You may need to add or remove ports while the firewall is disabled. In that case you can use firewall-offline-cmd, the offline command-line client of the firewalld daemon, to add or remove a port while the firewall is not active.
Note: Use the firewall-offline-cmd command to add or remove ports only when the firewall is disabled.
Verify Firewall Status
Before proceeding, make sure that the firewall status is inactive (dead).
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:firewalld(1)
As per the above output the firewall status is inactive (dead).
Adding a port to the default zone
1. The syntax to add a port with firewall-offline-cmd is:
# firewall-offline-cmd --add-port=[port]/tcp
2. Now try adding port 9988:
# firewall-offline-cmd --add-port=9988/tcp
Adding port '9988/tcp' to default zone.
success
When you do not provide a zone name, the port is added to the default zone (public in the output below).
3. To verify port addition:
# firewall-offline-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports: 9988/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Adding a port to a specific zone
1. The syntax to add a port to a specific zone is:
# firewall-offline-cmd --zone=[zone-name] --add-port=[port]/tcp
2. Add port 9988 to the "myzone" zone, for example:
# firewall-offline-cmd --zone=myzone --add-port=9988/tcp
success
Here port 9988/tcp has been added to the “myzone” zone.
3. To verify port addition:
# firewall-offline-cmd --zone=myzone --list-all
myzone
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports: 9988/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
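The note above says to use firewall-offline-cmd only while the firewall is disabled. The following wrapper is an added example, not part of the original article: it refuses to run while firewalld is active, validates the port/protocol argument, adds the port and then confirms it with --query-port. The function names and the SYSTEMCTL and FW_OFFLINE_CMD override variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: only call firewall-offline-cmd while firewalld is stopped.
# SYSTEMCTL and FW_OFFLINE_CMD are hypothetical override variables used to
# substitute the two commands (for instance in tests).

# Succeeds for PORT/PROTO with PORT in 1-65535 and PROTO tcp or udp
# (restricting to tcp/udp is a choice made by this example).
valid_port_spec() {
    case $1 in */*) ;; *) return 1 ;; esac
    port=${1%/*}
    proto=${1#*/}
    case $proto in tcp|udp) ;; *) return 1 ;; esac
    case $port in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#port}" -le 5 ] && [ "$port" -le 65535 ]
}

# Succeeds only when firewalld is known not to be running.
firewalld_is_stopped() {
    svc_rc=0
    ${SYSTEMCTL:-systemctl} is-active --quiet firewalld || svc_rc=$?
    case $svc_rc in
        0|126|127) return 1 ;;   # active, or systemctl unusable: fail closed
        *) return 0 ;;
    esac
}

# offline_add_port PORT/PROTO [ZONE]
# Returns 0 ok, 2 bad spec, 3 firewalld active, 4 add failed, 5 verify failed.
offline_add_port() {
    spec=$1
    zone=${2:-}
    if ! valid_port_spec "$spec"; then
        echo "invalid port spec '$spec' (expected e.g. 9988/tcp)" >&2
        return 2
    fi
    if ! firewalld_is_stopped; then
        echo "firewalld is active; refusing to use firewall-offline-cmd" >&2
        return 3
    fi
    set --                       # positional parameters hold the optional zone
    if [ -n "$zone" ]; then set -- "--zone=$zone"; fi
    ${FW_OFFLINE_CMD:-firewall-offline-cmd} "$@" "--add-port=$spec" || return 4
    ${FW_OFFLINE_CMD:-firewall-offline-cmd} "$@" "--query-port=$spec" >/dev/null || return 5
}

# Usage: sh offline-add-port.sh 9988/tcp [zone]   (script name is hypothetical)
if [ "$#" -gt 0 ]; then offline_add_port "$@"; fi
```

A port given as 9988:tcp is rejected before any command runs, because the separator must be a slash.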
Removing a port
1. To remove a port from the default zone:
# firewall-offline-cmd --remove-port=[port]/tcp
2. To remove it from a specific zone:
# firewall-offline-cmd --zone=[zone-name] --remove-port=[port]/tcp
3. To verify port removal, use the commands below:
For the default zone:
# firewall-offline-cmd --list-all
For a specific zone (myzone):
# firewall-offline-cmd --zone=myzone --list-all
To learn more about the firewall-offline-cmd command, see its man page:
$ man firewall-offline-cmd