Adding services to a firewalld zone

Each service file contains a list of ports that need to be opened for a particular service. Optionally, the service files may contain one or more destination addresses, or call in any needed modules, such as for connection tracking. For some services, all you need to do is open just one port. Other services, such as the Samba service, require that multiple ports be opened. Either way, it's sometimes handier to remember the service name that goes with each service, rather than the port numbers.

The service files are in the /usr/lib/firewalld/services directory. (Custom service files go in /etc/firewalld/services, and a file there overrides the packaged one with the same name.) You can list them by using the firewall-cmd command, just as you could with the list of zones:

[donnie@localhost ~]$ sudo firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[donnie@localhost ~]$

Before we add any more services, let's check which ones are already enabled:

[donnie@localhost ~]$ sudo firewall-cmd --list-services
[sudo] password for donnie:
ssh dhcpv6-client
[donnie@localhost ~]$

Here, ssh and dhcpv6-client are all we have.

The dropbox-lansync service would be very handy for us Dropbox users. Let's see which ports this opens:

[donnie@localhost ~]$ sudo firewall-cmd --info-service=dropbox-lansync
[sudo] password for donnie:
dropbox-lansync
ports: 17500/udp 17500/tcp
protocols:
source-ports:
modules:
destination:
[donnie@localhost ~]$

It looks like Dropbox uses port 17500 on UDP and TCP.

Now, let's say that we have our web server set up in the DMZ, with the dmz zone set as its default:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

As we saw previously, the Secure Shell port is the only one that's open. Let's fix that so that users can actually access our website:

[donnie@localhost ~]$ sudo firewall-cmd --add-service=http
success
[donnie@localhost ~]$

When we look at the information for the dmz zone once more, we'll see the following:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

Here, we can see that the http service is now allowed through. But look what happens when we add the --permanent option to this info command:

[donnie@localhost ~]$ sudo firewall-cmd --permanent --info-zone=dmz
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

Oops! The http service isn't here. What's going on?

For pretty much every command-line alteration of either zones or services, you need to add the --permanent option to make the change persistent across reboots. The two forms behave differently. Without --permanent, the change is made to the running (runtime) firewall and takes effect immediately, but it is lost on the next reboot or reload. With --permanent, the change is written only to the configuration files and does nothing until you reload the firewall configuration. That cuts both ways from a security standpoint: a port you opened at runtime silently closes again after a reboot, and a service you removed at runtime silently comes back if it is still in the permanent configuration. (If you have tested a runtime change and want to keep it, firewall-cmd --runtime-to-permanent copies the current runtime configuration into the permanent one.) To demonstrate this, I'm going to reboot the virtual machine to get rid of the http service.

Okay; I've rebooted, and the http service is now gone:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

This time, I'll add two services with just one command and specify that the change will be permanent:

[donnie@localhost ~]$ sudo firewall-cmd --permanent --add-service={http,https}
[sudo] password for donnie:
success
[donnie@localhost ~]$

You can add as many services as you need to with a single command, but you have to separate them with commas and enclose the whole list within a pair of curly brackets. Note that the curly brackets aren't firewall-cmd syntax: they're bash brace expansion, so the shell turns --add-service={http,https} into --add-service=http --add-service=https before firewall-cmd ever sees it. That's also why, unlike what we just saw with nftables, we can't have blank spaces within the curly brackets: a space stops bash from expanding the braces, and firewall-cmd would receive the unexpanded text and fail. Let's look at the results:

[donnie@localhost ~]$ sudo firewall-cmd --info-zone=dmz
dmz (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

Because we made this change with --permanent only, it hasn't taken effect in the running firewall yet. However, if we add the --permanent option to the --info-zone command, we'll see that the configuration files have indeed been changed:

[donnie@localhost ~]$ sudo firewall-cmd --permanent --info-zone=dmz
dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh http https
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[donnie@localhost ~]$

Now, we need to reload the configuration so that it will take effect:

[donnie@localhost ~]$ sudo firewall-cmd --reload
success
[donnie@localhost ~]$

Now, if you run the sudo firewall-cmd --info-zone=dmz command again, you'll see that the new configuration is in effect.

To remove a service from a zone, just replace --add-service with --remove-service.

Note that we never specified which zone we're working with in any of these service commands. That's because if we don't specify a zone, firewalld assumes that we're working with the default zone (sudo firewall-cmd --get-default-zone shows which one that is). If you want to add a service to a zone other than the default, just add the --zone= option to your commands.
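A zone's service list is only a set of names until it is resolved against the service files described at the start of this section. The following is an added Python example (my own code, not the book's and not part of firewalld) that does that resolution offline: it parses constructed service and zone XML in the layout of /usr/lib/firewalld/services and /etc/firewalld/zones, lists every port/protocol a zone actually exposes, and compares a runtime service list with a permanent one to flag the two situations the walkthrough ran into (a runtime-only service that would be lost on reboot, and a permanent-only service that isn't enforced until --reload). The sample XML, the 8000-8010 port range and the service lists are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample service files in the layout used under
# /usr/lib/firewalld/services (only <port> and <module> are read here).
SERVICE_FILES = {
    "ssh": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="22"/>
</service>""",
    "http": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="80"/>
</service>""",
    "https": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <port protocol="tcp" port="443"/>
</service>""",
    "samba": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>""",
}

# Constructed permanent zone file, as /etc/firewalld/zones/dmz.xml would look
# after --permanent --add-service={http,https}, plus a hypothetical raw port
# range to show that <port> entries are merged with the services.
DMZ_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <port protocol="tcp" port="8000-8010"/>
</zone>"""


def expand_port(spec):
    """Turn a firewalld port attribute ('22' or '8000-8010') into a range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return range(lo, hi + 1)


def parse_service(xml_text):
    """Return (ports, modules) from a service file; ports are (number, proto)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service file")
    ports = set()
    for p in root.findall("port"):
        for number in expand_port(p.get("port")):
            ports.add((number, p.get("protocol")))
    modules = [m.get("name") for m in root.findall("module")]
    return ports, modules


def zone_exposure(zone_xml, service_files):
    """Resolve every <service> and <port> in a zone file to concrete ports."""
    root = ET.fromstring(zone_xml.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    exposed, modules = set(), set()
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in service_files:
            raise KeyError(f"zone references unknown service {name!r}")
        ports, mods = parse_service(service_files[name])
        exposed |= ports
        modules.update(mods)
    for p in root.findall("port"):
        for number in expand_port(p.get("port")):
            exposed.add((number, p.get("protocol")))
    return sorted(exposed), sorted(modules)


def runtime_drift(runtime_services, permanent_services):
    """Compare 'firewall-cmd --list-services' (runtime) output with
    'firewall-cmd --permanent --list-services' output for the same zone."""
    rt, pm = set(runtime_services.split()), set(permanent_services.split())
    return {
        "lost_on_reboot": sorted(rt - pm),  # runtime-only: gone after reload/reboot
        "pending_reload": sorted(pm - rt),  # permanent-only: not enforced yet
    }


if __name__ == "__main__":
    ports, mods = zone_exposure(DMZ_ZONE, SERVICE_FILES)
    print("dmz exposes:", " ".join(f"{n}/{proto}" for n, proto in ports))
    print("kernel modules needed:", mods)
    print(runtime_drift("ssh http", "ssh"))        # http added without --permanent
    print(runtime_drift("ssh", "ssh http https"))  # added with --permanent, no --reload
```

On a real host you would feed zone_exposure() the contents of the zone file and a dict built from the service files in both directories (with /etc/firewalld/services taking precedence), and feed runtime_drift() the two list-services outputs; anything in lost_on_reboot is a rule your running firewall depends on that no configuration file records.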