firewall-cmd - ports vs services - how are you using it?
I like the concept so far and it seems intuitive. One thing I am struggling with is probably more of a preference thing - and now I am curious how others look at this aspect.
Coming from IPtables - I feel more comfortable just dealing in terms of ports. However, I now see a lot of documentation indicating "--add-service". That seems rather productive. The part I am "missing" though: if I enable a service, shouldn't I now see the port in the --list-ports output?
Take the following example:
[root@testbox ~]# firewall-cmd --list-ports
22/tcp
[root@testbox ~]# firewall-cmd --permanent --add-service=http
success
[root@testbox ~]# firewall-cmd --reload
success
[root@testbox ~]# firewall-cmd --list-ports
22/tcp
[root@testbox ~]#
Which now has me wondering: should you use either "ports" or "services" (but not both) to manage the firewall, or should they be used together?
Responses
Great question,
I would also like to see the behaviour you're expecting (i.e. displaying port numbers and even associated services in the --list-ports output).
Something similar to:
[root@testbox ~]# firewall-cmd --list-ports
22/tcp
80/tcp.http
443/tcp.http
9001/tcp.myservice
--list-all will give you both services and ports, but it still doesn't give you insight into which ports are opened in each service if you're troubleshooting another admin's configuration (for example).
The approach I plan on taking (slow migration to RHEL7 here) is defining custom services in /etc/firewalld for all services and using these services exclusively, but I do have concerns about the visibility (to admins) of what each service enables.
Hopefully someone has an obvious/overlooked answer!
Keep in mind a Service can have a much wider definition than just a protocol and port number. It can also have a helper module and/or a destination IP, either IPv4 or IPv6. That's a lot of info to display!
I'll keep an eye on this thread. We can definitely raise an RFE to improve firewall-cmd's display if this ends up unsolved.
I should add a paragraph to explain this in any section of the Security Guide or System Administration Guide where the --list-ports and --list-services commands are first explained.
Another related point, some services can operate on a wide range of ports but it is not obvious which ports the --add-service command option will open. For example, the vnc-server service opens ports for displays :0 to :3, which may or may not be enough, but still needs to be made more transparent in some way.
There is an upstream bug relevant to this subject Bug 1184232 - Provide way to show details of pre-defined firewalld services
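As an added example, not part of this thread and not firewalld's own tooling: a small POSIX shell script that reads firewalld service definitions and expands each service to the port/protocol pairs it opens. It addresses the original question (which ports does --add-service actually open) and also shows the custom service file format the first reply plans to rely on. It assumes the layout of firewalld's shipped service XML (one <port protocol="..." port="..."/> element per opening, files under /usr/lib/firewalld/services with local overrides in /etc/firewalld/services). The service name "myservice" and all three XML files are constructed here and written into temporary directories, so the script runs offline and touches nothing on the host.

```shell
#!/bin/sh
# Added example: resolve firewalld service names to the port/protocol pairs
# they open by reading the service XML definitions, and show what a custom
# service file in the same format looks like.
# firewalld consults /etc/firewalld/services (local definitions) before
# /usr/lib/firewalld/services (shipped definitions). Both directories are
# replaced here by temp dirs filled with constructed sample files.
set -eu

SAMPLE_ROOT="$(mktemp -d)"
LOCAL_DIR="$SAMPLE_ROOT/etc/firewalld/services"
SYSTEM_DIR="$SAMPLE_ROOT/usr/lib/firewalld/services"
mkdir -p "$LOCAL_DIR" "$SYSTEM_DIR"

# Constructed stand-in for the shipped http service definition.
cat > "$SYSTEM_DIR/http.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
EOF

# Constructed stand-in for a service that opens a port range (displays :0-:3).
cat > "$SYSTEM_DIR/vnc-server.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <port protocol="tcp" port="5900-5903"/>
</service>
EOF

# A custom service with the hypothetical name "myservice", placed in the
# local directory the way an admin would under /etc/firewalld/services.
cat > "$LOCAL_DIR/myservice.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>myservice</short>
  <description>Custom application listener.</description>
  <port protocol="tcp" port="9001"/>
  <port protocol="udp" port="9001"/>
</service>
EOF

# service_file NAME -> path of the XML firewalld would load for NAME; a local
# definition shadows a shipped one. Non-zero exit if the service is unknown.
service_file() {
  for d in "$LOCAL_DIR" "$SYSTEM_DIR"; do
    if [ -f "$d/$1.xml" ]; then
      printf '%s\n' "$d/$1.xml"
      return 0
    fi
  done
  return 1
}

# service_ports NAME -> one "port/protocol" line per <port> element, in the
# same shape as --list-ports output (e.g. 80/tcp or 5900-5903/tcp).
service_ports() {
  f="$(service_file "$1")" || return 1
  sed -n 's/.*<port[^>]*protocol="\([^"]*\)"[^>]*port="\([^"]*\)".*/\2\/\1/p' "$f"
}

# expand_services NAME... -> "port/protocol (service)" for each service given,
# i.e. the per-service view of open ports the thread asks --list-ports for.
expand_services() {
  for s in "$@"; do
    if ports="$(service_ports "$s")"; then
      printf '%s\n' "$ports" | sed "s/\$/ ($s)/"
    else
      echo "unknown service: $s" >&2
    fi
  done
}

expand_services http vnc-server myservice
```

The shipped definitions can also carry <module> and <destination> elements, which the reply above points out; this script extracts only <port>, so a service whose effect depends on a connection-tracking helper or a destination address shows fewer than its real consequences. Later firewalld releases added firewall-cmd --info-service=NAME, which prints ports, modules and destinations for a named service and is the supported way to get this view on a real host.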
