How do I completely block port using firewalld?
Solution 1
The way I solved it is I added a rich rule in the trusted zone:
rule family="ipv4" port port="6" protocol="tcp" drop
From what I know, rich rules are applied first. It seems to be working correctly in my case.
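The question's three requirements applied with the rich-rule approach from this answer, as an added example that is not the answerer's or the original post's code; the source addresses are constructed stand-ins for IP1, IP2 and IP3, and the FWCMD override for dry runs is an assumption of this script.

```shell
#!/bin/sh
# Added example, not from the original post: apply the question's three
# requirements with firewall-cmd. The port-6 drop rule goes into BOTH active
# zones as a rich rule, because rich rules are checked before a zone's ports
# and target, so it also overrides the trusted zone's target of ACCEPT.
set -eu

FWCMD="${FWCMD:-firewall-cmd}"   # set FWCMD=echo for a dry run (no root needed)

OPEN_PORTS="1 2 3 4"             # reachable from anywhere (public zone)
RESTRICTED_PORT=5                # only from the sources below (trusted zone)
BLOCKED_PORT=6                   # reachable from nowhere
# Constructed stand-ins for the question's IP1, IP2, IP3 (TEST-NET-1 range).
ALLOWED_SOURCES="192.0.2.10 192.0.2.11 192.0.2.12"

# Rich rule that drops TCP traffic to a port (the rule from Solution 1).
drop_rule() {
    printf 'rule family="ipv4" port port="%s" protocol="tcp" drop' "$1"
}

apply_rules() {
    for p in $OPEN_PORTS; do
        $FWCMD --permanent --zone=public --add-port="$p/tcp"
    done
    for s in $ALLOWED_SOURCES; do
        $FWCMD --permanent --zone=trusted --add-source="$s"
    done
    $FWCMD --permanent --zone=trusted --add-port="$RESTRICTED_PORT/tcp"
    for z in public trusted; do
        $FWCMD --permanent --zone="$z" --add-rich-rule="$(drop_rule "$BLOCKED_PORT")"
    done
    $FWCMD --reload
}

# Exit status 0 when the drop rule for port $2 is present in zone $1's runtime config.
is_blocked_in() {
    $FWCMD --zone="$1" --query-rich-rule="$(drop_rule "$2")" >/dev/null 2>&1
}

# Usage: sh block.sh apply               (changes the firewall, needs root)
#        FWCMD=echo sh block.sh apply    (prints the commands instead)
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Because the trusted zone's target is ACCEPT, the listed sources can reach every port on the host and not only port 5, so the rich rule is what keeps port 6 closed to them as well.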
Solution 2
Some generic commands are below:
firewall-cmd --list-ports
firewall-cmd --get-zones
firewall-cmd --zone=public --add-port=5000/tcp
# Updated the URL Aleksandar Pavić reported, thanks Aleksandar Pavić.
For some more docs and more details, please check this: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-controlling_traffic#sec-Controlling_Ports_using_CLI
Updated on September 18, 2022
Comments
- Radu Murzea almost 2 years
Disclaimer: It's the first time I use firewalld, be gentle :).
I have a CentOS machine and I want to implement the following requirements using firewalld:
- Allow connections from anywhere to ports 1, 2, 3, 4.
- Allow connections to port 5 only from IP addresses IP1, IP2 and IP3
- Completely block connections to port 6, from anywhere.
So I did this:
- added the ports 1, 2, 3 and 4 to the public zone
- added port 5 and IP addresses IP1, IP2 and IP3 to the trusted zone
Now the zones look like this:
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno12345
  sources:
  services: ssh dhcpv6-client
  ports: 1/tcp 2/tcp 3/tcp 4/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: IP1 IP2 IP3
  services:
  ports: 5/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Note: public is the default zone. So the first 2 rules seem to be applied correctly.
However I got stuck with the final rule (completely block port 6). I tried multiple solutions and none seem to work.
1). What should I do to apply this?
2). How come I can connect through port 6 even though it's not explicitly listed as allowed in the firewalld configuration? No rule about it is added in iptables either.
- Aleksandar Pavić over 2 years
Link is dead 404...