How to Open Ports with firewalld on CentOS/RHEL
DodaTech
In this tutorial, you'll learn how to open ports with firewalld on CentOS/RHEL, covering key concepts, practical examples, and best practices.
The Problem
You start a service (web server, database, custom app) on CentOS/RHEL/Fedora, but it's not reachable from other machines. By default, firewalld blocks all incoming ports except SSH. You need to open specific ports for your application to be accessible over the network.
Quick Fix
1. Check the current firewalld status and zones
sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones
Expected output:
running
public
interfaces: eth0
2. Open a port permanently
# Open HTTP port
sudo firewall-cmd --permanent --add-port=80/tcp
# Open HTTPS port
sudo firewall-cmd --permanent --add-port=443/tcp
# Reload to apply
sudo firewall-cmd --reload
3. Open a port temporarily (for testing)
# Survives until firewalld reload or reboot
sudo firewall-cmd --add-port=3000/tcp
4. Use predefined services instead of port numbers
# List available services
sudo firewall-cmd --get-services
# Add HTTP (opens port 80) and HTTPS (opens port 443)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload
5. Open a port range
sudo firewall-cmd --permanent --add-port=6000-6100/tcp
sudo firewall-cmd --reload
6. List all open ports and services
sudo firewall-cmd --list-all
Expected output:
public (active)
target: default
interfaces: eth0
services: cockpit dhcpv6-client http https ssh
ports: 3000/tcp
7. Remove a port or service
sudo firewall-cmd --permanent --remove-port=3000/tcp
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --reload
8. Check if a specific port is open
sudo firewall-cmd --query-port=80/tcp
sudo firewall-cmd --query-service=http
9. Add a port to a different zone
sudo firewall-cmd --permanent --zone=internal --add-port=5432/tcp
sudo firewall-cmd --reload
Common Causes
| Cause | Scenario | Fix |
|---|---|---|
| Port not opened | Service started but port not in firewall | firewall-cmd --add-port=80/tcp |
| Wrong zone | Port opened in a zone that's not active | Check with --get-active-zones |
| Missing --permanent | Port open until reload/reboot | Re-add with --permanent then --reload |
| SELinux also blocking | Port open but SELinux denies | Check ausearch -m avc for denials |
| Firewall not running | firewall-cmd says not running | systemctl start firewalld |
| Protocol mismatch | Opened TCP but service uses UDP | Add UDP port: --add-port=53/udp |
Prevention
- Use services (--add-service=http) instead of ports (--add-port=80/tcp) for well-known protocols; services survive port changes
- Always use the --permanent flag to make changes survive reboots
- Always run --reload after permanent changes
- Restrict database ports to internal zones, not public
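As an added example (not part of the original tutorial), the steps above and the checks from the Common Causes table folded into one POSIX sh helper: it validates the PORT/PROTO spec, refuses to continue if firewalld is not running or the zone is not active, adds the port to the permanent config only if it is missing, reloads, and then verifies the runtime listing. The function names, the `SAMPLE_LISTING` text and the `open_port.sh` filename are assumptions made here; firewall-cmd is only called inside `ensure_port_open`.

```shell
#!/bin/sh
# Added example: idempotent "open a port in a zone" helper with the sanity checks from the tutorial.

# Constructed sample of `firewall-cmd --list-all` output (mirrors step 6 above), used offline.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh
  ports: 3000/tcp'

# Accept "PORT/PROTO" or "START-END/PROTO" with tcp|udp and 1-65535; return 0 if valid.
validate_port_spec() {
    spec="$1"
    proto="${spec##*/}"; ports="${spec%/*}"
    [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
    [ "$ports" != "$spec" ] || return 1            # no "/" at all
    case "$ports" in
        *-*) start="${ports%-*}"; end="${ports#*-}" ;;
        *)   start="$ports";      end="$ports" ;;
    esac
    case "$start" in ''|*[!0-9]*) return 1 ;; esac
    case "$end"   in ''|*[!0-9]*) return 1 ;; esac
    [ "$start" -ge 1 ] && [ "$end" -le 65535 ] && [ "$start" -le "$end" ]
}

# Return 0 if a port spec or service name appears in --list-all style output given as $1.
listing_has() {
    printf '%s\n' "$1" | awk -v item="$2" '
        /^[[:space:]]*(ports|services):/ { for (i = 2; i <= NF; i++) if ($i == item) hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# Open SPEC in ZONE permanently (needs root); skips the add if it is already configured.
ensure_port_open() {
    zone="$1"; spec="$2"
    validate_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
    [ "$(firewall-cmd --state 2>/dev/null)" = running ] ||
        { echo "firewalld is not running (systemctl start firewalld)" >&2; return 3; }
    firewall-cmd --get-active-zones | grep -qx "$zone" ||
        { echo "zone $zone is not active; a port opened there has no effect" >&2; return 4; }
    firewall-cmd --permanent --zone="$zone" --query-port="$spec" >/dev/null 2>&1 ||
        firewall-cmd --permanent --zone="$zone" --add-port="$spec" >/dev/null
    firewall-cmd --reload >/dev/null
    # Verify the runtime state after the reload; that is what actually filters traffic.
    listing_has "$(firewall-cmd --zone="$zone" --list-all)" "$spec"
}

# Usage: sudo sh open_port.sh ZONE PORT/PROTO   (e.g. public 80/tcp, or internal 5432/tcp)
if [ "$#" -eq 2 ]; then ensure_port_open "$1" "$2"; fi
```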