In the previous version of Ask Fedora, I asked how I could open a TCP port using firewall-config; that forum is now gone and I forgot how to do it.
Can someone provide all the steps again? Thanks in advance!
Hello delacosta78,
If you want to open up a TCP port, first open the terminal. Now that it's open, say for example you wanted to open port 8080 (just as an example), you would type in firewall-cmd --zone=dmz --add-port=8080/tcp
To get a list of active ports that are open, just type in firewall-cmd --zone=dmz --list-ports
I believe you have to do this with sudo privileges.
I hope this helps.
Hi @donaldsmouse! Welcome to the ask.fedora community! Please do take a few minutes to go over the introductory posts in #start-here when you have the time. They contain lots of useful information.
@delacosta78, to expand a bit on @donaldsmouse's answer, here's a useful link to Fedora quickdocs on the matter.
In addition to info on opening the port it also contains other useful tips and info about firewalld.
One other tip for better understanding firewalld is using the GUI application. It can be installed with
sudo dnf install firewall-config
but I think it's installed by default. Start typing "firewall" in gnome's launcher to find it.
It's very useful to see in the GUI which services firewalld knows about by default, which ports are associated with these services, which connections belong to which zones and such. It also allows changing the configuration (and opening ports).
Also keep in mind that the easiest way to manage open/closed ports in firewalld is with the use of services. By default it knows quite a few (with default ports associated with the services).
So if you want to temporarily allow access to a webserver, for example, on your machine, you can use the following command:
sudo firewall-cmd --add-service http
This way it's easy to understand what you have opened access to, not just some random numbers.
The difference between temporary vs. permanent configuration changes is in the quickdoc I've linked to.
I also want to share my way of managing FirewallD ports/services. While the direct way @donaldsmouse provided is totally ok to open a couple of ports, especially for short-term use, I don't like it very much as a permanent solution. When you have quite a number of them, it could be difficult to remember which port you need for what exactly. Or when you need to open the port only sometimes.
So I use a method that is a bit more involved, but easier to manage in the long term. I add my own service definitions to firewalld.
It's easy to do. Service definitions are small xml files, easy to read and change with any text editor.
Let's say for example I want to allow sshd access to my machine, but to change the port from the default 22 to something harder to guess.
I usually copy one of the default service.xml files as a template for my own, and rename it to something unique.
sudo cp -v /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/my-ssh.xml
Then I change anything I want in the new file: protocol and port to the one I need, description to remember what it's for or why I do it this way, etc.
For firewalld to see new files/services or changes to the existing files we need
sudo firewall-cmd --complete-reload
and then we can allow our new service (i.e. open a new port):
sudo firewall-cmd --add-service=my-ssh --zone=my-zone
sudo firewall-cmd --runtime-to-permanent
It's then easy to manage (open/close) the ports I need by service name, not port numbers. Also one service can have a number of ports associated with it, and I don't have to remember the numbers.
And if I need to transfer my custom service definitions to another computer, I just copy the files I need.
Hi @delacosta78,
the old ask forum is not completely gone. So if you want to search something there and don't have the time to wait for an answer here, you can go to https://askbot.fedoraproject.org and locate the Q/A there. Since the search function on the old askbot isn't really good, you can also use a meta search.
I just realised there was a quick-doc about this:
Would you perhaps review it and improve it? We could link to it directly in the future.
Yep, I've given a link to it in my reply.
I can try, I think, but I'll need an editor; I tend to go into too much detail. Time is also a bit of a problem for me. Giving a few tips here (even with too much detail) is one thing, writing clear documentation is another level entirely.
Sure, the quick doc already looks quite complete. If you could verify the info there, we can remove the "unreviewed" warning that it has on the top of the page. Lots of folks on the docs team there to help/review, so no need to worry about that bit.
Hello and thank you for your reply, however I don't want to open a demilitarized zone, I didn't need to do that before, just to open the port I needed.
Hello @florian, thank you for your suggestion, I found the one I created there and I'm going to paste the instructions here, that's what I was looking for!:
A bit more details would be helpful (used Fedora version, your networking setup). Assuming you're on a recent version, i.e. having firewalld and firewall-config, and that it's the firewall on your machine that's the culprit (rather than some other router), try this:
1. Start firewall-config (that's "Firewall" in the desktop menus I believe). Enter the password when asked (your own or root's, depending on if your user is configured as an administrator or not).
2. Select Permanent from the Configuration drop-down.
3. In the Services tab, select the transmission-client service.
4. Click Add, add 65432 as the port, leave tcp as the protocol and click OK.
5. In Zones → Services enable the transmission-client service for your network zone (the default zone is shown in the lower right of the window).
6. Use Options → Reload firewalld to make the changes effective.
What I didn't specify however is that I needed to open a port for Transmission, so I clarify that.
With the cli commands, opening the default port for the Transmission client would be:
sudo firewall-cmd --add-service=transmission-client
sudo firewall-cmd --runtime-to-permanent
Also please note that with the default Fedora configuration (with the firewalld zone called "FedoraWorkstation" used), all ports higher than 1026 are open. Meaning that transmission ports are open too by default.
Hello and thank you for your contribution.
Do you mean I don't have to follow the steps I posted earlier?
Well, this part:
means exactly that: you don't have to follow the steps you've posted, IF you haven't changed the default firewalld configuration.
One more note: open ports for transmission are needed so that other clients from the Internet can connect to your client, so that they can receive parts of the downloads that you already have and they don't.
But such connections (incoming connections) could also be blocked by your Internet provider and/or your home router. So open ports on your computer don't guarantee that other clients can connect to yours.
And transmission will work even if nobody is able to connect to you, it'll just be a bit slower to start new downloads, as all the connections would have to be made by your client, not by other clients in the network.
And this part:
does the same as the steps you've posted, but in cli, not in the GUI program.
With one exception: the author adds port 65432 to be open in addition to the default transmission one (which is 51413), but I couldn't find any reference to transmission using this port, and he doesn't explain why he does it.
I see…
I know…
Yes, I know…
Right…
Ohhh!, cool!..
That's just a random port I've been using for a long time, it worked when I was on Windows, it should work on Fedora as well, right?
@delacosta78, sorry to bother you with unnecessary details then )
It totally would work, I do use transmission with a non-standard port as well.
You don't need to apologize, you had to clarify the concepts.
If I want to open a port for another application, such as Emby, should I replace the word transmission, like this?:
sudo firewall-cmd --add-service=emby
sudo firewall-cmd --runtime-to-permanent
No, you can use only those names/services firewalld knows about. The list is quite large (about 150 services by default), but Emby isn't among them.
You can get the list of all services firewalld knows about with
sudo firewall-cmd --get-services
The list you get is not very easy to read though.
It may be more convenient to page through all the services in the GUI (with firewall-config we've talked about already in this thread).
As I've written in my first reply, new services are very easy to add to this list: using the GUI, by adding/editing xml files or using cli commands.
@nightromantic, then I have to repeat the steps in post #9, right?:
@delacosta78, as you want to add a new service, not to change one that was already there, you'll need to change several steps from post #9 accordingly:
Here we'll add a new service by pressing the plus button under the service names list.
Fill in the new service name, for example my-emby. I like to prefix service names I add with "my-" so that I can easily find them in the future. Click OK to close the window.
Now select the newly created service name in the Services tab.
Click on Add, add the port numbers and protocol (tcp/udp) required. One service can have several different ports open, and also can have port ranges open, i.e. 8080-8090.
Something like this
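The custom-service approach from the xml-file reply earlier in the thread and the GUI steps just above produce the same thing: a service definition file under /etc/firewalld/services. The script below is an added example (not from this thread or the firewalld project) that generates such a file for a service like my-emby from a list of port/protocol specs, rejecting malformed specs before anything is written under /etc. The port numbers are assumed for illustration; the install_service helper mirrors the commands used in the thread and needs root, so it is not run here.

```shell
#!/bin/sh
# Hypothetical helper: reject anything that is not "<port>/<proto>" or
# "<low>-<high>/<proto>" with ports 1-65535 and a protocol firewalld
# accepts in a <port> element (tcp, udp, sctp, dccp).
valid_port_spec() {
  case $1 in
    */tcp|*/udp|*/sctp|*/dccp) ;;
    *) return 1 ;;
  esac
  spec=${1%/*}
  lo=${spec%-*}; hi=${spec#*-}
  for p in "$lo" "$hi"; do
    case $p in ''|*[!0-9]*) return 1 ;; esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$lo" -le "$hi" ]
}

# Print a service definition in the same shape as /usr/lib/firewalld/services/ssh.xml.
# Usage: make_service_xml NAME DESCRIPTION SPEC [SPEC...]
# Keep NAME and DESCRIPTION free of &, < and >; they are not XML-escaped here.
make_service_xml() {
  name=$1; desc=$2; shift 2
  [ $# -gt 0 ] || return 1
  for spec in "$@"; do valid_port_spec "$spec" || return 1; done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
  for spec in "$@"; do
    printf '  <port port="%s" protocol="%s"/>\n' "${spec%/*}" "${spec#*/}"
  done
  printf '</service>\n'
}

# Write the file and enable the service the way the thread does it (run as root).
# firewall-cmd --reload is enough to pick up a new service file; the thread's
# --complete-reload also works but drops connection-tracking state.
install_service() {
  name=$1; shift
  make_service_xml "$name" "$@" > "/etc/firewalld/services/$name.xml" || return 1
  firewall-cmd --reload
  firewall-cmd --add-service="$name"       # runtime, default zone
  firewall-cmd --runtime-to-permanent      # keep it across reloads
}

# Demo with assumed Emby ports (check your own server's settings):
make_service_xml my-emby "Emby media server (my own definition)" 8096/tcp 8920/tcp
```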
I stumbled upon this thread while trying to open the port for transmission to operate in active mode.
Besides the possible firewall modification (on a fresh F32 install all ports are open by default) and port forwarding (in case you are behind a router), transmission has a bug in its port checking mechanism.
On F32, transmission v3.0 is affected.
If you confirm that your port is indeed open on a site like canyouseeme.org, then append this line to the /etc/hosts file:
87.98.162.88 portcheck.transmissionbt.com
This forces transmission to use IPv4. More details on the github issue page.