installed by default. Start typing ‘firewall’ in gnome’s launcher to find it.

It’s very useful to see in GUI which services firewalld knows about by default, which ports are associated with these services, which connections belong to which zones and such. It also allows changing configuration too (and opening ports).

Firewalld services

Also keep in mind that the easiest way to manage open/closed ports in firewalld is with the use of services. By default it knows quite a few (with default ports associated with the services).

So if you want to temporarily allow access to a webserver, for example, on your machine, you can use the following command:

sudo firewall-cmd --add-service http

This way it’s easy to understand, what you have opened access to, not just some random numbers.
The difference between temporary vs. permanent configuration changes is in the quickdoc I’ve linked to.

Adding your own services

I also want to share my way of managing FirewallD ports/services. While the direct way @donaldsmouse provided is totally ok to open a couple of ports, especially for short-term use, I don’t like it very much as a permanent solution. When you have quite a number of them, it could be difficult to remember which port you need for what exactly. Or when you need to open the port only sometimes.

So I use a method a bit more involved, but easier to manage in the long-term. I add my own service definitions to firewalld.

It’s easy to do. Service definitions are small xml files easy to read and change with any text editor.

Let’s say for example I want to allow sshd access to my machine, but to change the port from default 22 to something harder to guess.

I usually copy some of default service.xml file as a template for my own, and rename it to something unique.

sudo cp -v /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml

Then I change anything I want in a new file – protocol and port to the one I need, description to remember what it’s for or why I do it this way, etc.

For firewalld to see new files/services or changes to the existing files we need

sudo firewall-cmd --complete-reload

and then we can allow our new service (i.e. open a new port):

sudo firewall-cmd --add-service=my-ssh --zone=my-zone
sudo firewall-cmd --runtime-to-permanent

It’s then easy to manage (open/close) ports I need by service name, not port numbers. Also one service can have a number of ports associated with it, and I don’t have to remember the numbers.

And if I need to transfer my custom service definitions to another computer, I just copy the files I need.

5 Likes

Hi @delacosta78,
the old ask forum is not completely gone. So if you want to search something there and don’t have the time to wait for an answer here, you can go to https://askbot.fedoraproject.org and locate the Q/A there. Since the search function on the old askbot isn’t really good, you can also use a meta search.

I just realised there was a quick-doc about this:

https://docs.fedoraproject.org/en-US/quick-docs/firewalld/

Would you perhaps review it and improve it? We could link to it directly in the future.

1 Like

Yep, I’ve given a link to it in my reply.

I can try I think, but I’ll need an editor :slight_smile: I tend to go into too much detail. Time is also a bit of a problem to me. Giving a few tips here (even with too much detail) is one thing, writing clear documentation is another level entirely :slight_smile:

1 Like

Sure, the quick doc already looks quite complete. If you could verify the info there, we can remove the “unreviewed” warning that it has on the top of the page. Lots of folks on the docs team there to help/review, so no need to worry about that bit :slight_smile:

2 Likes

Hello and thank you for your reply, however I don’t want to open a demilitarized zone, I didn’t need to do that before, just to open the port I needed.

Hello @florian, thank you for your suggestion, I found the one I created there and I’m going to paste the instructions here, that’s what I was looking for!:

A bit more details would be helpful (used Fedora version, your networking setup). Assuming you’re on a recent version, i.e. having firewalld and firewall-config, and that it’s the firewall on your machine that’s the culprit (rather than some other router), try this:

  1. Open firewall-config (that’s “Firewall” in the desktop menus I believe).
  2. Type in the requested password (your own or that of the root user, depending on if your user is configured as an administrator or not).
  3. Select Permanent from the Configuration drop-down.
  4. Go to the Services tab, select the transmission-client service.
  5. Click on Add, add 65432 as the port, leave tcp as the protocol and click OK.
  6. Here it may again ask for the password.
  7. In Zones → Services enable the transmission-client service for your network zone (the default zone is shown in the lower right of the window).
  8. Options → Reload Firewalld to make the changes effective.
2 Likes

What I didn’t specify however is that I needed to open a port for Transmission, so I clarify that.

@delacosta78,

with the CLI commands, opening the default port for the Transmission client would be:

sudo firewall-cmd --add-service=transmission-client
sudo firewall-cmd --runtime-to-permanent

Also please note that with default Fedora configuration (with firewalld zone called “FedoraWorkstation” used) – all ports higher than 1026 are open. Meaning that transmission ports are open too by default.

2 Likes

Hello and thank you for your contribution.

Do you mean I don’t have to follow the steps I posted earlier?

Well, this part:

– means exactly that – you don’t have to follow the steps you’ve posted. IF you haven’t changed default firewalld configuration. :slight_smile:

One more note: open ports for transmission are needed so that other clients from the Internet can connect to your client – so that they can receive parts of the downloads that you already have and they don’t.

But such connections (incoming connections) could also be blocked by your Internet provider and/or your home router. So open ports on your computer don’t guarantee that other clients can connect to yours.

And transmission will work even if nobody is able to connect to you, it’ll just be a bit slower to start new downloads, as all the connections would have to be made by your client, not by other clients in the network.

And this part:

– does the same as the steps you’ve posted, but in cli, not in GUI program.

With one exception: author adds port 65432 to be open in addition to default transmission one (which is 51413), but I couldn’t find any reference to transmission using this port, and he doesn’t explain why he does it.

1 Like

I see…

I know…

Yes, I know…

Right…

Ohhh!, cool!..

That’s just a random port I’ve been using for a long time, it worked when I was on Windows, it should work on Fedora as well, right?

@delacosta78, sorry to bother you with unnecessary details then )

It totally would work, I do use transmission with a non-standard port as well.

1 Like

You don’t need to apologize, you had to clarify the concepts.

If I want to open a port for another application, such as Emby, should I replace the word transmission, like this?:

sudo firewall-cmd --add-service=emby
sudo firewall-cmd --runtime-to-permanent

No, you can use only those names/services firewalld knows about. The list is quite large (about 150 services by default), but Emby isn’t among them.

You can get the list of all services firewalld knows about with

sudo firewall-cmd --get-services

The list you get is not very easy to read though :slight_smile:

It may be more convenient to page through all the services in GUI (with firewall-config we’ve talked about already in this thread).

As I’ve written in my first reply, new services are very easy to add to this list – using GUI, by adding/editing xml files or using cli commands.

@nightromantic, then I have to repeat the steps in post # 9, right?:

@delacosta78, as you want to add new service, not to change one that was already there, you’ll need to change several steps from post #9 accordingly:

  • Here we’ll add a new service by pressing plus button under the service names list.

  • Fill in new service name, for example my-emby. I like to prefix service names I add with “my-” so that I can easily find them in the future. Click ok to close the window.

  • Now select newly created service name in the Services tab.

  • Click on Add , add port numbers and protocol (tcp/udp) required. One service can have several different ports open, and also can have port ranges open, i.e. 8080-8090.

Something like this :slight_smile:
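As an added example (not code from anyone in this thread), here is the same custom-service approach done from the shell: a script that writes a firewalld service definition of the kind @nightromantic creates by copying ssh.xml, and that could equally stand in for the “press plus, name it my-emby, add ports” GUI steps above. The generator takes the output directory as a parameter so it can be tried without root in a scratch directory; a real definition goes to /etc/firewalld/services, and the service name is the file name without .xml. The names my-ssh, the port 2222 and the description are made up for the demo. Unlike the post, the apply step uses firewall-cmd --reload, which also picks up new service files but keeps established connections; --complete-reload resets state and will drop them.

```shell
#!/bin/sh
# Added example: build a firewalld service definition file and enable it.

# Escape the three characters that would break the XML description.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# write_firewalld_service DIR NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO...]
# Writes DIR/NAME.xml in the layout of /usr/lib/firewalld/services/*.xml.
# PORT may be a single port (2222) or a range (8080-8090); PROTO is tcp/udp/sctp/dccp.
# Prints the path of the file it wrote.
write_firewalld_service() {
    dir=$1 name=$2 short=$3 desc=$4
    shift 4
    [ "$#" -gt 0 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    # Validate every PORT/PROTO before touching the file system.
    for spec in "$@"; do
        port=${spec%/*}
        proto=${spec#*/}
        case "$proto" in
            tcp|udp|sctp|dccp) ;;
            *) echo "bad protocol in '$spec'" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9-]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
    done
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out"
    echo "$out"
}

# count_service_ports FILE: number of <port .../> entries in a definition.
count_service_ports() {
    grep -c '<port ' "$1"
}

# apply_firewalld_service NAME [ZONE]: make firewalld see a file written to
# /etc/firewalld/services and open it in ZONE (default zone if omitted).
# Needs root and a running firewalld; not exercised by the demo below.
apply_firewalld_service() {
    name=$1
    zone=${2:-$(firewall-cmd --get-default-zone)}
    firewall-cmd --reload                                  # picks up new service files, keeps connections
    firewall-cmd --zone="$zone" --add-service="$name"     # runtime change
    firewall-cmd --runtime-to-permanent                   # persist it
}

# Demo (constructed): sshd moved to a non-default port, written to a scratch
# directory instead of /etc/firewalld/services.
demo_dir=${DEMO_DIR:-$(mktemp -d)}
write_firewalld_service "$demo_dir" my-ssh "My SSH" "sshd on a non-default port (added example)" 2222/tcp
cat "$demo_dir/my-ssh.xml"
```

Once the file is in /etc/firewalld/services, sudo apply_firewalld_service my-ssh FedoraWorkstation is the CLI equivalent of the reload/add-service/runtime-to-permanent sequence in the thread, and firewall-cmd --info-service=my-ssh shows what the definition opened.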