add rule to firewalld in Centos7 to allow all traffic from a server
Solution 1
I tried to add source using this:
sudo firewall-cmd --permanent --zone=work --add-source=[host_IP]
But I still couldn't make the MPI application run correctly. Then I decided that the only way to enable MPI on this cluster was to make a rule to accept all traffic between the nodes. I ran these two commands:
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s [server+IP] -j ACCEPT
firewall-cmd --reload
and it worked like a charm. Not sure if this is the best solution security-wise though.
Solution 2
Firstly check which zone your firewall is using ATM:
firewall-cmd --get-active-zones
Then try the following:
firewall-cmd --zone=public --add-port=80/tcp --permanent
Don't forget to replace the zone and the port with the one you are looking for. After that you need to reload the firewall:
firewall-cmd --reload
This should solve your issue. For further commands use the --help or Google.
east.charm
Updated on June 26, 2022
Comments
-
east.charm about 2 years
I have a small cluster with Centos7. I'm trying how to use the new firewalld.
I need a rule to allow all traffic between those servers. I was able to do it with:
sudo iptables -A INPUT -s [hostname] -j ACCEPT
and it worked. But now I have to use firewall-cmd because of Centos 7. How can I add a rule to allow all traffic between my nodes? I'm trying to run MPI on them but the firewalld is rejecting the connection so the solution I thought of came to this.
My current firewall-cmd configuration is:
$ firewall-cmd --list-all
work (default, active)
  interfaces: eno1
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
-
east.charm almost 9 years: why is this downvoted?
-
east.charm almost 9 years: thanks, my problem with MPI was not solved by adding ports (usually ssh or 22). It was solved by adding the whole server IP to the sources as explained in my answer.
-
Bert almost 4 years: It is not a bad solution. What I'm using nowadays is something similar.
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" port port=10051 protocol=tcp source address="193.XX.XX.XXX" accept' --permanent
With this the connection on 10051 is allowed even if the interface is in the group drop. This way everything would be dropped, no one can come in UNLESS the source IP is the one I've specified AND the PORT. Easy :)
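Added example, not code from the question, either answer or Bert's comment, and not part of firewalld itself: a small POSIX shell script that generalizes the two approaches on this page. With only a source address it produces the whole-host grant that Solution 1 needed for MPI, expressed as a rich rule in the zone rather than a `--direct` INPUT rule (rich rules show up in `firewall-cmd --list-all`, direct rules only in `firewall-cmd --direct --get-all-rules`, which is easy to forget during an audit); with a port it produces the port-narrowed grant from Bert's comment. The address is validated before anything is handed to `firewall-cmd`, and a helper checks the runtime config afterwards. The `DRY_RUN` variable and the function names are this example's own conventions; the node addresses are constructed placeholders, not real hosts.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above.
# Composes firewalld rich rules that trust cluster nodes, validating the
# address before it is ever passed to firewall-cmd, and checks the result
# against `--list-rich-rules` output. Node addresses are constructed
# placeholders; nothing is applied unless DRY_RUN=0 (example convention).

# validate_ipv4 ADDR[/PREFIX]: return 0 for a dotted-quad IPv4 address with
# an optional prefix length 0-32, 1 for anything else.
validate_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ "$prefix" -le 32 ] || return 1
    fi
    IFS=. read -r a b c d <<EOF
$addr
EOF
    for octet in "$a" "$b" "$c" "$d"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# rich_rule SOURCE [PORT [PROTO]]: print the rich rule text. With no port the
# whole host is trusted (the MPI cluster case); with a port the grant is
# narrowed to one service, as in the 10051/tcp rule in the comments.
rich_rule() {
    src=$1; port=$2; proto=${3:-tcp}
    validate_ipv4 "$src" || return 1
    if [ -n "$port" ]; then
        case $port in *[!0-9]*) return 1 ;; esac
        printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' \
            "$src" "$port" "$proto"
    else
        printf 'rule family="ipv4" source address="%s" accept\n' "$src"
    fi
}

# apply_rule ZONE RULE: show the firewall-cmd invocations (permanent config
# plus reload so the runtime config matches); run them only when DRY_RUN=0.
apply_rule() {
    zone=$1; rule=$2
    echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'"
    echo "firewall-cmd --reload"
    if [ "${DRY_RUN:-1}" = 0 ]; then
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule" \
            && firewall-cmd --reload
    fi
}

# rule_present RULE: read `firewall-cmd --zone=ZONE --list-rich-rules` output
# on stdin and succeed only if RULE appears as an exact line.
rule_present() {
    grep -Fxq -- "$1"
}

# Demo with constructed addresses (placeholders, not real hosts).
main() {
    for node in 10.0.0.11 10.0.0.12 10.0.0.0/24 10.0.0.999; do
        if rule=$(rich_rule "$node"); then
            apply_rule work "$rule"
        else
            echo "skipping invalid address: $node" >&2
        fi
    done
    # Narrower alternative: trust one node for one port only.
    apply_rule public "$(rich_rule 10.0.0.11 10051 tcp)"
}
main
```

Run it as-is to see the commands it would issue, then with `DRY_RUN=0` on the node to apply them. After the reload, `firewall-cmd --zone=work --list-rich-rules | rule_present "$(rich_rule 10.0.0.11)"` confirms the runtime config really carries the rule, which is the check to make before concluding, as in the question, that the firewall is what blocks MPI.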