Chapter 13. Configuring the web console listening port

Learn how to allow new ports or change the existing ports using the RHEL 9 web console.

13.1. Allowing a new port on a system with active SELinux

Enable the web console to listen on a selected port.



  • For ports that are not defined by any other part of SELinux, run:

    $ sudo semanage port -a -t websm_port_t -p tcp PORT_NUMBER
  • For ports that already are defined by other part of SELinux, run:

    $ sudo semanage port -m -t websm_port_t -p tcp PORT_NUMBER

The changes should take effect immediately.

13.2. Allowing a new port on a system with firewalld

Enable the web console to receive connections on a new port.


  • The web console must be installed and accessible. For details, see Installing the web console.
  • The firewalld service must be running.


  1. To add a new port number, run the following command:

    $ sudo firewall-cmd --permanent --service cockpit --add-port=PORT_NUMBER/tcp
  2. To remove the old port number from the cockpit service, run:

    $ sudo firewall-cmd --permanent --service cockpit --remove-port=OLD_PORT_NUMBER/tcp

If you only run the firewall-cmd --service cockpit --add-port=PORT_NUMBER/tcp without the --permanent option, your change will disappear with the next reload of firewalld or a system reboot.

13.3. Changing the web console port

Change default transmission control protocol (TCP) on port 9090 to a different one.



  1. Change the listening port with one of the following methods:

    1. Using the systemctl edit cockpit.socket command:

      1. Enter the following command:

        # systemctl edit cockpit.socket

        This opens the /etc/systemd/system/cockpit.socket.d/override.conf file.

      2. Modify the content of override.conf to contain the following configuration:


        The ListenStream option specifies the desired address and TCP port.


        The first line with an empty value is intentional. systemd allows multiple ListenStream directives to be declared in a single socket unit. An empty value in a drop-in file resets the list and disables the default port 9090 from the original unit.

    2. Alternatively, add the previous socket configuration to the /etc/systemd/system/cockpit.socket.d/listen.conf file.

      Create the cockpit.socket.d. directory and the listen.conf file if they do not exist yet.

  2. Enter the following commands for changes to take effect:

    # systemctl daemon-reload
    # systemctl restart cockpit.socket

    If you used systemctl edit cockpit.socket in the previous step, running systemctl daemon-reload is not necessary.

Verification steps

  • To verify that the change was successful, connect to the web console with the new port.