@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
I've not seen something like that for iptables/netfilter.

Not sure about simulating, but you can always send packets at it and use iptables -v to see the counters.

@dustinb3403 said in CentOS 7 enabling Telnet:

And I got the port forwarding to work.

firewall-cmd --zone=public --add-forward-port=port=9090:proto=tcp:toport=23

I can now telnet to my server on port 9090 (which forward to 23).

Nice!

@dustinb3403 ok got it, weird one

Oops. :-)

@Reid-Cooper said in Open source Firewall:

pfSense was really good in the past. But I agree, the days of building your own firewall on an old PC that you have are over.

Right - the cost just isn't worth running your old PC. Power alone will cost more than the cost of an ER-X or ER-L.

This is good. I'm sure many newbies miss the firewall currently because of 1511.

@stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

@coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

@stacksofplates said in Open Firewall Ports on CentOS 7 and RHEL 7:

@coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

@scottalanmiller said in Open Firewall Ports on CentOS 7 and RHEL 7:

@coliver said in Open Firewall Ports on CentOS 7 and RHEL 7:

Did anyone ever figure out if there was a way to setup files for firewalld? Or was the XML service files the way to go?

XML I think.

That's what I was afraid of. We're using IPTables on all of our OEL7 servers right now but I think moving to the default firewalld may be a good idea. I'll have to look into the XML config and see how much more difficult, if at all, it is over the IPTables file. It's a shame we can't just copy a single file around anymore but the XML files probably won't be too much more difficult.

Ya it's not bad at all. Here's the config from my Identity Management server. It's pretty similar to /etc/sysconfig/system-config-firewall on RHEL 6, just in zone specific XML files.

<zone> <short>Public</short> <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description> <service name="http"/> <service name="https"/> <service name="ntp"/> <service name="dhcpv6-client"/> <service name="kerberos"/> <service name="ldaps"/> <service name="ssh"/> <service name="dns"/> <service name="ldap"/> </zone>

Those services are predefined right? You can also build your own services via the same process.

Ya and you can define specific ports. I prob could have grabbed a better example.

No, I think I've got it just need to investigate actually setting these up.

@travisdh1 Workaround? Use iptables? Fedora? CentOS6? Ubuntu? Hm.....

@scottalanmiller said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

@scottalanmiller said:

@JaredBusch said:

While I have never made a how to with a port range, the basic firewalld syntax is used all over the place on this forum by me and every system that I have ever seen that accepts a port range does so with the range hyphenated from lower boundary to upper boundary.

I would have thought that this was a colon, though, not a hyphen.

I have never seen it commonly used with a colon to represent a range

Native IPTables. :)

I rarely work with native IPTables. That would explain a difference in point of view.

Yeah, and for me I pretty much have done raw edits on /etc/sysconfig/iptables and never used external tools. Now with FirewallD I'm relearning the syntax for everything on Linux firewalls.

Well, at least I'm not the only one then. Learning how to use firewall-cmd still feels a bit odd.