Examples of how to open firewall ports

Use these examples as a reference for opening firewall ports on different operating systems, if required. It is recommended to restrict port traffic to only the required network or adapters.

Red Hat Enterprise Linux and CentOS

  • Issue the following command to list currently open ports.
    firewall-cmd --list-ports
  • Issue the following command to list zones.
    firewall-cmd --get-zones
  • Issue the following command to list the zone containing eth0.
    firewall-cmd --get-zone-of-interface=eth0
  • Issue the following command to open port 1191 for TCP traffic in the running firewall. This change is lost when firewalld is reloaded or restarted.
    firewall-cmd --add-port 1191/tcp
  • Issue the following command to open port 1191 for TCP traffic after a reboot. Use this command to make changes persistent. Note that --permanent writes only the saved configuration; the rule takes effect after the firewall is reloaded or restarted, so to open the port now and keep it open run both commands.
    firewall-cmd --permanent --add-port 1191/tcp
  • Issue the following command to open a range of ports.
    firewall-cmd --permanent --add-port 60000-61000/tcp
  • Issue the following commands to stop and start the firewall. Restarting discards runtime-only changes and loads the permanent configuration.
    systemctl stop firewalld 
    systemctl start firewalld

SLES

  1. Open the YaST tool by issuing the following command: yast
  2. Click Security and Users > Firewall.
  3. Select the Allowed Services tab and click Advanced....
  4. Enter the desired port range in the from-port-start:to-port-end format and specify the protocol (TCP or UDP). For example, enter 60000:60010 to open ports 60000 to 60010.
  5. Click OK to close the Advanced dialog box.
  6. Click Next and review the summary of your changes.
  7. Click Finish to apply your changes.

Ubuntu and Debian

  • Issue the following command to open port 1191 for TCP traffic.
    sudo ufw allow 1191/tcp
  • Issue the following command to open a range of ports.
    sudo ufw allow 60000:61000/tcp
  • Issue the following commands to stop and start Uncomplicated Firewall (UFW). While UFW is disabled no rules are enforced; the rules are kept and are applied again on enable.
    sudo ufw disable 
    sudo ufw enable

Microsoft Windows Server 2008 R2

  1. Open the Windows Firewall utility: Control Panel > Administrative Tools > Windows Firewall with Advanced Security
  2. Add new inbound and outbound rules as required. Select Inbound Rules or Outbound Rules, click New Rule, choose the Port rule type and enter the protocol and port numbers. To restrict the rule to the required network, open the rule's properties and set the remote IP addresses on the Scope tab.

Firewall configuration using iptables

The iptables utility is available on most Linux® distributions to set firewall rules and policies. These Linux distributions include Red Hat Enterprise Linux 6.8, Red Hat Enterprise Linux 7.x, CentOS 7.x, SLES 12, Ubuntu, and Debian. Before using these commands, check which firewall zones might be enabled by default. On systems where firewalld manages the rule set, firewalld populates the built-in INPUT and OUTPUT chains itself, so a rule must be added to the chain that belongs to the zone in question rather than to INPUT or OUTPUT. See the following Red Hat Enterprise Linux 7.x example for one such case.

  • Issue the following commands to list the current firewall rules, as rule specifications and as a table.
    sudo iptables -S 
    sudo iptables -L
  • Issue the following command to open port 1191 (GPFS) for inbound TCP traffic from internal subnet 172.31.1.0/24.
    sudo iptables -A INPUT -p tcp -s 172.31.1.0/24 --dport 1191 -j ACCEPT
  • Issue the following command to allow outbound TCP traffic from local port 1191 (GPFS) to internal subnet 172.31.1.0/24. Because it matches on the source port (--sport), this rule covers packets sent by the local GPFS daemon; it does not match connections that this node opens to port 1191 on other nodes.
    sudo iptables -A OUTPUT -p tcp -d 172.31.1.0/24 --sport 1191 -j ACCEPT
  • Issue the following command to allow outbound TCP traffic from local port 445 (SMB) to external subnet 10.11.1.0/24 and only for adapter eth1. As above, the match is on the source port, so it covers traffic sent by the local SMB server.
    sudo iptables -A OUTPUT -o eth1 -p tcp -d 10.11.1.0/24 --sport 445 -j ACCEPT
  • Issue the following command to open port 445 (SMB) for inbound TCP traffic to a range of CES IPs (10.11.1.5 through 10.11.1.11) and only for adapter eth1.
    sudo iptables -A INPUT -i eth1 -p tcp -m iprange --dst-range 10.11.1.5-10.11.1.11 --dport 445 -j ACCEPT
  • Issue the following command to allow traffic arriving on the internal network adapter, eth1, to be forwarded out through the external network adapter, eth0. Forwarding also requires IP forwarding to be enabled in the kernel (net.ipv4.ip_forward).
    sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
  • [Red Hat Enterprise Linux 7.x specific] Issue the following command to open Chef port 8889 for inbound traffic from subnet 10.18.0.0/24 on eth1 within the public zone.
    iptables -A IN_public_allow -i eth1 -p tcp -s 10.18.0.0/24 --dport 8889 -j ACCEPT
  • Issue the following command to save firewall rule changes so that they persist across a reboot. iptables-save only writes the current rule set to standard output, so its output must be redirected to the file that is restored at boot: /etc/sysconfig/iptables on Red Hat Enterprise Linux and CentOS with the iptables-services package (where service iptables save does the same), or /etc/iptables/rules.v4 on Debian and Ubuntu with the iptables-persistent package.
    sudo sh -c 'iptables-save > /etc/sysconfig/iptables'
  • Issue the following commands to stop and start the iptables service.
    service iptables stop
    service iptables start 
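The following script applies the recommendation at the top of this page (restrict each opened port to the network that needs it) through whichever of the three tools described above the host has. It is an added example and is not part of the original page or of IBM's own tooling; the function and variable names (open_port, validate_port, validate_cidr, ipt_add and the FW_* variables) are this example's own. The firewalld branch uses a rich rule so that the source restriction is expressed in firewalld itself and applies the rule to both the running and the permanent configuration; the ufw branch uses the from/to form; the iptables branch appends rules idempotently, adds the stateful return-traffic rules that make per-port --sport rules unnecessary, and redirects iptables-save to a file so the rules are actually persisted.

```shell
#!/bin/sh
# Added example, not from the original page or from IBM. Opens one port or a
# port range for TCP/UDP traffic, restricted to a source subnet, using the
# firewall front end the host has. All names below are this example's own.
#   FW_BACKEND=firewalld|ufw|iptables  override autodetection
#   FW_ZONE=public                     firewalld zone (see --get-zone-of-interface)
#   FW_SAVE_FILE=/path                 where the iptables branch writes iptables-save output
#   FW_DRY_RUN=1                       print the commands instead of running them

run_cmd() {
    # Dry run: print argv joined by spaces. Otherwise execute it (run as root).
    if [ "${FW_DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

validate_port() {
    # Accept "N" or "LOW-HIGH" with 1 <= LOW <= HIGH <= 65535.
    case "$1" in
        ""|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${1%-*}; hi=${1#*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

validate_cidr() {
    # Accept a.b.c.d or a.b.c.d/N; a bare address is treated as a /32 host.
    case "$1" in
        ""|*[!0-9./]*|*/*/*) return 1 ;;
    esac
    addr=${1%/*}; plen=${1#*/}
    [ "$addr" = "$1" ] && plen=32
    [ -n "$plen" ] && [ "$plen" -le 32 ] || return 1
    rest=$addr.; n=0                      # walk the dotted quad octet by octet
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

fw_firewalld() {   # $1 port  $2 proto  $3 source  ($4 iface unused: the zone maps it)
    zone=${FW_ZONE:-public}
    rule="rule family=\"ipv4\" source address=\"$3\" port port=\"$1\" protocol=\"$2\" accept"
    # --permanent alone changes only the saved configuration, so apply the rule
    # to the running firewall as well.
    run_cmd firewall-cmd --zone="$zone" --add-rich-rule="$rule"
    run_cmd firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
}

fw_ufw() {
    port=$(printf '%s' "$1" | tr '-' ':')           # ufw spells ranges LOW:HIGH
    iface=""; [ -n "$4" ] && iface="in on $4"
    run_cmd ufw allow $iface from "$3" to any port "$port" proto "$2"   # ufw persists this itself
}

ipt_add() {
    # Append only if an identical rule is not already present (-C = check),
    # so re-running the script does not stack duplicate rules.
    if [ "${FW_DRY_RUN:-0}" = "1" ] || ! iptables -C "$@" 2>/dev/null; then
        run_cmd iptables -A "$@"
    fi
}

fw_iptables() {
    port=$(printf '%s' "$1" | tr '-' ':')           # iptables spells ranges LOW:HIGH
    iface=""; [ -n "$4" ] && iface="-i $4"
    ipt_add INPUT $iface -p "$2" -s "$3" --dport "$port" -j ACCEPT
    # Stateful rules for return traffic in both directions; needed when a chain
    # policy is DROP, and they replace per-port --sport rules for replies.
    ipt_add INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt_add OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # iptables-save only prints the rule set; redirect it to the file restored at
    # boot (/etc/sysconfig/iptables with iptables-services, /etc/iptables/rules.v4
    # with iptables-persistent). The path is supplied through FW_SAVE_FILE.
    if [ -n "$FW_SAVE_FILE" ]; then run_cmd sh -c "iptables-save > $FW_SAVE_FILE"; fi
}

detect_backend() {
    if   command -v firewall-cmd >/dev/null 2>&1; then echo firewalld
    elif command -v ufw          >/dev/null 2>&1; then echo ufw
    elif command -v iptables     >/dev/null 2>&1; then echo iptables
    fi
}

open_port() {   # usage: open_port PORT|LOW-HIGH tcp|udp SOURCE_CIDR [IFACE]
    validate_port "$1" || { echo "bad port spec: $1" >&2; return 2; }
    case "$2" in tcp|udp) ;; *) echo "bad protocol: $2" >&2; return 2 ;; esac
    validate_cidr "$3" || { echo "bad source network: $3" >&2; return 2; }
    case "${FW_BACKEND:-$(detect_backend)}" in
        firewalld) fw_firewalld "$@" ;;
        ufw)       fw_ufw "$@" ;;
        iptables)  fw_iptables "$@" ;;
        *)         echo "no supported firewall tool found" >&2; return 3 ;;
    esac
}

# Typical use on a node, previewed first:  FW_DRY_RUN=1 open_port 1191 tcp 172.31.1.0/24
# then applied as root:                     open_port 1191 tcp 172.31.1.0/24
```

Preview with FW_DRY_RUN=1 before applying, since the real commands change the running firewall immediately. The dry-run output prints each command's arguments separated by spaces, so a rich rule appears without the shell quoting you would need to paste it by hand.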

For information on how CES IPs are aliased to network adapters, see CES IP aliasing to network adapters on protocol nodes.