Linux FirewallD Rules

The task was to open port 6000 on firewalld

My Proposed Solution:

firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 port port="6000" protocol=tcp accept'
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 port port="6000" protocol=tcp accept' --permanent

Result:

[root@stbkp01 ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" port port="6000" protocol="tcp" accept

However, the task was marked as failed. Now, on the one hand I can see why, but it looks like you are not correctly checking that port 6000/tcp is open, but rather checking only a specific portion of the firewalld config. There are many ways to achieve this, and I believe this is successful. For future labs I will add port 6000/tcp to "Ports" instead of adding a rich rule; however, I still believe this should be marked as successful.

Kind Regards
Richard A. Forth

For the record, my alternative method would be

firewall-cmd --zone=public --add-port=6000/tcp
firewall-cmd --zone=public --add-port=6000/tcp --permanent

However, I believe both achieve the same result. I would recommend having an app that listens on port 6000 and checking that 6000/tcp is open, as that would catch both methods, or even a third method of creating a custom service to open 6000/tcp in /usr/lib/firewalld/services; all of these are valid ways to open port 6000/tcp on the firewalld setup.
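The post lists three equally valid ways of opening 6000/tcp (an entry under "ports:", a rich rule, or a custom service) and argues that a validator should accept all of them. The script below is an added example written for this page, not the lab's own validator and not code from the post: it parses the text that `firewall-cmd --zone=<zone> --list-all` prints and returns "open" if any of the three methods opens the port, plus a `--live` mode that compares the config view with a real listener, which is the check the post recommends. The four zone outputs, the service name `lab6000` and its XML file are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: a validator that accepts any of the three ways of opening
# a port in firewalld (ports: line, rich rule, or a service whose XML lists
# the port). All sample data below is constructed, not captured from a lab host.

# Sample zone output with the port opened via a rich rule (as in the post).
ZONE_RICH='public
  target: default
  services: dhcpv6-client ssh
  ports:
  rich rules:
        rule family="ipv4" port port="6000" protocol="tcp" accept'

# Sample zone output with the port opened via --add-port.
ZONE_PORTS='public
  target: default
  services: dhcpv6-client ssh
  ports: 6000/tcp
  rich rules:'

# Sample zone output with the port opened via a custom service "lab6000" (assumed name).
ZONE_SERVICE='public
  target: default
  services: dhcpv6-client ssh lab6000
  ports:
  rich rules:'

# Sample zone output that must NOT pass: a different port, and a rich rule that rejects.
ZONE_CLOSED='public
  target: default
  services: dhcpv6-client ssh
  ports: 6001/tcp
  rich rules:
        rule family="ipv4" port port="6000" protocol="tcp" reject'

# service_opens_port <service-dir> <service> <port> <proto>
# Looks for a <port port="N" protocol="P"/> element in the service XML, in
# either attribute order. Real definitions live in /usr/lib/firewalld/services
# (vendor) and /etc/firewalld/services (local overrides).
service_opens_port() {
  local dir="$1" svc="$2" port="$3" proto="$4"
  [ -r "$dir/$svc.xml" ] || return 1
  grep -Eq "<port[[:space:]]+(port=\"$port\"[[:space:]]+protocol=\"$proto\"|protocol=\"$proto\"[[:space:]]+port=\"$port\")" "$dir/$svc.xml"
}

# port_open_in_zone <list-all output> <port> <proto> <service-dir>
# Returns 0 when the zone opens port/proto by any of the three methods, else 1.
port_open_in_zone() {
  local conf="$1" port="$2" proto="$3" dir="$4" svcs svc
  # 1) a whole-token entry on the "ports:" line (so 16000/tcp or 60000/tcp do not match)
  if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*ports:([[:space:]]+[^[:space:]]+)*[[:space:]]+$port/$proto([[:space:]]|\$)"; then
    return 0
  fi
  # 2) a rich rule naming exactly this port/protocol whose action is accept
  if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*rule .*port port=\"$port\" protocol=\"$proto\".*[[:space:]]accept([[:space:]]|\$)"; then
    return 0
  fi
  # 3) any service on the "services:" line whose definition contains the port
  svcs=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p')
  for svc in $svcs; do
    service_opens_port "$dir" "$svc" "$port" "$proto" && return 0
  done
  return 1
}

# Throwaway service directory holding the constructed "lab6000" service.
SVC_DIR=$(mktemp -d)
trap 'rm -rf "$SVC_DIR"' EXIT
cat > "$SVC_DIR/lab6000.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>lab6000</short>
  <port protocol="tcp" port="6000"/>
</service>
EOF

# verdict <list-all output>: prints "open" or "closed" for 6000/tcp.
verdict() { port_open_in_zone "$1" 6000 tcp "$SVC_DIR" && echo open || echo closed; }

for z in "$ZONE_RICH" "$ZONE_PORTS" "$ZONE_SERVICE" "$ZONE_CLOSED"; do
  printf 'rich/ports/service/closed sample -> %s\n' "$(verdict "$z")"
done

# --live: on a real host, check the config view against local and vendor service
# definitions, then confirm something is actually listening on 6000/tcp.
if [ "${1:-}" = "--live" ]; then
  conf=$(firewall-cmd --zone=public --list-all)
  port_open_in_zone "$conf" 6000 tcp /etc/firewalld/services \
    || port_open_in_zone "$conf" 6000 tcp /usr/lib/firewalld/services \
    || { echo "6000/tcp not opened by any method"; exit 1; }
  ss -ltn | grep -q ':6000 ' || { echo "nothing listening on 6000/tcp"; exit 1; }
  echo "6000/tcp is open and has a listener"
fi
```

Run it as-is to see the four sample verdicts, or with `--live` on a firewalld host. A rule that rejects the port, or a neighbouring port such as 6001/tcp, is deliberately reported as closed; the regexes match whole `port/proto` tokens so that superstrings like 16000/tcp do not count.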

@urbansumo

Thanks for reporting this. You are right. Your answer has been marked as Success. There was a minor issue with validation which is fixed now.

Many Thanks :slight_smile:

:smiling_face_with_three_hearts: