How to Open or close ports in AlmaLinux 8 or Rocky Firewall

Many times after installing some application or accessing an inbuilt service outside the system using some other devices, we need to open a network port. It is a communication endpoint defined by a software layer to identify & access some particular process or a type of network service. For example, SSH (Secure Shell Protocol) service, the default port for it is 22, which we can be used to access any particular computer to control remotely. In the same way, CPanel, NextCloud, Apache, and other various tools and software come with their own port number. However, if you have a firewall installed, then most of the ports would be blocked by default, and to communicate with them, first, we have to open the same.

Let’s say you want to open a port 80 or 443 in AlmaLinux 8, then how to do that? To help you with this here is the tutorial.


  • How to install firewalld in Almalinux 8 or Rocky Linux including CentOS & RHEL 8
  • Open and close ports such as 80, 443, 3603, 22, etc on Almalinux with Firewalld.
  • Reload firewall configuration.
  • How to list open ports or services

Command to open ports in AlmaLinux 8 or Rocky

Check Firewalld is running or not

The one thing we have to ensure that firewalld is on our AlmaLinux and running properly before opening and closing any port on the system.

Check Status:

sudo systemctl status firewalld

If it not running then use the below commands:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Well, those who don’t have firewalld installed and want it to, they can run:

sudo dnf update
sudo dnf install firewalld


List all opened ports & services

Before opening any particular port let’s confirm that it is not already active in firewalld and has not been allowed to access through public connections, for that run-

sudo firewall-cmd --list-all

So, in the below screenshot we can clearly see the port 443 or 3602 is not allowed to communicate externally.

List all openeed ports services in AlamaLinux

FirewallD also comes with some pre-configured services, for them and their ports the firewall allows public communication by default. And SSH, Plex, Cockpit, etc are a few of them. You can check the list of all such services by using the command-

firewall-cmd --get-services

Output: These are the services that are available firewalld as pre-configured and can be opened just using their name with the command syntax given in later steps of this tutorial.

RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula
bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc
bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp 
dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync
elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps
freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana
gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target
isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver
ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache 
minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183
nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy
pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio 
puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master
samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap
spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing 
syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 
tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https
wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server


List of Zones

Although to access any service we have just allow the service in the public zone, however just for information you can check other available zones as well, in case you want to use any of them.

firewall-cmd --get-zones


block dmz drop external home internal nm-shared public trusted work


Use firewalld command to open port or service

Now, the default zone to access the service from the outside network is public, and with the help of the below command syntax, you can open any port or service on your AlmaLinux or Rocky server.

For opening any service which is predefined in firewalld such as HTTP or OpenVPN, you need to replace the service-name in the below command syntax-

sudo firewall-cmd --zone=public --permanent --add-service=service-name

Let’s say you want to open http or openvpn, then the same above syntax can be used as

sudo firewall-cmd --zone=public --permanent --add-service=openvpn

In the same way, those services’ ports are not pre-defined then users can open them manually using this command. Replace type-port-number in the below syntax with the port you want to open. You can also change TCP to UDP as per the requirements.

sudo firewall-cmd --zone=public --permanent --add-port type-port-number/tcp

Example– Lets’ say you want to open 3602

sudo firewall-cmd --zone=public --permanent --add-port 3602/tcp


Reload Firewall

Although it is not necessary to reload the firewall, however, to ensure it has successfully flushed the previous settings and recognize the newly added service or port for the public zone, let reload its service.

sudo firewall-cmd --reload

You can check whether the port or service successfully active or not by listing them.

firewall-cmd --list-all


Steps to Block or close ports/services in AlmaLinux or Rocky Linux 8

Step 1: To block any already opened service or port, we can use the same command that we have used above to open them. However, if you are unsure that what are the active ones you can use again the command to list them all-

sudo firewall-cmd --list-all

Step 2: Now let’s say you want to close port number 443  or block the service ssh in the firewall. The syntax will be the same we have used to open them, however instead of using option add we use the remove this time.

Syntax to remove some service-

firewall-cmd --zone=public --permanent --remove-service service-name

For example– If we want to blocks service ssh

firewall-cmd --zone=public --permanent --remove-service ssh

Syntax to block some port number:

firewall-cmd --zone=public --permanent --remove-port type-number

Example– Let’s block port 443

sudo firewall-cmd --zone=public --permanent --remove-port 443

Reload firewall:

sudo firewall-cmd --reload


Closing thoughts:

In this way, we to cannot only check the open ports and services but can also allow and block them to communicate from the outside our Almalinux Linux including Rocky, CetnOS, or RHEL 8.


Other Articles:




Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.