23

I had a port opened up for public use using firewall-cmd. I wanted to limit this port to a specific IP, which I found the answer for on this site.

I used the following to open it:

$ firewall-cmd --permanent --zone=public --add-port=10050/tcp
$ firewall-cmd --reload

Now, using the information I found, I wanted to restrict access to this port to a specific IP address. Do I need to first remove this port from public access?

Or can I just add the new rule as follows, and will that take care of the problem for me?

$ firewall-cmd --permanent --new-zone=special
$ firewall-cmd --permanent --zone=special --add-rich-rule='
  rule family="ipv4"
  source address="123.1.1.1"
  port protocol="tcp" port="10050" accept'

I have tried the following:

$ firewall-cmd --zone=public --remove-port=10050/tcp
$ firewall-cmd --reload

But when I run the following:

$ firewall-cmd --list-ports 

10050/tcp is still displayed.

Please understand I'm not overly familiar with server-side configurations.

Solution: Do not forget the --runtime-to-permanent

$ firewall-cmd --zone=public --remove-port=10050/tcp
$ firewall-cmd --runtime-to-permanent
$ firewall-cmd --reload 
mcv
  • Ah I forgot the **--permanent** – mcv Dec 06 '16 at 13:11
    You should post this as an answer (and accept it). It is perfectly acceptable to accept your own answers, this way the question is marked as solved. – Gerald Schneider Dec 06 '16 at 13:18
    It's better to _not_ use `--permanent`, in case you make a mistake with a firewall rule. If you used `--permanent` and locked yourself out, you will find it quite difficult to get back in, since you have no way to recover. Instead, don't use `--permanent`, and when you are happy with the rules, use `firewall-cmd --runtime-to-permanent` to commit the rules. If you get locked out, reloading the firewall or rebooting will go back. – Michael Hampton Dec 07 '16 at 01:56
  • So is this `firewall-cmd --runtime-to-permanent` applied after the `firewall-cmd --reload`, or does it replace it entirely? I am definitely going to try this. – mcv Dec 07 '16 at 17:04

5 Answers

44

Solution: Do not forget the --runtime-to-permanent

$ firewall-cmd --zone=public --remove-port=10050/tcp
$ firewall-cmd --runtime-to-permanent 
$ firewall-cmd --reload 
mcv
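The workflow that the accepted answer and Michael Hampton's comment describe (change the runtime configuration first, verify it, then commit with `--runtime-to-permanent`), plus the source-restricted rich rule the question asks about, as an added example that is not part of the question or of any answer. The function names, the `FWCMD` variable (which defaults to the real `firewall-cmd` and can be pointed at a stub for offline testing) and the `run` argument are this example's own conventions; the real tool needs root and a running firewalld.

```shell
#!/bin/sh
# Added example, not code from the question or any answer.
# FWCMD is this script's own assumption: it defaults to the real firewall-cmd
# (needs root and a running firewalld) and can be replaced by a stub for testing.
FWCMD="${FWCMD:-firewall-cmd}"

# port_is_open ZONE PORT/PROTO [--permanent]
# Succeeds when PORT/PROTO is listed for ZONE: runtime config by default,
# permanent config when --permanent is given.
port_is_open() {
    _pio_zone=$1; _pio_port=$2; _pio_scope=${3:-}
    $FWCMD $_pio_scope --zone="$_pio_zone" --list-ports \
        | tr ' ' '\n' | grep -qx "$_pio_port"
}

# close_port_safely ZONE PORT/PROTO
# Removes the port from the runtime config only, so a mistake is undone by
# `firewall-cmd --reload` or a reboot. Once the runtime change checks out,
# commits it with --runtime-to-permanent and checks the permanent config too.
close_port_safely() {
    _cps_zone=$1; _cps_port=$2
    $FWCMD --zone="$_cps_zone" --remove-port="$_cps_port" >/dev/null || return 1
    if port_is_open "$_cps_zone" "$_cps_port"; then
        echo "runtime removal of $_cps_port from zone $_cps_zone failed" >&2
        return 1
    fi
    $FWCMD --runtime-to-permanent >/dev/null || return 1
    if port_is_open "$_cps_zone" "$_cps_port" --permanent; then
        echo "$_cps_port is still in the permanent config of zone $_cps_zone" >&2
        return 1
    fi
    return 0
}

# allow_port_from_source ZONE PORT PROTO SOURCE_IPV4
# Adds a runtime rich rule that accepts PORT/PROTO only from SOURCE_IPV4.
# The quotes inside the rule are plain ASCII double quotes; curly quotes
# pasted from a web page are not accepted by firewalld.
allow_port_from_source() {
    _aps_rule="rule family=\"ipv4\" source address=\"$4\" port protocol=\"$3\" port=\"$2\" accept"
    $FWCMD --zone="$1" --add-rich-rule="$_aps_rule" >/dev/null
}

# Only acts when invoked as:  sh this_script.sh run [ZONE] [PORT/PROTO]
case "${1:-}" in
    run)
        close_port_safely "${2:-public}" "${3:-10050/tcp}" && echo "done"
        ;;
esac
```

Run it as `sudo sh close_port.sh run public 10050/tcp`; if the runtime removal goes wrong, `firewall-cmd --reload` restores the permanent configuration, which is exactly why the permanent change is made last.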
11
# firewall-cmd --zone=public --remove-port=12345/tcp --permanent
# firewall-cmd --reload

Replace 12345 with the port you want to remove.

Zing Lee
    I read somewhere that in Fedora doc, it suggests to put `--permanent` as the first option. But yes, `--permanent` is the key. – WesternGun Dec 14 '17 at 15:12
  • I usually keep it as the last option to ensure that if the rule is incorrect for whatever reason, I can simply reboot without making the rule permanent. If it does what I want, I can up-arrow and add `--permanent` to the end. – Justin E Feb 10 '18 at 02:04
3

Follow these steps and you will be fine:

  1. $ firewall-cmd --zone=public --remove-port=10050/tcp
  2. $ firewall-cmd --runtime-to-permanent
  3. $ firewall-cmd --reload
  4. $ systemctl restart firewalld
  5. $ firewall-cmd --zone=public --list-ports
Dan Howel
  • I don't think you need to restart firewalld, `firewalld` was actually designed to avoid restarting all the services every time you change a configuration. – vdegenne Apr 25 '18 at 23:08
  • actually for me only restart helped. – Boris Ivanov Jun 08 '20 at 18:39
  • For me, `firewall-cmd --zone=public --remove-port=1883/tcp --permanent` followed by a `firewall-cmd --reload` was the effective sequence. – djna Jul 19 '20 at 10:00
2

Please run these steps:

  1. firewall-cmd --permanent --remove-service=telnet
  2. firewall-cmd --reload
  3. systemctl restart firewalld.service
  4. firewall-cmd --list-all
  5. iptables -nvL

Your iptables/firewalld output will no longer show the telnet service.

Regards

Iki Arif
1

All those answers were wrong on my fedora server. My solution was:

firewall-cmd --remove-port=8081/tcp --permanent
firewall-cmd --reload
firewall-cmd --list-all

Please note that the command firewall-cmd --permanent --remove-port=8081/tcp was throwing an error "firewall-cmd: error: unrecognized arguments: –-remove-port=8081/tcp".

Den