Using CentOS 7, I am trying to use firewall-cmd --zone=public --add-port=443/tcp --permanent to add 443 to my allowed ports. Unfortunately, this throws the error ALREADY_ENABLED: 443:tcp. But when I use firewall-cmd --list-ports it does not show in the list ("80/tcp 3000/tcp 26900/tcp 26900/udp").

I suppose the issue is caused by a conflict between firewall-cmd and iptables. But I have no idea how to debug this, or if this is even possible.

Calling firewall-cmd --list-all results in the following list:

  target: default
  icmp-block-inversion: no
  services: ssh dhcpv6-client
  ports: 80/tcp 3000/tcp 26900/tcp 26900/udp
  masquerade: no
  rich rules:


The command you say you ran affects the permanent configuration, not the running configuration. But you are listing the running configuration. That is why you don't see them.

You may list the permanent configuration to confirm that the rule has been added successfully.

firewall-cmd --list-all --permanent

You may add the rule to the running configuration instead:

firewall-cmd --zone=public --add-port=443/tcp

Or you may reload the running configuration from the permanent configuration:

firewall-cmd --reload

Also remember that firewalld has defined services for common ports, so it's not usually necessary to open them by number. For example, instead of opening ports 80/tcp and 443/tcp you could instead say:

firewall-cmd --zone=public --add-service=http
firewall-cmd --zone=public --add-service=https

Finally, when possible, it's better to change rules in the running configuration, verify that they are working, and then save the configuration, rather than the reverse. This allows you a way to revert if something goes wrong and you accidentally lock yourself out of the system.

You can save the running configuration to the permanent configuration by running:

firewall-cmd --runtime-to-permanent

(But some operations only work on the permanent configuration, such as creating new zones. For these you must use --permanent and then immediately --reload the firewall.)

  • `firewall-cmd --reload` or `firewall-cmd --complete-reload` resolved my similar issue. Also, without specifying a zone, `firewall-cmd` shows the status on `trust` zone by default. If you poke a hole in public zone, you would need to explicitly specify the zone, e.g. `firewall-cmd --list-all --permanent --zone=public` – Devy Dec 03 '19 at 19:55
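The runtime-versus-permanent mismatch described in the answer, as an added example that is not part of the original post: a small POSIX sh script that reports ports present in the permanent configuration but not yet active, and that opens a port in the recommended order (runtime first, verify, then --runtime-to-permanent). The FWCMD and ZONE variables, and the helper names, are this example's own; the sample port lists are constructed from the question.

```shell
#!/bin/sh
# Compare a firewalld zone's runtime and permanent port lists and spot
# rules that will only take effect after `firewall-cmd --reload`.
FWCMD="${FWCMD:-firewall-cmd}"   # assumed: override to a wrapper/stub for testing
ZONE="${ZONE:-public}"           # assumed: the zone to inspect

# Exit 0 if port spec $1 (e.g. 443/tcp) appears in the space-separated list $2.
has_port() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# Print the ports found in the permanent list ($2) but absent from the
# runtime list ($1). Both lists are in the format `--list-ports` prints.
pending_ports() {
  runtime="$1"; permanent="$2"; out=""
  for p in $permanent; do
    if ! has_port "$p" "$runtime"; then
      out="${out:+$out }$p"   # saved on disk, not active in the running firewall
    fi
  done
  printf '%s\n' "$out"
}

# Query the live system and report permanent-only ports for $ZONE.
report_pending() {
  rt=$($FWCMD --zone="$ZONE" --list-ports)
  pm=$($FWCMD --zone="$ZONE" --list-ports --permanent)
  pending=$(pending_ports "$rt" "$pm")
  if [ -n "$pending" ]; then
    echo "Permanent-only in zone $ZONE (inactive until --reload): $pending"
  else
    echo "Runtime and permanent port lists for zone $ZONE agree"
  fi
}

# Open a port the safe way: change the running firewall, verify the rule
# really is active, and only then persist it with --runtime-to-permanent.
open_port_safely() {
  port="$1"
  $FWCMD --zone="$ZONE" --add-port="$port" >/dev/null
  rt=$($FWCMD --zone="$ZONE" --list-ports)
  has_port "$port" "$rt" || { echo "failed to open $port at runtime" >&2; return 1; }
  $FWCMD --runtime-to-permanent >/dev/null
}

# Only talk to the live firewall when firewall-cmd is actually installed.
if command -v "$FWCMD" >/dev/null 2>&1; then
  report_pending
fi
```

Running it on the questioner's system would list 443/tcp as permanent-only, which is exactly the state the ALREADY_ENABLED error and the short --list-ports output together describe.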