Centos – How to get a list of the ports which belong to preconfigured firewall-cmd services

centosfirewallfirewalldsystemd

I want to open the following ports in my CentOS 7 firewall:

UDP 137 (NetBIOS Name Service)
UDP 138 (NetBIOS Datagram Service)
TCP 139 (NetBIOS Session Service)
TCP 445 (SMB)

I can guess that the services names include samba includes TCP 445 but I don't know if the other ports have a service name preconfigured.

I can list supported services with:

$ firewall-cmd --get-services

But this doesn't tell me what ports are configured with the services.

Is there a way to list what ports belong to these services so that I can grep for the one that I need?

Best Answer

You can find the xml files this information is stored in in /usr/lib/firewalld/services/ (for distro-managed services) and/or /etc/firewalld/services/ for your own user-defined services.

For example, samba.xml reads (on my centos7):

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba</short>
  <description>This option allows you to access and participate in Windows file and printer sharing networks. You need the samba package installed for this option to be useful.</description>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="445"/>
  <module name="nf_conntrack_netbios_ns"/>
</service>

so it's easy to spot what ports are enabled by this service.

FedoraWorkstation.xml

Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.

  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="samba-client"/>  <!-- udp 137,138, plus nf_conntrack_netbios_ns -->
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>

FedoraServer.xml

For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

  <service name="ssh"/>           <!-- tcp 22 -->
  <service name="dhcpv6-client"/> <!-- udp 546 from fe80::/64 only -->
  <service name="cockpit"/>       <!-- tcp 9090 -->

("cockpit" is implemented as a web server running on TCP port 9090. It uses HTTPS and password authentication. There is an alternative option to use SSH and SSH key authentication as well).

Does it allow MDNS / avahi?

This is slightly confusing when you look at the package. The package includes a patch to enable MDNS by default, but it does not touch either of these files. Nevertheless, MDNS will be allowed on Fedora Workstation. The standard MDNS port is 5353, which is in the "high ports" that Fedora Workstation allows (1025-65535).

The MDNS patch pre-dates FedoraWorkstation.xml and FedoraServer.xml in Fedora 21 (2014-12-09). This was the first release of Fedora to be split into Workstation and Server editions. In Fedora 20, the default zone definition was public.xml and it allowed MDNS.

Fedora 21 and its Workstation firewall -- LWN.net, 2014-12-17

https://src.fedoraproject.org/rpms/firewalld/tree/f28

Date: Mon, 6 Aug 2012 10:01:09 +0200
Subject: [PATCH] Make MDNS work in all but the most restrictive zones

MDNS is a discovery protocol, and much like DNS or DHCP should
be available for the network to function as expected.

Avahi (the main MDNS) implementation has taken steps to make sure
no private information is published by default.

See: https://fedoraproject.org/wiki/Desktop/Whiteboards/AvahiDefault

Best Answer

Related Solutions

Fedora Firewall – Default Allowed Ports on Workstation and Server

FedoraWorkstation.xml

FedoraServer.xml

Does it allow MDNS / avahi?

Related Question