how to block only a specific port (or ports) with firewalld firewall-cmd

Scenario:
Inside my firewall on my local network, I want firewalld to by default allow everything. It should basically be running, but essentially you shouldn't be able to tell it is running because it would not block anything when started up and running.

Now, let's say I want to block specific ports, let's say http/https (ports 80 and 443), from anywhere that may try to make those connections.

In order to accomplish the first part (firewalld doing nothing by default), I've configured my NIC to be in the "trusted" zone. So far this seems to work: with firewalld running, I can still access all ports on the server.

I can't, however, figure out how to block only the http and https ports.

I know this is the opposite of how you normally want to use a firewall. I don't want to block all and only open certain ports; I want to allow all and only block certain services.

Responses

You should be able to do this with a rich rule. Something along the lines of:

firewall-cmd --permanent --add-rich-rule='rule family=ipv4 port port="443" protocol="tcp" reject'
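Since rich rules attach to a zone, the rule above has to be added to the zone the NIC is actually in (here "trusted"), and a family=ipv4 rule alone still leaves the port reachable over IPv6. The script below, an added example rather than the responder's own command, generates reject rules for both families for each port, applies them permanently to the zone, reloads, and lists the active rich rules so you can verify; the ZONE and DRY_RUN variables are assumptions for this example.

```sh
#!/bin/sh
# Added example: reject selected TCP ports in the zone the interface belongs to.
# ZONE and DRY_RUN are assumptions for this example, not firewalld settings.
ZONE="${ZONE:-trusted}"
DRY_RUN="${DRY_RUN:-1}"   # set to 0 on a real host to actually call firewall-cmd

# Print one rich rule per (family, port) pair. Both families are needed:
# a family=ipv4 rule alone leaves the same port reachable over IPv6.
block_rules() {
  for port in "$@"; do
    for family in ipv4 ipv6; do
      printf 'rule family="%s" port port="%s" protocol="tcp" reject\n' "$family" "$port"
    done
  done
}

# Apply the rules permanently to the given zone and reload so they take
# effect at runtime; with DRY_RUN=1 only echo the commands that would run.
apply_block() {
  zone="$1"; shift
  block_rules "$@" | while IFS= read -r rule; do
    if [ "$DRY_RUN" = 1 ]; then
      echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$rule'"
    else
      firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    fi
  done
  if [ "$DRY_RUN" = 1 ]; then
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$zone --list-rich-rules"
  else
    firewall-cmd --reload
    # Verify: the reject rules must show up in the zone's active rich rules.
    firewall-cmd --zone="$zone" --list-rich-rules
  fi
}

apply_block "$ZONE" 80 443
```

Check the zone assignment first with `firewall-cmd --get-zone-of-interface=<nic>`; a rule added without `--zone` goes to the default zone and will not affect an interface sitting in "trusted".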