Using CentOS 7, I am trying to use firewall-cmd --zone=public --add-port=443/tcp --permanent to add 443 to my allowed ports. Unfortunately this throws the error ALREADY_ENABLED: 443:tcp. But when I use firewall-cmd --list-ports it does not show in the list ("80/tcp 3000/tcp 26900/tcp 26900/udp").
I suppose the issue is caused by a conflict between firewall-cmd and iptables. But I have no idea how to debug this, or if this might even be possible.
Calling firewall-cmd --list-all results in the following list:
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 3000/tcp 26900/tcp 26900/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Best Answer
The command you say you ran affects the permanent configuration, not the running configuration. But you are listing the running configuration. That is why you don't see them.
You may list the permanent configuration to confirm that the rule has been added successfully.
You may add the rule to the running configuration instead:
Or you may reload the running configuration from the permanent configuration:
Also remember that firewalld has defined services for common ports, so it's not usually necessary to open them by number. For example, instead of opening ports 80/tcp and 443/tcp you could instead say:
Finally, when possible, it's better to change rules in the running configuration, verify that they are working, and then save the configuration, rather than the reverse. This allows you a way to revert if something goes wrong and you accidentally lock yourself out of the system.
You can save the running configuration to the permanent configuration by running:
(But some operations only work on the permanent configuration, such as creating new zones. For these you must use --permanent and then immediately --reload the firewall.)
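The runtime-versus-permanent mismatch described in the answer can be checked mechanically. The script below is an added example, not part of the question or the answer: it compares a port against the two port lists firewalld reports and names the firewall-cmd step that brings them back in line. The helper names (has_port, port_state, advise) are my own, and the two port lists are constructed to match the question's situation rather than read from a live firewalld.

```shell
#!/bin/sh
# Classify a port against firewalld's runtime and permanent port lists.
# Each list is the space-separated output of
#   firewall-cmd --zone=public --list-ports
#   firewall-cmd --zone=public --list-ports --permanent
# has_port LIST PORT -> exit 0 if PORT (e.g. 443/tcp) appears in LIST
has_port() {
    for p in $1; do
        [ "$p" = "$2" ] && return 0
    done
    return 1
}

# port_state RUNTIME_LIST PERMANENT_LIST PORT
# prints one of: both, permanent-only, runtime-only, absent
port_state() {
    runtime=$1; permanent=$2; port=$3
    if has_port "$runtime" "$port"; then
        if has_port "$permanent" "$port"; then echo both; else echo runtime-only; fi
    else
        if has_port "$permanent" "$port"; then echo permanent-only; else echo absent; fi
    fi
}

# advise PORT STATE -> the firewall-cmd step that closes the gap
advise() {
    case $2 in
        permanent-only) echo "firewall-cmd --reload   # or: firewall-cmd --add-port=$1" ;;
        runtime-only)   echo "firewall-cmd --runtime-to-permanent" ;;
        absent)         echo "firewall-cmd --add-port=$1 && firewall-cmd --runtime-to-permanent" ;;
        both)           echo "nothing to do" ;;
    esac
}

# Constructed sample matching the question: 443/tcp was added with
# --permanent only, so it is in the permanent list but not the runtime one.
RUNTIME="80/tcp 3000/tcp 26900/tcp 26900/udp"
PERMANENT="80/tcp 3000/tcp 26900/tcp 26900/udp 443/tcp"

# Against a real firewalld, replace the constructed lists with:
#   RUNTIME=$(firewall-cmd --zone=public --list-ports)
#   PERMANENT=$(firewall-cmd --zone=public --list-ports --permanent)
for port in 443/tcp 80/tcp 8080/tcp; do
    state=$(port_state "$RUNTIME" "$PERMANENT" "$port")
    printf '%-10s %-15s %s\n' "$port" "$state" "$(advise "$port" "$state")"
done
```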