Controlling Access to Ports

You can permit or deny access to a port by specifying the port number and the associated protocol. The --list-ports option lists the ports and associated protocols to which you have explicitly allowed access, for example:

# firewall-cmd --zone=work --list-ports

You can use the --add-port option to permit access:

# firewall-cmd --zone=work --add-port=5353/udp
# firewall-cmd --permanent --zone=work --add-port=5353/udp
# firewall-cmd --zone=work --list-ports
5353/udp 3689/tcp

Similarly, the --remove-port option removes access to a port. Without the --permanent option, a change affects only the running configuration, so remember to re-run the command with --permanent if you want the change to persist.
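Because --add-port and --remove-port must each be run once for the running configuration and once with --permanent, the two port lists can drift apart. The following script is an added example, not part of the original documentation, that compares them; port_drift and check_zone are hypothetical helper names and the sample port lists are constructed.

```shell
#!/bin/sh
# Added example: find ports whose runtime and permanent firewalld settings differ.

# port_drift RUNTIME PERMANENT
# Each argument is a whitespace-separated port list as printed by --list-ports.
# Prints "runtime-only PORT" for ports that would be lost on reload, and
# "permanent-only PORT" for ports that are saved but not active.
port_drift() {
    rt=" $(printf '%s' "$1" | tr -s ' \t\n' ' ') "
    pm=" $(printf '%s' "$2" | tr -s ' \t\n' ' ') "
    for p in $rt; do
        case "$pm" in
            *" $p "*) ;;                      # present in both lists
            *) echo "runtime-only $p" ;;
        esac
    done
    for p in $pm; do
        case "$rt" in
            *" $p "*) ;;
            *) echo "permanent-only $p" ;;
        esac
    done
    return 0
}

# check_zone ZONE
# Queries firewalld for both lists and reports the drift.
# Assumes firewalld is running and the caller is root.
check_zone() {
    runtime=$(firewall-cmd --zone="$1" --list-ports) || return 2
    permanent=$(firewall-cmd --permanent --zone="$1" --list-ports) || return 2
    port_drift "$runtime" "$permanent"
}

# Constructed sample lists (not taken from a real system) so the comparison
# can be tried without firewalld: 8080/tcp was opened without --permanent,
# 2049/tcp was added with --permanent only.
SAMPLE_RUNTIME="5353/udp 3689/tcp 8080/tcp"
SAMPLE_PERMANENT="5353/udp 3689/tcp 2049/tcp"
port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
```

On a live system, call check_zone work as root; any runtime-only line is a port that will close at the next reload or restart.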

To display all the firewall rules that are defined for a zone, use the --list-all option:

# firewall-cmd --zone=work --list-all
work (default,active)
  interfaces: em1
  services: http nfs ssh
  ports: 5353/udp 3689/tcp
  masquerade: no
  rich rules:

For more information, see the firewall-cmd(1) manual page.