
I have configured sshd to live on a different port. I have opened that port using firewalld:

$ sudo firewall-cmd --zone=public --add-port=22000/tcp --permanent    

Listing rules shows port 22000 is open:

$ sudo firewall-cmd --permanent --zone=public --list-all
public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports: 22000/tcp 
  masquerade: no
  forward-ports: 
  icmp-blocks:
  rich rules:

However I cannot log in from a remote host to port 22000. If I use iptables, it works:

$ sudo iptables -I INPUT -p tcp --dport 22000 -j ACCEPT

I can now log in. But how can I open the port with Firewalld?

Edit: As requested:

$ sudo firewall-cmd --get-default-zone
public

And:

$ firewall-cmd --get-active-zones
public
  interfaces: eth0 eth1
    Your `public` zone is not assigned to any interface and therefore it is not effective, afaik. What is the output of `sudo firewall-cmd --get-default-zone`? – Jakuje Jun 15 '16 at 13:32
  • Thanks @Jakuje! Output is `public`. – mikemaccana Jun 15 '16 at 13:47
    Maybe more useful would be `firewall-cmd --get-active-zones` with explanation which is the network interface you are talking about. – Jakuje Jun 15 '16 at 13:49
  • That looks like in some non-consistent state .. however when you start playing with both `iptables` and `firewalld`, it usually stops to work. That is probably all I can say about this. – Jakuje Jun 15 '16 at 14:11
  • @mikemaccana Do you have both `firewalld` and `iptables` running at the same time ? Is firewall working at all ? Try removing `iptables` & `iptables-service`, reload `firewalld` and see – clhy Jun 15 '16 at 14:36
  • @Jakuje It was broken *before* I added the iptables rule, not afterwards. Deleting the iptables rule makes the port inaccessible again. – mikemaccana Jun 15 '16 at 14:55
  • @pun 'Try removing iptables & iptables-service' - do you mean the module, the package, or something else? – mikemaccana Jun 15 '16 at 14:58
  • @mikemaccana Yes I meant to remove the package iptables and iptables-service – clhy Jun 15 '16 at 15:04
  • @pun package iptables-service isn't installed. package iptables is required by firewalld. – mikemaccana Jun 15 '16 at 15:26

1 Answer


See the firewalld docs:

The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent option, a change will only be part of the runtime configuration.

When using the --permanent option, you should reload the configuration with firewall-cmd --reload.
This is because the --permanent option writes changes to the saved configuration, not to the running config.

  • Thanks! Could you add a link to the relevant docs? – mikemaccana Jun 13 '17 at 12:14
  • Sure. http://www.firewalld.org/documentation/man-pages/firewall-cmd `The permanent option --permanent can be used to set options permanently. These changes are not effective immediately, only after service restart/reload or system reboot. Without the --permanent option, a change will only be part of the runtime configuration.` – Sergei B. Jun 14 '17 at 06:20
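An added check, not part of the original question or answer, that applies the answer's advice (save with --permanent, then --reload) and then verifies that the runtime and permanent views of the zone agree, so a port that is only in one of them is reported. The zone and port are assumptions taken from the question; the comparison helper works on the text `firewall-cmd --list-ports` prints, so it can be exercised on sample output without a running firewalld.

```shell
#!/bin/sh
# Added example, not from the original post: open a port in both the
# permanent and runtime firewalld configuration, then verify the two agree.
# ZONE and PORT are assumptions taken from the question.
ZONE="${ZONE:-public}"
PORT="${PORT:-22000/tcp}"

# has_port LIST PORT: succeeds if PORT is in the space-separated LIST
# (the format printed by `firewall-cmd --list-ports`).
has_port() {
  for p in $1; do
    [ "$p" = "$2" ] && return 0
  done
  return 1
}

# config_drift RUNTIME_LIST PERMANENT_LIST PORT: prints a verdict and returns
# 0 when both views agree on PORT, 1 when they differ.
config_drift() {
  in_runtime=1; in_permanent=1
  has_port "$1" "$3" && in_runtime=0
  has_port "$2" "$3" && in_permanent=0
  if [ $in_runtime -eq 0 ] && [ $in_permanent -eq 0 ]; then
    echo "consistent"; return 0
  elif [ $in_runtime -eq 0 ]; then
    echo "runtime-only"; return 1    # will vanish on the next reload or reboot
  elif [ $in_permanent -eq 0 ]; then
    echo "permanent-only"; return 1  # the question's state: saved, not effective
  else
    echo "absent"; return 0
  fi
}

# open_port_both: write the saved config, reload so it becomes effective,
# then compare runtime and permanent views. Needs root and a running firewalld.
open_port_both() {
  firewall-cmd --zone="$ZONE" --permanent --add-port="$PORT" >/dev/null
  firewall-cmd --reload >/dev/null
  runtime=$(firewall-cmd --zone="$ZONE" --list-ports)
  permanent=$(firewall-cmd --zone="$ZONE" --permanent --list-ports)
  config_drift "$runtime" "$permanent" "$PORT"
}

# Only touch the live firewall when explicitly asked and firewall-cmd exists.
if [ "${RUN_LIVE:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
  open_port_both
fi
```

Run with `RUN_LIVE=1 sudo sh script.sh` on the host; without RUN_LIVE it only defines the functions, and `config_drift` can be fed the two list outputs by hand to audit an existing zone.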