
How to Open Ports with firewalld on CentOS/RHEL

DodaTech

In this tutorial you'll learn how to open ports with firewalld on CentOS/RHEL: the key concepts, practical examples, and best practices.

The Problem

You start a service (web server, database, custom app) on CentOS/RHEL/Fedora, but it's not reachable from other machines. By default, firewalld's public zone drops incoming connections except for a few services such as SSH. You need to open the specific ports your application listens on before it is accessible over the network.

Quick Fix

1. Check the current firewalld status and zones

sudo firewall-cmd --state
sudo firewall-cmd --get-active-zones

Expected output:

running
public
  interfaces: eth0

2. Open a port permanently

# Open HTTP port
sudo firewall-cmd --permanent --add-port=80/tcp

# Open HTTPS port
sudo firewall-cmd --permanent --add-port=443/tcp

# Reload to apply
sudo firewall-cmd --reload

3. Open a port temporarily (for testing)

# Survives until firewalld reload or reboot
sudo firewall-cmd --add-port=3000/tcp

4. Use predefined services instead of port numbers

# List available services
sudo firewall-cmd --get-services

# Add HTTP (opens port 80) and HTTPS (opens port 443)
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https
sudo firewall-cmd --reload

5. Open a port range

sudo firewall-cmd --permanent --add-port=6000-6100/tcp
sudo firewall-cmd --reload

6. List all open ports and services

sudo firewall-cmd --list-all

Expected output:

public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh
  ports: 3000/tcp

7. Remove a port or service

sudo firewall-cmd --permanent --remove-port=3000/tcp
sudo firewall-cmd --permanent --remove-service=http
sudo firewall-cmd --reload

8. Check if a specific port is open

sudo firewall-cmd --query-port=80/tcp
sudo firewall-cmd --query-service=http

9. Add a port to a different zone

sudo firewall-cmd --permanent --zone=internal --add-port=5432/tcp
sudo firewall-cmd --reload

Common Causes

| Cause | Scenario | Fix |
| --- | --- | --- |
| Port not opened | Service started but port not in firewall | firewall-cmd --add-port=80/tcp |
| Wrong zone | Port opened in a zone that's not active | Check with --get-active-zones |
| Missing --permanent | Port open only until reload/reboot | Re-add with --permanent, then --reload |
| SELinux also blocking | Port open but SELinux denies | Check ausearch -m avc for denials |
| Firewall not running | firewall-cmd says not running | systemctl start firewalld |
| Protocol mismatch | Opened TCP but service uses UDP | Add the UDP port: --add-port=53/udp |

Prevention

  • Use services (--add-service=http) instead of raw ports (--add-port=80/tcp) for well-known protocols: the service definition carries the correct ports and protocols, so you don't have to track them by hand
  • Use the --permanent flag so changes survive reboots; without it a rule lives only in the runtime configuration
  • Always run --reload after permanent changes, since --permanent writes the rule to disk but does not activate it until the reload
  • Restrict database ports to internal zones, not public, and verify with --list-all that nothing unintended is exposed
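The checks in steps 6 and 8 and the last prevention point can be scripted. The following is an added example, not part of the original article: it parses a zone dump in the format of firewall-cmd --list-all-zones (here a constructed sample, so it runs without firewalld), reports whether a port or service is open in a given zone, and flags database ports exposed in the public zone. The list of database ports is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article). ZONE_DUMP is a CONSTRUCTED
# sample in the format of `firewall-cmd --list-all-zones`; on a real host use:
#   ZONE_DUMP=$(sudo firewall-cmd --list-all-zones)
ZONE_DUMP='public (active)
  interfaces: eth0
  services: cockpit dhcpv6-client http https ssh
  ports: 3000/tcp 5432/tcp 6000-6100/tcp

internal (active)
  interfaces: eth1
  services: dhcpv6-client mdns samba-client ssh
  ports: 5432/tcp'

# Print the value of one field (e.g. "ports:" or "services:") of one zone.
zone_field() {
    printf '%s\n' "$ZONE_DUMP" | awk -v zone="$1" -v key="$2" '
        /^[^ ]/ { in_zone = ($1 == zone) }   # zone header, e.g. "public (active)"
        in_zone && $1 == key { $1 = ""; sub(/^ /, ""); print }'
}

# Succeed if PORT/PROTO (e.g. 80/tcp) is open in ZONE, matching the protocol
# exactly and accepting ports inside a range such as 6000-6100/tcp.
zone_has_port() {
    want_num=${2%/*}; want_proto=${2#*/}
    for entry in $(zone_field "$1" ports:); do
        [ "${entry#*/}" = "$want_proto" ] || continue
        range=${entry%/*}; lo=${range%-*}; hi=${range#*-}   # single port: lo = hi
        [ "$want_num" -ge "$lo" ] && [ "$want_num" -le "$hi" ] && return 0
    done
    return 1
}

# Succeed if a predefined service (e.g. http) is enabled in ZONE.
zone_has_service() {
    for svc in $(zone_field "$1" services:); do [ "$svc" = "$2" ] && return 0; done
    return 1
}

# Print database ports that are open in the public zone, one per line; these
# belong in an internal zone instead. The port list is an assumption.
exposed_db_ports() {
    for p in 5432/tcp 3306/tcp 27017/tcp 6379/tcp; do
        zone_has_port public "$p" && printf '%s\n' "$p"
    done
    return 0
}
```

Running exposed_db_ports against the sample dump prints 5432/tcp, the PostgreSQL port that step 9 placed in the internal zone but which the sample also has open in public.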
