TL;DR
Yes, CentOS 7’s firewalld may have open ports by default depending on the services installed and active. This guide shows you how to check which ports are currently open and how to manage them for better cyber security.
Checking Open Ports with Firewalld
- Understand Firewalld Zones: Firewalld uses zones to define trust levels for network connections. Common zones include ‘public’, ‘home’, ‘work’ and ‘trusted’. The active zone determines which ports are open.
- To find your active zone:
firewall-cmd --get-active-zones
- To find your active zone:
- List All Ports for the Active Zone: This shows you all ports currently allowed in your default zone.
- Use this command, replacing ‘public’ with your active zone if it’s different:
firewall-cmd --list-ports --zone=public
- Use this command, replacing ‘public’ with your active zone if it’s different:
- List All Services for the Active Zone: Firewalld often allows services instead of individual ports. This command shows which services are enabled.
- Again, replace ‘public’ with your active zone:
firewall-cmd --list-services --zone=public
- Again, replace ‘public’ with your active zone:
- Check Permanent vs. Runtime Configuration: Firewalld has a runtime configuration (changes are lost on reboot) and a permanent configuration.
- To see the permanent ports:
firewall-cmd --list-ports --zone=public --permanent - To see the permanent services:
firewall-cmd --list-services --zone=public --permanent
- To see the permanent ports:
- Check if a Specific Port is Open: You can directly query if a specific port is open.
- For example, to check if port 80 (HTTP) is open:
firewall-cmd --query-port=80/tcp --zone=public
- For example, to check if port 80 (HTTP) is open:
Managing Open Ports
- Opening a Port: If you need to allow access through a specific port.
- To open port 80 (HTTP) permanently:
firewall-cmd --permanent --zone=public --add-port=80/tcp - Reload firewalld to apply the changes:
firewall-cmd --reload
- To open port 80 (HTTP) permanently:
- Closing a Port: If you want to block access through a specific port.
- To close port 80 (HTTP) permanently:
firewall-cmd --permanent --zone=public --remove-port=80/tcp - Reload firewalld to apply the changes:
firewall-cmd --reload
- To close port 80 (HTTP) permanently:
- Opening a Service: If you need to allow access for a specific service.
- To open the ‘http’ service permanently:
firewall-cmd --permanent --zone=public --add-service=http - Reload firewalld to apply the changes:
firewall-cmd --reload
- To open the ‘http’ service permanently:
- Closing a Service: If you want to block access for a specific service.
- To close the ‘http’ service permanently:
firewall-cmd --permanent --zone=public --remove-service=http - Reload firewalld to apply the changes:
firewall-cmd --reload
- To close the ‘http’ service permanently: