firewall-cmd - ports vs services - how are you using it?

I like the concept so far and it seems intuitive. One thing I am struggling with is probably more of a preference thing - and now I am curious how others look at this aspect.

Coming from IPtables - I feel more comfortable just dealing in terms of ports. However, I now see a lot of documentation indicating "--add-service". That seems rather productive. The part I am "missing" though... if I enable a service, shouldn't I now see the port in the --list-ports output?

Take the following example:

[root@testbox ~]# firewall-cmd --list-ports 
22/tcp
[root@testbox ~]# firewall-cmd --permanent --add-service=http
success
[root@testbox ~]# firewall-cmd --reload
success
[root@testbox ~]# firewall-cmd --list-ports 
22/tcp
[root@testbox ~]# 

Which now has me wondering: should you use either "ports" or "services" (but not both) to manage the firewall, or should they be used together?

Responses

Great question,

I would also like to see the behaviour you're expecting (i.e. displaying port numbers and even associated services in the --list-ports output).

Something similar to:

[root@testbox ~]# firewall-cmd --list-ports 
22/tcp
80/tcp.http
443/tcp.http
9001/tcp.myservice

--list-all will give you both services and ports, but it still doesn't give you insight into which ports are opened in each service if you're troubleshooting another admin's configuration (for example).

The approach I plan on taking (slow migration to RHEL7 here) is defining custom services in /etc/firewalld for all services and using these services exclusively, but I do have concerns about the visibility (to admins) of what each service enables.

Hopefully someone has an obvious/overlooked answer!

Keep in mind a Service can have a much wider definition than just a protocol and port number. It can also have a helper module and/or a destination IP, either IPv4 or IPv6. That's a lot of info to display!

I'll keep an eye on this thread. We can definitely raise an RFE to improve firewall-cmd's display if this ends up unsolved.

Displaying src/dst/port wouldn't be too much... iptables is a good example of this.

It would also make it easy to determine the ports that belong to a specific service using grep etc.
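The expanded listing asked for above (port, owning service, plus the helper module and destination fields Jamie mentions) can be produced from the service definition files themselves. This is an added example, not part of the thread or of firewalld; it parses the XML format firewalld uses under /usr/lib/firewalld/services and /etc/firewalld/services, with constructed sample definitions embedded inline (the "myservice" entry is hypothetical).

```python
import xml.etree.ElementTree as ET

# Constructed sample definitions in firewalld's service-file format.
# On a real host, read the .xml files from /etc/firewalld/services
# (overrides) and /usr/lib/firewalld/services instead.
SAMPLE_SERVICES = {
    "http": '<service><short>WWW (HTTP)</short>'
            '<port protocol="tcp" port="80"/></service>',
    "ftp": '<service><short>FTP</short><port protocol="tcp" port="21"/>'
           '<module name="nf_conntrack_ftp"/></service>',
    "vnc-server": '<service><short>VNC</short>'
                  '<port protocol="tcp" port="5900-5903"/></service>',
    "myservice": '<service><short>My Service</short>'          # hypothetical
                 '<port protocol="tcp" port="9001"/>'
                 '<port protocol="udp" port="9001"/>'
                 '<destination ipv4="192.0.2.10"/></service>',
}


def expand_service(name, xml_text):
    """Return one (port/proto, service, extras) row per <port> in a definition.

    extras carries the non-port parts of the service (helper modules,
    destination addresses) so they are visible next to the port.
    """
    root = ET.fromstring(xml_text)
    extras = ["module=" + m.get("name") for m in root.findall("module")]
    for dst in root.findall("destination"):
        for fam in ("ipv4", "ipv6"):
            if dst.get(fam):
                extras.append(fam + "=" + dst.get(fam))
    return [(p.get("port") + "/" + p.get("protocol"), name, " ".join(extras))
            for p in root.findall("port")]


def list_ports(enabled_services, direct_ports=(), definitions=SAMPLE_SERVICES):
    """Merge explicitly added ports with the ports each enabled service opens."""
    rows = [(port, "-", "") for port in direct_ports]
    for svc in enabled_services:
        rows.extend(expand_service(svc, definitions[svc]))
    # Sort on the first port number so ranges such as 5900-5903 sort sanely.
    return sorted(rows, key=lambda r: (int(r[0].split("/")[0].split("-")[0]), r[0]))


if __name__ == "__main__":
    for port, svc, extras in list_ports(["http", "ftp", "vnc-server", "myservice"],
                                        direct_ports=["22/tcp"]):
        print(f"{port:<15} {svc:<12} {extras}")
```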

Thanks, Jamie.
Your explanation made me realize I need to broaden my definition of "service" to be more inclusive (which makes sense). I had literally equated "service" just to mean "process".

I'm still trying to wrap my head around the idea that I will no longer focus solely on ports, like in the past.

I should add a paragraph to explain this in any section of the Security Guide or System Administration Guide where the --list-ports and --list-services commands are first explained.

Another related point, some services can operate on a wide range of ports but it is not obvious which ports the --add-service command option will open. For example, the vnc-server service opens ports for displays :0 to :3, which may or may not be enough, but still needs to be made more transparent in some way.

Stephen,
I should have prefaced by explaining that I had not necessarily been diligent in my research ;-) Initially I was more curious whether firewall-cmd was intended to be used just for ports, or just for services... or whether you need to worry about both - for which I now have an answer ;-)

Now that I have a better understanding of how the functionality should be utilized, it will probably be easier for me to grasp the documentation.