Introduction
In Fedora/CentOS/RedHat, the firewall is on by default. This is a good secure-by-default practice. If you do not know that the firewall is on, though, you may wonder why a web service that is listening on your machine works fine locally but cannot be reached from other hosts.
This example will demonstrate how to open inbound ports and also how to check what ports, services, and zones are available on your machine.
Show current rules
Some rules may have been added as ports or as services.
firewall-cmd --list-all
firewall-cmd --list-ports
firewall-cmd --list-services
List zones
Before adding a rule you need to know which zone you are adding it to. You can list all the zones with the following command.
firewall-cmd --list-all-zones
In most common cases, you want to use the public zone or FedoraServer to allow or block traffic to the machine from other IPs.
Add a service/port
Note the difference between --add-service and --add-port. Services can be defined in /etc/services.
firewall-cmd --add-port=8009/tcp --permanent
firewall-cmd --reload
Without the --permanent flag, the rule will not persist after a reboot.
You may want to specify the zone. Usually omitting it and leaving it to the default is what you want.
firewall-cmd --add-port=8009/tcp --permanent --zone=public
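As an added example (not from the original post), the add-then-reload steps above can be wrapped in a small POSIX shell helper that checks the zone's runtime port list first, persists the rule, reloads, and verifies the result instead of trusting exit codes alone. FIREWALL_CMD is an assumed variable so the binary can be swapped out for testing.

```shell
#!/bin/sh
# Added helper around firewall-cmd (not part of the original post). Opens a
# port only when it is not already open in the zone, persists it, reloads,
# and verifies. FIREWALL_CMD is an assumed variable so the binary can be swapped.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print the zone to act on: the explicit argument, or firewalld's default zone.
resolve_zone() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        "$FIREWALL_CMD" --get-default-zone
    fi
}

# Return 0 if PORT/PROTO is in the zone's runtime port list, 1 otherwise.
# --list-ports prints space-separated entries such as "8009/tcp 443/tcp".
port_is_open() {
    port_spec="$1"; zone="$2"
    for entry in $("$FIREWALL_CMD" --zone="$zone" --list-ports); do
        [ "$entry" = "$port_spec" ] && return 0
    done
    return 1
}

# Open PORT/PROTO permanently in ZONE (default zone when empty), reload, and
# verify. Skips the change when the port is already open. Prints the action.
ensure_port_open() {
    port_spec="$1"
    zone=$(resolve_zone "$2")
    if port_is_open "$port_spec" "$zone"; then
        printf 'already-open %s in %s\n' "$port_spec" "$zone"
        return 0
    fi
    # --permanent alone only edits the saved config; --reload applies it.
    "$FIREWALL_CMD" --zone="$zone" --add-port="$port_spec" --permanent >/dev/null || return 1
    "$FIREWALL_CMD" --reload >/dev/null || return 1
    # Check the runtime list rather than trusting the exit codes alone.
    if port_is_open "$port_spec" "$zone"; then
        printf 'opened %s in %s\n' "$port_spec" "$zone"
    else
        printf 'failed-to-open %s in %s\n' "$port_spec" "$zone" >&2
        return 1
    fi
}

# Usage: sh open-port.sh 8009/tcp [zone]
if [ "$#" -gt 0 ]; then
    ensure_port_open "$@"
fi
```

Run it as root on a firewalld host; running it twice for the same port is safe because the second run reports the port as already open and changes nothing.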
Remove a service/port
To remove a port, follow a similar process but call --remove-port or --remove-service. Be sure to reload as well.
firewall-cmd --remove-port=8009/tcp --permanent
firewall-cmd --reload
Conclusion
After reading this, you should understand how to open inbound ports on firewalld in Linux using firewall-cmd.