firewalld: if I change the ssh service port, is it enough to allow the new port number, or should I add a new service?
Solution 1
"I assume the port 22 is hardcoded in the ssh service definition for firewalld"
On my CentOS/Fedora systems the default service definitions are stored in XML files in /usr/lib/firewalld/services. The filename is the name of the service. These are overridden by the system config stored in /etc/firewalld/services.
To change the ssh port you could copy /usr/lib/firewalld/services/ssh.xml to /etc/firewalld/services/ssh.xml and modify it for your purpose.
You then need to reload the configuration:
firewall-cmd --reload
Now your system should be allowing ssh connections on your new port.
I would certainly use a service name over a port number as that makes it a bit clearer what's going on. Whether creating a new service or overriding an existing one is better I wouldn't like to say. It's not exactly hard to figure out what's going on.
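The procedure from Solution 1 as a script, added here as an example (not the answer author's code). The sample XML is constructed to match the shape of the stock ssh.xml, the paths are firewalld's defaults on CentOS/Fedora, and the "ports:" line of firewall-cmd --info-service output is assumed.

```shell
#!/bin/sh
# Added example: rewrite the port in a firewalld service definition and
# install it as the /etc override described in Solution 1.
set -eu

# Constructed stand-in for /usr/lib/firewalld/services/ssh.xml; the real
# file carries the same <port protocol="tcp" port="22"/> element.
SSH_XML_SAMPLE='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) remote login.</description>
  <port protocol="tcp" port="22"/>
</service>'

# rewrite_ssh_port NEWPORT: read a service XML on stdin, print it with the
# TCP port replaced. Rejects non-numeric or out-of-range values so a typo
# cannot produce a definition that firewalld refuses to load.
rewrite_ssh_port() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) echo "rewrite_ssh_port: not a port number: '$port'" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "rewrite_ssh_port: port out of range: $port" >&2; return 1
    }
    sed -E 's/(<port protocol="tcp" port=")[0-9]+/\1'"$port"'/'
}

# install_ssh_override NEWPORT: the full procedure, run as root on the host.
# The stock file under /usr/lib is never edited, so a package update cannot
# silently undo the change; the override is written atomically.
install_ssh_override() {
    port="$1"
    src=/usr/lib/firewalld/services/ssh.xml
    dst=/etc/firewalld/services/ssh.xml
    tmp=$(mktemp)
    rewrite_ssh_port "$port" < "$src" > "$tmp"
    install -m 0644 "$tmp" "$dst" && rm -f "$tmp"
    firewall-cmd --reload
    # Confirm the running service now lists the new port (output format assumed).
    firewall-cmd --info-service=ssh | grep -q "ports: ${port}/tcp" ||
        echo "warning: ssh service does not show ${port}/tcp after reload" >&2
    # With SELinux enforcing, sshd itself also needs the port labelled (the
    # point raised in Solution 2): semanage port -a -t ssh_port_t -p tcp "$port"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SSH_XML_SAMPLE" | rewrite_ssh_port 2222
```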
Solution 2
I had this problem with SSH after changing the port in CentOS 7. The issue is with SELinux - you need to add a context for the new port or, if you don't use SELinux, disable it. Also, you don't need to add a new service - just whitelisting the new port will do.
giorgio79
Updated on September 18, 2022
Comments
-
giorgio79 over 1 year
I changed the ssh port to an arbitrary number, and noticed firewalld no longer allowed ssh login. I assume the port 22 is hardcoded in the ssh service definition for firewalld. Is it enough if I allow the new port for TCP traffic, or should I define a new service for the custom ssh port?
-
user9517 over 8 years
This doesn't answer the question,
-
Mugurel over 8 years
I edited my answer :)