How to add/remove ports without starting firewalld in RHEL?

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8

Issue

  • Is there a way to add or remove ports from the firewalld configuration whilst the firewall is disabled?
  • I don't want to start firewalld for adding or removing ports as it will cause an outage.

Resolution

  • firewall-offline-cmd is the offline command line client of the firewalld daemon. It edits the permanent configuration under /etc/firewalld directly and should be used only if the firewalld service is not running; while firewalld is running, use firewall-cmd --permanent instead, otherwise the running daemon and the on-disk configuration can get out of sync.

  • A port can therefore be added or removed via firewall-offline-cmd while firewalld is inactive, without starting the daemon.

  • For adding a port (--port=XXXX:tcp is the lokkit-compatibility option; --add-port=XXXX/tcp is the equivalent standard option):

# firewall-offline-cmd --port=XXXX:tcp
  • For removing a port:
# firewall-offline-cmd --remove-port=XXXX/tcp
  • If no --zone is given, the port is added to or removed from the default zone (public, unless the default zone has been changed).

  • To add a port into a specific zone:

# firewall-offline-cmd --zone=<zone-name> --add-port=XXXX/tcp
  • To remove a port from a specific zone:
# firewall-offline-cmd --zone=<zone-name> --remove-port=XXXX/tcp
  • Since firewall-offline-cmd writes the port into the permanent zone file /etc/firewalld/zones/<zone-name>.xml, the change persists and is applied when the firewalld service is later started or reloaded. Check that file (or run firewall-offline-cmd --zone=<zone-name> --list-ports) to confirm the change before the service is started.

NOTE: Replace XXXX with the actual port number; a port range is written as XXXX-YYYY/tcp.

  • Refer to the man page for more information on firewall-offline-cmd.
$ man firewall-offline-cmd
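The procedure above as a small wrapper script. This is an added example, not part of the Red Hat solution: it refuses to run while firewalld is active (where firewall-cmd --permanent is the right tool), validates the port specification, runs firewall-offline-cmd with the standard --add-port/--remove-port options, and then verifies the result against the permanent zone file rather than trusting the "success" line alone. It assumes firewalld's default layout, /etc/firewalld/zones/<zone>.xml (overridable via ZONE_DIR); the function names and the script name offline-port.sh are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat article): a guarded wrapper around
# firewall-offline-cmd that validates input, refuses to run while firewalld is
# active, and verifies the change in the permanent zone file.
set -u

# Assumption: firewalld's default permanent zone directory; override for tests.
ZONE_DIR="${ZONE_DIR:-/etc/firewalld/zones}"

# valid_port_spec PORT/PROTO -> 0 if the spec looks like 1234/tcp or 1000-2000/udp.
# Rejects the lokkit-style "1234:tcp" so only one form reaches the verifier below.
valid_port_spec() {
    printf '%s' "$1" | grep -Eq '^[0-9]{1,5}(-[0-9]{1,5})?/(tcp|udp|sctp|dccp)$'
}

# firewalld_is_active -> 0 if the daemon is running; firewall-offline-cmd must
# not be used in that state (use firewall-cmd --permanent instead).
firewalld_is_active() {
    systemctl is-active --quiet firewalld 2>/dev/null
}

# zone_file_has_port FILE PORT/PROTO -> 0 if the permanent zone XML lists the
# port. Attribute order in <port .../> is not guaranteed, so each attribute is
# matched on its own instead of relying on a fixed "port=... protocol=..." order.
zone_file_has_port() {
    file=$1
    port=${2%/*}
    proto=${2#*/}
    [ -r "$file" ] || return 1
    grep -E '<port[[:space:]][^>]*/>' "$file" \
        | grep -E "port=\"$port\"" \
        | grep -Eq "protocol=\"$proto\""
}

# change_port add|remove ZONE PORT/PROTO
# Exit codes: 0 ok and verified, 1 firewall-offline-cmd failed or verification
# failed, 2 bad arguments, 3 firewalld is running.
change_port() {
    action=$1; zone=$2; spec=$3
    if ! valid_port_spec "$spec"; then
        echo "bad port spec: $spec (expected e.g. 1234/tcp or 1000-2000/udp)" >&2
        return 2
    fi
    case $action in
        add|remove) ;;
        *) echo "usage: change_port add|remove ZONE PORT/PROTO" >&2; return 2 ;;
    esac
    if firewalld_is_active; then
        echo "firewalld is running; use firewall-cmd --permanent --zone=$zone --$action-port=$spec" >&2
        return 3
    fi
    firewall-offline-cmd --zone="$zone" "--$action-port=$spec" || return 1
    # Verify against the permanent configuration the command just wrote.
    case $action in
        add)    zone_file_has_port "$ZONE_DIR/$zone.xml" "$spec" ;;
        remove) ! zone_file_has_port "$ZONE_DIR/$zone.xml" "$spec" ;;
    esac
}

# Usage: ./offline-port.sh add public 1234/tcp
#        ./offline-port.sh remove trusted 1234/tcp
if [ $# -eq 3 ]; then
    change_port "$1" "$2" "$3"
fi
```

Because the verification reads the zone file that firewall-offline-cmd writes, a non-zero exit from the script means the permanent configuration does not contain what you asked for, which is exactly the state that would surprise you the next time firewalld is started or reloaded.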

Diagnostic Steps

  • The status of firewalld is inactive (dead).
[root@rhel7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
  • We now add the port 1234/tcp.
[root@rhel7 ~]# firewall-offline-cmd --port=1234:tcp
Adding port '1234/tcp' to default zone.
success
  • The port is listed under the default zone, public.
[root@rhel7 ~]# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 1234/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • We double-check the status of firewalld.
[root@rhel7 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
  • To remove the port, we use the --remove-port option.
[root@rhel7 ~]# firewall-offline-cmd --remove-port=1234/tcp
success
  • The port is no longer listed under the public zone.
[root@rhel7 ~]# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • We add the port to a specific zone, here trusted. Note that the trusted zone's target is ACCEPT, so all traffic from interfaces or sources bound to it is accepted anyway; adding a port there opens nothing new, and with no interfaces or sources bound (as in this output) the entry affects no traffic at all. For a zone where the port actually matters, use a filtering zone such as public or internal.
[root@rhel7 ~]# firewall-offline-cmd --zone=trusted --add-port=1234/tcp
success
  • The port is listed under the trusted zone.
[root@rhel7 ~]# firewall-offline-cmd --zone=trusted --list-all
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 1234/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
  • We now remove the port from the trusted zone.
[root@rhel7 ~]# firewall-offline-cmd --zone=trusted --remove-port=1234/tcp
success
  • The port is no longer listed under the trusted zone.
[root@rhel7 ~]# firewall-offline-cmd --zone=trusted --list-all
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
