firewalld is the default firewall program that comes pre-installed on Red Hat Enterprise Linux and its derivative Linux distributions, such as AlmaLinux.
By default, the firewall is turned on, meaning that a very limited number of services are able to receive incoming traffic. This is a nice security feature, but it means that the user must be knowledgeable enough to configure the firewall whenever they install a new service on the system, like HTTPD or SSH for example. Otherwise, connections from the internet can’t reach these services.
Rather than disabling the firewall on AlmaLinux entirely, we can allow certain ports through the firewall, which lets incoming connections reach our services. In this guide, we’ll see how to allow a port through the firewall on AlmaLinux. Feel free to follow along whether you’ve freshly installed AlmaLinux or migrated from CentOS to AlmaLinux.
In this tutorial you will learn:
- How to allow a port or service through the firewall on AlmaLinux
- How to reload the firewall for changes to take effect
- How to check what ports and services are open in the firewall
- How to close a port after having it configured as open
- Command examples for allowing the most common ports through firewall
Category | Requirements, Conventions or Software Version Used |
---|---|
System | AlmaLinux |
Software | firewalld |
Other | Privileged access to your Linux system as root or via the sudo command. |
Conventions |
# – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command$ – requires given linux commands to be executed as a regular non-privileged user |
How to allow a port through firewall on AlmaLinux
Follow the step by step instructions below to allow ports or services through firewalld on AlmaLinux. You’ll also see how to check the open ports that firewalld has configured.
- When checking for open firewall ports on RHEL 8 / CentOS 8 Linux it is important to know that firewall ports can be opened in two main different ways. Firstly, the firewall port can be opened as part of a pre-configured service. Take this example where we open the port for
HTTP
to thepublic
zone.# firewall-cmd --zone=public --add-service=http --permanent
Of course, adding the HTTP service to firewalld is the equivalent of opening port
80
. - Secondly, the ports can be open directly as custom user predefined ports. Take this example where we open port
8080
.# firewall-cmd --zone=public --add-port 8080/tcp --permanent
Since 8080 doesn’t have an associated service, it’s necessary for us to specify the port number rather than a service name if we want to open this port.
- To check which service ports are open, execute the following command.
# firewall-cmd --zone=public --list-services cockpit dhcpv6-client http https ssh
The above services (cockpit, DHCP, HTTP, HTTPS, and SSH) have their relevant port numbers open.
- To check which port numbers are open, use this command.
# firewall-cmd --zone=public --list-ports 20/tcp 8080/tcp
The above ports,
20
and8080
, are open to incoming traffic. - After you’ve allowed your ports and services through the firewall, we’ll need to reload firewalld for the changes to take effect. All rules with the
--permanent
option will now become part of the runtime configuration. Rules without this option will be discarded.# firewall-cmd --reload
- We can also see a list of all open services and ports by using the
--list-all
option.# firewall-cmd --list-all public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client http ssh ports: 443/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
- Note that firewalld works with zones. Depending on which zone your network interface(s) is using, you may need to add your allowed port to that particular zone. The first step above shows how to add a rule to the “public” zone. To see the rules for that zone specifically, continue using the
--zone=
syntax.# firewall-cmd --list-all --zone=public public (active) target: default icmp-block-inversion: no interfaces: ens160 sources: services: cockpit dhcpv6-client http ssh ports: 443/tcp protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:
- In case you need to close one of the previously configured open ports, you can use the following command syntax. In this example, we close the port for HTTPS.
# firewall-cmd --zone=public --permanent --remove-service=https
That’s all there is to it. To learn more about firewalld and the firewall-cmd
Linux command, check out our dedicated guide on introduction to firewalld and firewall-cmd.
Common Port Examples
Use the commands below as an easy reference guide to allow some of the most common services through the firewall on AlmaLinux.
- Allow HTTP through firewall.
# firewall-cmd --zone=public --add-service=http --permanent
- Allow HTTPS through firewall.
# firewall-cmd --zone=public --add-service=https --permanent
- Allow MySQL through firewall.
# firewall-cmd --zone=public --add-service=mysql --permanent
- Allow SSH through firewall.
# firewall-cmd --zone=public --add-service=ssh --permanent
- Allow DNS through firewall.
# firewall-cmd --zone=public --add-service=dns --permanent
- Allow PostgreSQL through firewall.
# firewall-cmd --zone=public --add-service=postgresql --permanent
- Allow telnet through firewall.
# firewall-cmd --zone=public --add-service=telnet --permanent
Closing Thoughts
In this guide, we saw how to allow a port or service through the firewall on AlmaLinux. This involved using the firewall-cmd command associated with firewalld, which makes the process easy once we know the correct syntax to use. We also saw multiple examples for allowing many of the most common services through the firewall. Remember to pay special attention to what zone you apply your new rules to.