
1. Overview

Knowing which ports are open is an important step in securing our system. Additionally, identifying which ports are open can help us determine which services are using them. There are multiple ways to list open ports in a Linux system such as using the ss, netstat, lsof, and nmap commands.

In this tutorial, we'll focus on how to list open ports using firewall-cmd.

2. What Is an Open Port?

Ports are essential components of a computer network that identify specific processes or services. They act as an interface for sending and receiving data. These ports operate at the transport layer (Layer 4) of the OSI model and have a specific number assigned to them.

Ports from 0 to 1023 are known as well-known ports, primarily used by default applications and system processes.

Ports from 1024 to 49151 are registered with IANA as registered ports, reserved for specific services. The ports from 49152 to 65535 are known as dynamic or private ports, and any application can use these ports without restriction.

In networking, open ports refer to TCP or UDP ports that are actively listening for connections from other systems. If a service is using a port, no other service can use that same port.

3. Firewall Management Using firewall-cmd

firewall-cmd is a command-line utility for managing firewalld, a firewall service used by several Linux distributions. Distributions that support firewalld by default include Fedora, RHEL, CentOS, AlmaLinux, Rocky Linux, openSUSE Leap, and SUSE Linux Enterprise Server (SLES).

3.1. Install firewall-cmd

Some distributions, such as Ubuntu and Debian, use the ufw firewall by default and don't have firewalld installed. However, we can install firewalld manually on Debian-based distributions using the apt command:

$ sudo apt install firewalld

After installation, the first step is to disable the default firewall running on our system:

$ sudo ufw disable

Next, we need to start and enable the firewalld on boot:

$ sudo systemctl start firewalld

$ sudo systemctl enable firewalld

Finally, we can check its status to see if it's running:

$ sudo firewall-cmd --state

running

The output indicates that firewalld is up and running.

Alternatively, we can use the systemctl status firewalld command to check the status of firewalld:

$ sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2024-08-01 21:49:29 PDT; 4 weeks 0 days ago
     Docs: man:firewalld(1)
 Main PID: 34717 (firewalld)
    Tasks: 3 (limit: 4892)
   Memory: 33.1M
   CGroup: /system.slice/firewalld.service
           └─34717 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Similar to the above output, this output also confirms that the firewall service is active and running.

3.2. Open a Port Using firewall-cmd

In the context of firewalls, opening a port means unblocking it for network access. To open a port in the firewall, we can use the firewall-cmd command with the --add-port option. Let's open TCP port 21 in the public zone using the firewall-cmd command:

$ firewall-cmd --permanent --zone=public --add-port=21/tcp

success

The output shows that the firewall has successfully opened TCP port 21.

3.3. Remove a Port

Similarly, if we need to remove a port from the list of open ports, we can use the --remove-port option:

$ firewall-cmd --permanent --zone=public --remove-port=443/tcp

This removes TCP port 443 from the list of open ports in the public zone.

After making any configuration changes like adding or removing a port or service in firewalld, it's necessary to reload the configuration:

$ sudo firewall-cmd --reload

This command immediately applies all changes.

4. List Open Ports with firewall-cmd

To list all the currently open ports in our Linux system, we can use the firewall-cmd command with the --list-ports option:

$ sudo firewall-cmd --list-ports

21/tcp 22/tcp 53/tcp 80/tcp

This command will list all the currently open ports in the default zone.

We can also use the firewall-cmd command to check which ports are open in a specific zone, let's say the internal zone:

$ firewall-cmd --zone=internal --list-ports

443/tcp

From the output, we can see that TCP port 443 is open in the internal zone.

Moreover, to list open ports in all the zones, we can use the --list-all-zones option:

$ firewall-cmd --list-all-zones

Furthermore, we can check if a specific port is open using the --query-port option with the firewall-cmd command. For example, let's check if port 22 is open in the firewall:

$ firewall-cmd --query-port=22/tcp

yes

It returns yes if the port is open, and no if it's closed.
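Because --add-port and --remove-port with --permanent only change the saved configuration until --reload is run, while changes made without --permanent are lost at the next reload, the runtime and permanent port lists of a zone can drift apart. The following script is an added example (not from the article): it compares the two lists for a zone and reports each port that is present in only one of them. When firewall-cmd is not installed it falls back to two constructed sample lists; the function names port_drift and zone_drift are our own.

```shell
#!/bin/sh
# Added example: compare the runtime and permanent port lists of a firewalld zone.
# A port only in the permanent list was added with --permanent but not yet applied
# with --reload; a port only in the runtime list was added without --permanent and
# will disappear at the next reload or reboot.

# Constructed sample outputs of `firewall-cmd --zone=public --list-ports` (runtime)
# and `firewall-cmd --permanent --zone=public --list-ports` (permanent).
SAMPLE_RUNTIME='21/tcp 22/tcp 53/tcp 80/tcp'
SAMPLE_PERMANENT='22/tcp 53/tcp 80/tcp 443/tcp'

# port_drift RUNTIME_LIST PERMANENT_LIST: print one line per port that appears in
# only one of the two space-separated lists. Prints nothing when they agree.
port_drift() {
    for _p in $1; do
        case " $2 " in
            *" $_p "*) ;;
            *) printf 'runtime-only (lost on reload): %s\n' "$_p" ;;
        esac
    done
    for _p in $2; do
        case " $1 " in
            *" $_p "*) ;;
            *) printf 'permanent-only (not yet reloaded): %s\n' "$_p" ;;
        esac
    done
}

# zone_drift ZONE: live check against firewalld; returns 1 when drift exists.
zone_drift() {
    _rt=$(firewall-cmd --zone="$1" --list-ports)
    _pm=$(firewall-cmd --permanent --zone="$1" --list-ports)
    _out=$(port_drift "$_rt" "$_pm")
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

if command -v firewall-cmd >/dev/null 2>&1; then
    zone_drift public || printf 'zone public: runtime and permanent lists differ\n'
else
    printf 'firewall-cmd not found, using constructed sample lists\n'
    port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

Run it as root (or with sudo) so that the --permanent query succeeds; a non-zero exit from zone_drift makes it usable from a cron job or a configuration check that should fail when a port was opened but never persisted.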

5. List Open Ports by Service with firewall-cmd

Services use one or more specific ports to operate. Using firewall-cmd, we can identify which ports are open in the system based on the services allowed in the firewall.

To check which services are allowed in the firewall, we can use the --list-services option:

$ firewall-cmd --list-services

cockpit dhcpv6-client radius ssh

From the above output, we notice that the firewall allows the cockpit, dhcpv6-client, radius, and ssh services.

Additionally, to see which ports are used by a particular service, we can use the firewall-cmd command with the --info-service option.

For example, let's check which ports the RADIUS server uses:

$ firewall-cmd --info-service=radius
radius
  ports: 1812/tcp 1812/udp 1813/tcp 1813/udp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: 

The above command shows that the RADIUS service is using the 1812/tcp, 1812/udp, 1813/tcp, and 1813/udp ports.

Notice that the firewall-cmd --list-ports command from the previous section doesn't include the ports opened by services in its output. Therefore, to get the complete picture, we can use the --list-all option to display a detailed summary of the firewall configuration:

$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client radius ssh
  ports: 22/tcp 80/tcp 21/tcp 53/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

This command provides a detailed summary of the active zone in the firewall configuration.
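Even --list-all only names the allowed services; the ports they open are hidden behind each service definition. The following script is an added example (not from the article): it expands every service in a zone through --info-service and unions those ports with the zone's explicit ports, giving the zone's effective exposure in one sorted list. When firewall-cmd is not installed it uses constructed samples shaped like the article's output; the functions field_value, effective_ports, sample_resolver and live_resolver are our own names.

```shell
#!/bin/sh
# Added example: expand a zone's allowed services into the ports they open.
# With firewall-cmd present, the live configuration is queried; otherwise the
# constructed samples below are used so the script runs offline.

# Constructed sample of `firewall-cmd --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: cockpit dhcpv6-client radius ssh
  ports: 22/tcp 80/tcp 21/tcp 53/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample of `firewall-cmd --info-service=radius` output.
SAMPLE_INFO_RADIUS='radius
  ports: 1812/tcp 1812/udp 1813/tcp 1813/udp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:'

# field_value KEY: print the value of the "  KEY: value" line read from stdin.
# Anchoring at the line start keeps "ports:" from matching "source-ports:".
field_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# sample_resolver SERVICE: offline stand-in for `firewall-cmd --info-service`.
# Only radius and ssh are modelled here; other services contribute no ports.
sample_resolver() {
    case $1 in
        radius) printf '%s\n' "$SAMPLE_INFO_RADIUS" ;;
        ssh)    printf 'ssh\n  ports: 22/tcp\n' ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# live_resolver SERVICE: query the real firewalld service definition.
live_resolver() {
    firewall-cmd --info-service="$1"
}

# effective_ports ZONE_TEXT RESOLVER: union of the zone's explicit ports and the
# ports behind each allowed service, de-duplicated, sorted, space separated.
effective_ports() {
    _ports=$(printf '%s\n' "$1" | field_value ports)
    for _svc in $(printf '%s\n' "$1" | field_value services); do
        _ports="$_ports $("$2" "$_svc" | field_value ports)"
    done
    printf '%s\n' $_ports | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

if command -v firewall-cmd >/dev/null 2>&1; then
    zone_text=$(firewall-cmd --list-all)
    printf 'effective open ports: %s\n' "$(effective_ports "$zone_text" live_resolver)"
else
    printf 'firewall-cmd not found, using constructed sample\n'
    printf 'effective open ports: %s\n' "$(effective_ports "$SAMPLE_LIST_ALL" sample_resolver)"
fi
```

The resolver is passed in as a function name so the parsing logic can be exercised without firewalld; on a real host, comparing this list against the sockets reported by ss -ltun shows which allowed ports have nothing listening behind them and could be closed.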

Similarly, we can also check if the firewall allows a particular service by using the --query-service option with the firewall-cmd command.

For example, let's check if the firewall allows SSH service:

$ firewall-cmd --query-service=ssh
yes

The output shows that the firewall allows the SSH service.

6. Conclusion

In this article, we discussed how to list open ports using firewall-cmd in Linux. Moreover, we discussed how to identify which ports a specific service is using and how to check open ports in a particular zone.

Knowing which ports are open helps ensure that only necessary services are accessible, which in turn helps protect the system from potential threats and unauthorized access.