    • 1

      Solved How to use firewall-cmd to verify that tcp 80 & 443 is open?

      IT Discussion
      • firewalld firewall-cmd fedora rhel centos • • 1337
      0 Votes, 27 Posts, 3.8k Views

      scottalanmiller

      @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

      One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
      I've not seen something like that for iptables/netfilter.

      Not sure about simulating, but you can always send packets at it and use iptables -v to see the counters.

    • DustinB3403

      Documenting Firewall Exceptions and Rules

      IT Discussion
      • firewall firewall-cmd linux windows documentation change management tracking • • DustinB3403
      2 Votes, 10 Posts, 994 Views

      DustinB3403

      @IRJ said in Documenting Firewall Exceptions and Rules:

      @DustinB3403 said in Documenting Firewall Exceptions and Rules:

      I had to add some rules to a CentOS 8 server because some things stopped working that were previously working. (Not sure why this worked before, but it did)

      Adding a few rich rules resolved the issue immediately.

      None of this makes any sense. It's deny all and permit by exception. Why would you do anything else?

      That's the default, and that's what was working just fine for a long time. Suddenly it began "not working" and needed the exceptions made.

    • DustinB3403

      CentOS 7.5 not listing ports when added to firewall-cmd

      IT Discussion
      • centos setenforce linux firewall-cmd • • DustinB3403
      1 Votes, 11 Posts, 972 Views

      JaredBusch

      @dustinb3403 said in CentOS 7.5 not listing ports when added to firewall-cmd:

      @jaredbusch Look at the OP, I have telnet listening to those ports.

      Ahh, didn't scroll enough.

    • DustinB3403

      CentOS 7 Telnet Port Change

      IT Discussion
      • yealink dmp centos selinux firewall-cmd config • • DustinB3403
      0 Votes, 10 Posts, 1.3k Views

      black3dynamite

      @dustinb3403 said in CentOS 7 Telnet Port Change:

      Cockpit isn't included in CentOS 7 by default (is it?. . . .)

      Not with a minimal install. With the problem you are having, I was assuming the issue was with port 9090.

    • DustinB3403

      CentOS 7.5.1804 Firewalld Failure to run

      IT Discussion
      • firewalld firewall-cmd centos7 iptables bugzilla • • DustinB3403
      2 Votes, 4 Posts, 1.6k Views

      jmoore

      @dustinb3403 ok got it, weird one

    • scottalanmiller

      Open Firewall Ports on CentOS 7 and RHEL 7

      IT Discussion
      • centos linux rhel centos 7 rhel 7 firewalld firewall security firewall-cmd • • scottalanmiller
      3 Votes, 12 Posts, 3.2k Views

      coliver

      @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

      @coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

      Did anyone ever figure out if there was a way to set up files for firewalld? Or were the XML service files the way to go?

      XML I think.

      That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

      Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

      <zone>
        <short>Public</short>
        <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
        <service name="http"/>
        <service name="https"/>
        <service name="ntp"/>
        <service name="dhcpv6-client"/>
        <service name="kerberos"/>
        <service name="ldaps"/>
        <service name="ssh"/>
        <service name="dns"/>
        <service name="ldap"/>
      </zone>

      Those services are predefined right? You can also build your own services via the same process.

      Ya and you can define specific ports. I prob could have grabbed a better example.

      No, I think I've got it just need to investigate actually setting these up.

    • scottalanmiller

      CentOS 7 Open Firewall Ports Range on FirewallD

      IT Discussion
      • centos 7 linux rhel 7 firewalld firewall-cmd firewall iptables centos rhel • • scottalanmiller
      2 Votes, 8 Posts, 20.1k Views

      travisdh1

      @scottalanmiller said:

      @JaredBusch said:

      @scottalanmiller said:

      @JaredBusch said:

      @scottalanmiller said:

      @JaredBusch said:

      While I have never made a how to with a port range, the basic firewalld syntax is used all over the place on this forum by me and every system that I have ever seen that accepts a port range does so with the range hyphenated from lower boundary to upper boundary.

      I would have thought that this was a colon, though, not a hyphen.

      I have never seen it commonly used with a colon to represent a range

      Native IPTables. 🙂

      I rarely work with native IPTables. That would explain a difference in point of view.

      Yeah, and for me I pretty much have done raw edits on /etc/sysconfig/iptables and never used external tools. Now with FirewallD I'm relearning the syntax for everything on Linux firewalls.

      Well, at least I'm not the only one then. Learning how to use firewall-cmd still feels a bit odd.
