[CentOS] firewalld and LISTEN

Sun Jul 30 16:25:13 UTC 2017
Alexander Dalloz <ad+lists at uni-x.org>

Am 30.07.2017 um 07:06 schrieb 望月忠雄:
> Please teach me one more.
> By 'firewall-cmd --list' its answer is following.
> external (active)
>    target: default
>    icmp-block-inversion: no
>    interfaces: eth0
>    sources:
>    services: dns ftp http https imaps pop3s smtp ssh
>    ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>    protocols:
>    masquerade: yes
>    forward-ports:
>    sourceports:
>    icmp-blocks:
>    rich rules:
> Now I can use http normally.
> And 'ss -nat' shows 80 ports used.
> But in avobe firewalld lists, there's  http service, but isn't 80/tcp.port.
> Must I add 80/tcp.port?
> Tadao


you can define rule either by using services or ports. You have partly 
doubled that config by using both a service definition and a port 
definition. For instance service ssh and port 22/tcp. Same for smtp and 
port 25.

You find the list of pre-defined services under 

To give you an example. You can define

# firewall-cmd --permanent --zone=public --add-service=http

which enables port 80/tcp for the public zone. You can check how the 
service is defined by

# firewall-cmd --info-service=http

You could achieve the same port opening by issuing

firewall-cmd --zone=public --add-port=80/tcp

More or less a matter of taste how to define things. But you better 
avoid causing doubled rules.

See your "iptables -L -n -v --line" output and you'll find multiple 
rules defined 2 times.