
I've been using iptables for a long time, but have never used firewalld until recently. I have enabled port 3000 TCP via firewalld with the following command:

# firewall-cmd --zone=public --add-port=3000/tcp --permanent

However, I can't access the server on port 3000. From an external box:

telnet 178.62.16.244 3000
Trying 178.62.16.244...
telnet: connect to address 178.62.16.244: Connection refused

There are no routing issues: I have a separate rule for a port forward from port 80 to port 8000 which works fine externally. My app is definitely listening on the port too:

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      99         36797      18662/node

firewall-cmd doesn't seem to show the port either: see how "ports:" is empty. You can see the forward rule I mentioned earlier.

# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8000:toaddr=
  icmp-blocks:
  rich rules:

However I can see the rule in the XML config file:

# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="3000"/>
  <forward-port to-port="8000" protocol="tcp" port="80"/>
</zone>

What else do I need to do to allow access to my app on port 3000?

Also: is adding access via a port the correct thing to do? Or should I make a firewalld 'service' for my app instead?

mikemaccana

4 Answers

12

Using the --permanent flag writes your changes to the persistent configuration, but not the running configuration. Run the same command again without the --permanent flag to have it take effect immediately.

Beginning with RHEL 7.1 and current versions of Fedora, you can also copy the running configuration to the permanent configuration with:

firewall-cmd --runtime-to-permanent
Michael Hampton

  • I think if you use the GUI version, there is an option to copy running configuration to permanent. – xcorat Jul 31 '15 at 19:55
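The runtime/permanent split described in this answer is easy to miss on a host you did not configure yourself. Below is an added example (not from the answer above or from the firewalld project) that compares the two port lists for a zone and reports which way they drift. It assumes the space-separated "3000/tcp" form that firewall-cmd --list-ports prints; offline the lists are passed in as arguments, on a real host you feed it the output of firewall-cmd --zone=public --list-ports and firewall-cmd --zone=public --permanent --list-ports.

```shell
#!/bin/sh
# Added example: report drift between firewalld's runtime and permanent
# port lists for one zone. Not part of firewalld; the argument format
# (space-separated "port/proto" entries) is assumed to match --list-ports.

# port_drift RUNTIME_PORTS PERMANENT_PORTS
# Prints one line per entry that exists on only one side.
# Returns 0 when both lists agree, 1 when they differ.
port_drift() {
    runtime=$1
    permanent=$2
    status=0
    # Permanent-only entries are what the question hit: written to the zone
    # XML but not loaded into the running firewall.
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;
            *) echo "permanent-only: $p (repeat the add without --permanent or run firewall-cmd --reload)"
               status=1 ;;
        esac
    done
    # Runtime-only entries silently disappear on the next reload or reboot.
    for p in $runtime; do
        case " $permanent " in
            *" $p "*) ;;
            *) echo "runtime-only: $p (save it with firewall-cmd --runtime-to-permanent)"
               status=1 ;;
        esac
    done
    return $status
}

# Constructed sample reproducing the question: 3000/tcp was added with
# --permanent only, so the runtime list is still empty.
if port_drift "" "3000/tcp"; then
    echo "runtime and permanent configuration agree"
else
    echo "drift detected: the two configurations differ"
fi
```

On a live host the arguments become "$(firewall-cmd --zone=public --list-ports)" and "$(firewall-cmd --zone=public --permanent --list-ports)"; a non-zero exit makes the check usable from a cron job or configuration-management run.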
5

Weirdly, the rule only seemed to be written out to the config file, and not applied immediately. I had to reload the firewall:

firewall-cmd --reload

After this, the rule then showed up:

# firewall-cmd --zone=public --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 3000/tcp
  masquerade: no
  forward-ports: port=80:proto=tcp:toport=8000:toaddr=
  icmp-blocks:
  rich rules:

The port is now accessible.

mikemaccana

0

Leaving this note, as my issue was not resolved until I restarted the service with systemctl:

sudo systemctl restart firewalld

I had tried all the above. Rebooted the VM. I even set the rules in the VNIC. But it was resolved only after restarting the service.

Environment: Oracle Cloud Network VM: Compute Instance (Developer with Oracle Linux 8)

-3

A restart is required to apply the changes you made.

James