20

Is there an easy way to show a full list of all the ports that have been opened using firewalld?

I know the command firewall-cmd --list-all, but that just shows service names, not the ports that those services define as being open.

For example:

    [root@myserver log]# firewall-cmd --list-all
    dmz (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens160
      sources:
      services: ssh squid my-icap
      ports:
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:

I know I can go into the definition files for each of these services to see what ports they are defining as open, but it seems like there should be a single-line way to do this, and I'm just missing it.

And I'm not looking for netstat: that will tell me if something is listening on a port, which is a different question from whether that port is accessible from another host.

6
  • 2
    Did you open the ports with firewall-cmd --add-port or firewall-cmd --add-service? Commented Aug 21, 2019 at 17:00
  • 3
    With --add-service, which is why they show up in the services: line. If I had added the ports individually with --add-port, then they would have shown up in the ports: line. But I like the concept of grouping ports by service and enabling and disabling them all together, I'm just frustrated that I can't find a simple way to see all the ports that are opened by the listed services. Commented Aug 21, 2019 at 17:42
  • 2
    Then that's your answer. When you use --add-services, the --list-all switch only shows the services. That's the way that firewall-cmd is designed to work. If you want it to list the ports then you'll either have to open them with --add-port or edit the code of firewall-cmd so that it shows the ports as well as the services. Commented Aug 21, 2019 at 17:48
  • 4
    I understand that that's the way that the --list-all option works. It just seems bizarre if there's no way to display all the ports that are open, which - surely - is one of the most common questions about a firewall's status. Even --service <service_name> get-ports doesn't give the information about a single service. Commented Aug 21, 2019 at 22:31
  • 2
    I completely agree with you @DaveMulligan and I'm looking for exactly the same thing but can't find it, and because there's no answer here I guess no one knows... Commented Dec 14, 2019 at 14:11

3 Answers

21

I've also been looking for this; currently I've come up with this bash one-liner:

for s in $(firewall-cmd --list-services); do firewall-cmd --permanent --service "$s" --get-ports; done; 

and for regular ports just use

$ firewall-cmd --list-ports 

or just

$ firewall-cmd --list-all 
1
  • Thanks for this excellent idea. I added 'printf "$SERVICE:\n\t"' before the firewall-cmd so that the output would categorize the ports by which service defined them. Commented Jun 18, 2024 at 19:28
1

This one-liner should work for both direct-interface services and rich language rules, and show the service name along with its port numbers, protocols, etc.

firewall-cmd --list-all | egrep "services|service.*accept" | sed -e 's/.*="\(.*\)".*/\1/g' | sed -e 's/\s\+services:\s\+//g' | tr ' ' '\n' | xargs -I '{}' firewall-cmd --info-service={} 

If you just want something easy to remember for an ad-hoc lookup of the port definitions of a service, then:

 firewall-cmd --info-service=service_name 
0

I have written the following script that gives acceptable output:

    # parser() {
        while IFS= read -r line; do
            if [[ ! $line = *services:* ]]; then
                echo "$line"
            else
                read -r -a a <<<"$line"
                (
                    echo " ${a[0]}"
                    unset 'a[0]'
                    for i in "${a[@]}"; do
                        # ask firewalld which ports this service defines
                        port=$(firewall-cmd --info-service "$i" | sed -n 's/.*ports: *//p')
                        echo "$i($port)"
                    done
                ) | paste -sd' '
            fi
        done
    }
    # firewall-cmd --list-all | parser
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0
      sources:
      services: dhcpv6-client(546/udp) http(80/tcp) https(443/tcp) ssh(22/tcp) zabbix-agent(10050/tcp) zabbix-server(10051/tcp)
      ports:
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
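
The three answers each cover one piece of the question (services via `--get-ports`/`--info-service`, plain `ports:` entries, rich rules). The script below is an added example written for this page, not code from any of the answers above: it reads `firewall-cmd --list-all` output on stdin and prints one sorted, de-duplicated `port/proto<TAB>origin` line for every port opened by a service, a plain port entry, or a rich rule of the `service name="..."` or `port port="..." protocol="..."` form. The service lookup is passed in as a function name so the parser can be exercised offline: `stub_info_service` is a constructed stand-in whose port values are assumptions for the example, while `real_info_service` calls `firewall-cmd --info-service` on a real host. A service that resolves to no ports (like the `my-icap` custom service in the question) is reported on stderr rather than silently dropped.

```shell
#!/bin/sh
# Added example: expand a `firewall-cmd --list-all` listing into one list of
# port/protocol entries, covering the services: line, the ports: line and
# rich rules (service name="..." and port port="..." forms). Not from the
# original answers; the service->port table in stub_info_service is
# CONSTRUCTED for offline use and is not authoritative.

# Real resolver: ask firewalld (runtime config) which ports a service defines.
# Use the same runtime/--permanent view here as for --list-all, or the two
# will disagree after a runtime-only --add-service.
real_info_service() {
    firewall-cmd --info-service="$1" | sed -n 's/^ *ports: *//p'
}

# Constructed stand-in for real_info_service so the parser runs on a machine
# without firewalld. Values are ASSUMED for the example; on a real host the
# authoritative definitions live in /usr/lib/firewalld/services/<name>.xml
# (and /etc/firewalld/services/ for local overrides).
stub_info_service() {
    case "$1" in
        ssh)           echo "22/tcp" ;;
        http)          echo "80/tcp" ;;
        squid)         echo "3128/tcp" ;;
        dhcpv6-client) echo "546/udp" ;;
        *)             echo "" ;;          # e.g. a custom service with no ports
    esac
}

# emit_service_ports NAME RESOLVER ORIGIN: one "port/proto<TAB>origin" line per
# port the service defines; a service with no ports is reported on stderr so it
# is not silently missing from the audit.
emit_service_ports() {
    svc_ports=$("$2" "$1")
    if [ -z "$svc_ports" ]; then
        printf 'note: service %s defines no ports\n' "$1" >&2
        return 0
    fi
    for p in $svc_ports; do
        printf '%s\t%s\n' "$p" "$3"
    done
}

# open_ports [RESOLVER] < list-all-output
# Reads `firewall-cmd --list-all` text on stdin and prints a sorted, unique
# list of every port opened by a service, a plain port entry or a rich rule.
open_ports() {
    resolver=${1:-real_info_service}
    while IFS= read -r line; do
        case "$line" in
            *"services:"*)
                for s in ${line#*services:}; do
                    emit_service_ports "$s" "$resolver" "service:$s"
                done ;;
            *"forward-ports:"*|*"source-ports:"*)
                : ;;                      # must precede the plain ports: pattern
            *"ports:"*)
                for p in ${line#*ports:}; do
                    printf '%s\t%s\n' "$p" "port"
                done ;;
            *"rule "*"service name="*)
                rs=$(printf '%s\n' "$line" | sed -n 's/.*service name="\([^"]*\)".*/\1/p')
                emit_service_ports "$rs" "$resolver" "rich-rule:$rs" ;;
            *"rule "*"port port="*)
                rp=$(printf '%s\n' "$line" | sed -n 's/.*port port="\([^"]*\)" protocol="\([^"]*\)".*/\1\/\2/p')
                printf '%s\t%s\n' "$rp" "rich-rule" ;;
        esac
    done | LC_ALL=C sort -u
}

# Constructed --list-all output in the same shape as the question's listing
# (plus one plain port and two rich rules); used only by --demo.
demo_listing() {
    printf '%s\n' \
        'dmz (active)' \
        '  target: default' \
        '  services: ssh squid my-icap' \
        '  ports: 8080/tcp' \
        '  forward-ports:' \
        '  source-ports:' \
        '  rich rules:' \
        '    rule family="ipv4" source address="192.0.2.0/24" service name="http" accept' \
        '    rule family="ipv4" port port="9000-9010" protocol="udp" accept'
}

# Run with --demo to see the offline result; on a real host instead do:
#   . ./open_ports.sh; firewall-cmd --list-all | open_ports
if [ "${1:-}" = "--demo" ]; then
    demo_listing | open_ports stub_info_service
fi
```

Note the runtime/permanent caveat: the first answer's one-liner reads service definitions with `--permanent` while `--list-services` shows the runtime zone, so after a runtime-only `--add-service` of a service that exists only in the runtime configuration the two views can disagree. Pick one view and use it for both the listing and the lookup (drop `--permanent`, or add it to both commands).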
