When I start firewalld , ssh from other host stops

sudo systemctl start firewalld
[pal@rocky ~]$ firewall-cmd --get-active-zones
public
interfaces: enp3s0
[pal@rocky ~]$ firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[pal@rocky ~]$ firewall-cmd --get-zones
block dmz drop external home internal nm-shared public trusted work

firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule afp amanda-client amanda-k5-client amqp amqps apcupsd audit ausweisapp2 bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine checkmk-agent cockpit collectd condor-collector cratedb ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp galera ganglia-client ganglia-master git gpsd grafana gre high-availability http http3 https ident imap imaps ipfs ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-api kube-apiserver kube-control-plane kube-control-plane-secure kube-controller-manager kube-controller-manager-secure kube-nodeport-services kube-scheduler kube-scheduler-secure kube-worker kubelet kubelet-readonly kubelet-worker ldap ldaps libvirt libvirt-tls lightning-network llmnr llmnr-tcp llmnr-udp managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd netbios-ns netdata-dashboard nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus prometheus-node-exporter proxy-dhcp ps3netsrv ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptls snmptls-trap snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wireguard ws-discovery ws-discovery-client ws-discovery-tcp ws-discovery-udp wsman wsmans xdmcp xmpp-bosh xmpp-client 
xmpp-local xmpp-server zabbix-agent zabbix-server zerotier

sudo firewall-cmd --zone=public --add-service=ssh
[sudo] password for pal:
Warning: ALREADY_ENABLED: ‘ssh’ already in ‘public’
success

The “real” rules are in the kernel and can be seen with:

nft list ruleset

The zone ‘public’ does have service ‘ssh’, so it should allow ssh traffic in.
Of course, one could have modified the definition of the service.

firewall-cmd --info-service=ssh

Another assumption is that ssh does listen on its default port, 22/tcp.
What services do listen:

ss -tulpn | grep ssh

firewall-cmd --info-service=ssh
ssh
  ports: 22/tcp
  protocols:
  source-ports:
  modules:
  destination:
  includes:
  helpers:

But I don't use port 22

nft list ruleset
[sudo] password for pal:
table inet firewalld {
chain mangle_PREROUTING {
	type filter hook prerouting priority mangle + 10; policy accept;
	jump mangle_PREROUTING_ZONES
}

chain mangle_PREROUTING_POLICIES_pre {
	jump mangle_PRE_policy_allow-host-ipv6
}

chain mangle_PREROUTING_ZONES {
	iifname "enp3s0" goto mangle_PRE_public
	goto mangle_PRE_public
}

chain mangle_PREROUTING_POLICIES_post {
}

chain nat_PREROUTING {
	type nat hook prerouting priority dstnat + 10; policy accept;
	jump nat_PREROUTING_ZONES
}

chain nat_PREROUTING_POLICIES_pre {
	jump nat_PRE_policy_allow-host-ipv6
}

chain nat_PREROUTING_ZONES {
	iifname "enp3s0" goto nat_PRE_public
	goto nat_PRE_public
}

chain nat_PREROUTING_POLICIES_post {
}

chain nat_POSTROUTING {
	type nat hook postrouting priority srcnat + 10; policy accept;
	jump nat_POSTROUTING_ZONES
}

chain nat_POSTROUTING_POLICIES_pre {
}

chain nat_POSTROUTING_ZONES {
	oifname "enp3s0" goto nat_POST_public
	goto nat_POST_public
}

chain nat_POSTROUTING_POLICIES_post {
}

chain nat_OUTPUT {
	type nat hook output priority -90; policy accept;
	jump nat_OUTPUT_POLICIES_pre
	jump nat_OUTPUT_POLICIES_post
}

chain nat_OUTPUT_POLICIES_pre {
}

chain nat_OUTPUT_POLICIES_post {
}

chain filter_PREROUTING {
	type filter hook prerouting priority filter + 10; policy accept;
	icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
	meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}

chain filter_INPUT {
	type filter hook input priority filter + 10; policy accept;
	ct state { established, related } accept
	ct status dnat accept
	iifname "lo" accept
	ct state invalid drop
	jump filter_INPUT_ZONES
	reject with icmpx admin-prohibited
}

chain filter_FORWARD {
	type filter hook forward priority filter + 10; policy accept;
	ct state { established, related } accept
	ct status dnat accept
	iifname "lo" accept
	ct state invalid drop
	ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
	jump filter_FORWARD_ZONES
	reject with icmpx admin-prohibited
}

chain filter_OUTPUT {
	type filter hook output priority filter + 10; policy accept;
	ct state { established, related } accept
	oifname "lo" accept
	ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
	jump filter_OUTPUT_POLICIES_pre
	jump filter_OUTPUT_POLICIES_post
}

chain filter_INPUT_POLICIES_pre {
	jump filter_IN_policy_allow-host-ipv6
}

chain filter_INPUT_ZONES {
	iifname "enp3s0" goto filter_IN_public
	goto filter_IN_public
}

chain filter_INPUT_POLICIES_post {
}

chain filter_FORWARD_POLICIES_pre {
}

chain filter_FORWARD_ZONES {
	iifname "enp3s0" goto filter_FWD_public
	goto filter_FWD_public
}

chain filter_FORWARD_POLICIES_post {
}

chain filter_OUTPUT_POLICIES_pre {
}

chain filter_OUTPUT_POLICIES_post {
}

chain filter_IN_public {
	jump filter_INPUT_POLICIES_pre
	jump filter_IN_public_pre
	jump filter_IN_public_log
	jump filter_IN_public_deny
	jump filter_IN_public_allow
	jump filter_IN_public_post
	jump filter_INPUT_POLICIES_post
	meta l4proto { icmp, ipv6-icmp } accept
	reject with icmpx admin-prohibited
}

chain filter_IN_public_pre {
}

chain filter_IN_public_log {
}

chain filter_IN_public_deny {
}

chain filter_IN_public_allow {
	tcp dport 22 ct state { new, untracked } accept
	ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
	tcp dport 9090 ct state { new, untracked } accept
}

chain filter_IN_public_post {
}

chain nat_POST_public {
	jump nat_POSTROUTING_POLICIES_pre
	jump nat_POST_public_pre
	jump nat_POST_public_log
	jump nat_POST_public_deny
	jump nat_POST_public_allow
	jump nat_POST_public_post
	jump nat_POSTROUTING_POLICIES_post
}

chain nat_POST_public_pre {
}

chain nat_POST_public_log {
}

chain nat_POST_public_deny {
}

chain nat_POST_public_allow {
}

chain nat_POST_public_post {
}

chain filter_FWD_public {
	jump filter_FORWARD_POLICIES_pre
	jump filter_FWD_public_pre
	jump filter_FWD_public_log
	jump filter_FWD_public_deny
	jump filter_FWD_public_allow
	jump filter_FWD_public_post
	jump filter_FORWARD_POLICIES_post
	reject with icmpx admin-prohibited
}

chain filter_FWD_public_pre {
}

chain filter_FWD_public_log {
}

chain filter_FWD_public_deny {
}

chain filter_FWD_public_allow {
	oifname "enp3s0" accept
}

chain filter_FWD_public_post {
}

chain nat_PRE_public {
	jump nat_PREROUTING_POLICIES_pre
	jump nat_PRE_public_pre
	jump nat_PRE_public_log
	jump nat_PRE_public_deny
	jump nat_PRE_public_allow
	jump nat_PRE_public_post
	jump nat_PREROUTING_POLICIES_post
}

chain nat_PRE_public_pre {
}

chain nat_PRE_public_log {
}

chain nat_PRE_public_deny {
}

chain nat_PRE_public_allow {
}

chain nat_PRE_public_post {
}

chain mangle_PRE_public {
	jump mangle_PREROUTING_POLICIES_pre
	jump mangle_PRE_public_pre
	jump mangle_PRE_public_log
	jump mangle_PRE_public_deny
	jump mangle_PRE_public_allow
	jump mangle_PRE_public_post
	jump mangle_PREROUTING_POLICIES_post
}

chain mangle_PRE_public_pre {
}

chain mangle_PRE_public_log {
}

chain mangle_PRE_public_deny {
}

chain mangle_PRE_public_allow {
}

chain mangle_PRE_public_post {
}

chain filter_IN_policy_allow-host-ipv6 {
	jump filter_IN_policy_allow-host-ipv6_pre
	jump filter_IN_policy_allow-host-ipv6_log
	jump filter_IN_policy_allow-host-ipv6_deny
	jump filter_IN_policy_allow-host-ipv6_allow
	jump filter_IN_policy_allow-host-ipv6_post
}

chain filter_IN_policy_allow-host-ipv6_pre {
}

chain filter_IN_policy_allow-host-ipv6_log {
}

chain filter_IN_policy_allow-host-ipv6_deny {
}

chain filter_IN_policy_allow-host-ipv6_allow {
	icmpv6 type nd-neighbor-advert accept
	icmpv6 type nd-neighbor-solicit accept
	icmpv6 type nd-router-advert accept
	icmpv6 type nd-redirect accept
}

chain filter_IN_policy_allow-host-ipv6_post {
}

chain nat_PRE_policy_allow-host-ipv6 {
	jump nat_PRE_policy_allow-host-ipv6_pre
	jump nat_PRE_policy_allow-host-ipv6_log
	jump nat_PRE_policy_allow-host-ipv6_deny
	jump nat_PRE_policy_allow-host-ipv6_allow
	jump nat_PRE_policy_allow-host-ipv6_post
}

chain nat_PRE_policy_allow-host-ipv6_pre {
}

chain nat_PRE_policy_allow-host-ipv6_log {
}

chain nat_PRE_policy_allow-host-ipv6_deny {
}

chain nat_PRE_policy_allow-host-ipv6_allow {
}

chain nat_PRE_policy_allow-host-ipv6_post {
}

chain mangle_PRE_policy_allow-host-ipv6 {
	jump mangle_PRE_policy_allow-host-ipv6_pre
	jump mangle_PRE_policy_allow-host-ipv6_log
	jump mangle_PRE_policy_allow-host-ipv6_deny
	jump mangle_PRE_policy_allow-host-ipv6_allow
	jump mangle_PRE_policy_allow-host-ipv6_post
}

chain mangle_PRE_policy_allow-host-ipv6_pre {
}

chain mangle_PRE_policy_allow-host-ipv6_log {
}

chain mangle_PRE_policy_allow-host-ipv6_deny {
}

chain mangle_PRE_policy_allow-host-ipv6_allow {
}

chain mangle_PRE_policy_allow-host-ipv6_post {

and I use IPv4, and I use another port for ssh, not 22. Internet works, but ssh doesn't work

ss -tulpn | grep ssh - ZERO

If you don’t use port 22 for SSH, then you need to add another port. The ssh service only recognises port 22. So if you changed this, you need to create your own custom service, or add the port to the rule.

firewall-cmd --add-port=10022/tcp --permanent
firewall-cmd --reload

assuming port 10022 is your new ssh port. Or create custom service:

[root@rocky8 ~]# firewall-cmd --new-service=ssh-10022 --permanent
success

[root@rocky8 ~]# firewall-cmd --service=ssh-10022 --add-port=10022/tcp --permanent
success

[root@rocky8 ~]# firewall-cmd --info-service ssh-10022 --permanent
ssh-10022
  ports: 10022/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: 

[root@rocky8 ~]# firewall-cmd --zone=public --add-service=ssh-10022 --permanent
success

[root@rocky8 ~]# firewall-cmd --reload
success

And then after adding custom service:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client http https ssh ssh-10022

Custom service is nice, makes it real clear. Adhoc, can be just done by adding a port to the zone, and then it looks like this:

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources: 
  services: cockpit dhcpv6-client http https ssh
  ports: 10022/tcp
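A way to catch this mismatch before restarting the firewall, as an added example that is not from the thread: it parses the text of `firewall-cmd --list-all`, `firewall-cmd --info-service` and `ss -tulpn` (constructed sample output below, modelled on the thread) and reports any port sshd listens on that the zone does not open.

```python
import re

# Constructed sample output: the zone allows the stock "ssh" service
# (22/tcp) while sshd actually listens on 10022.
ZONE = """public (active)
  target: default
  interfaces: enp3s0
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  rich rules:
"""
# "firewall-cmd --info-service=NAME" output for each service in the zone.
SERVICES = {
    "ssh": "ssh\n  ports: 22/tcp\n  protocols:\n  includes:\n",
    "cockpit": "cockpit\n  ports: 9090/tcp\n  protocols:\n  includes:\n",
    "dhcpv6-client": "dhcpv6-client\n  ports: 546/udp\n  destination: ipv6:fe80::/64\n",
}
# "ss -tulpn" output showing where sshd really listens.
SS = """Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:10022     0.0.0.0:*     users:(("sshd",pid=812,fd=3))
udp   UNCONN 0      0            0.0.0.0:68        0.0.0.0:*     users:(("dhclient",pid=611,fd=6))
"""

def fields(text):
    """Parse the '  key: v1 v2' lines (after the name line) into {key: [v1, v2]}."""
    out = {}
    for line in text.splitlines()[1:]:
        key, _, rest = line.strip().partition(":")
        out[key] = rest.split()
    return out

def service_ports(name, services, seen=None):
    """Ports a service opens, following its 'includes:' of other services."""
    seen = seen if seen is not None else set()
    if name in seen or name not in services:
        return set()
    seen.add(name)
    f = fields(services[name])
    ports = set(f.get("ports", []))
    for inc in f.get("includes", []):
        ports |= service_ports(inc, services, seen)
    return ports

def zone_ports(zone_text, services):
    """Everything the zone opens: explicit 'ports:' plus each listed service."""
    f = fields(zone_text)
    ports = set(f.get("ports", []))
    for svc in f.get("services", []):
        ports |= service_ports(svc, services)
    return ports

def listening(ss_text, process):
    """'port/proto' of listening sockets owned by the named process."""
    found = set()
    for line in ss_text.splitlines():
        m = re.match(r"(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m and f'"{process}"' in line:
            found.add(f"{m.group(2)}/{m.group(1)}")
    return found

def unreachable(zone_text, services, ss_text, process="sshd"):
    """Ports the process listens on that the zone does not open."""
    return listening(ss_text, process) - zone_ports(zone_text, services)

if __name__ == "__main__":
    print("sshd ports not opened by zone:", unreachable(ZONE, SERVICES, SS))
```

On a live host the three inputs come from the commands named above; an empty result means the zone covers every sshd listener.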

Thanks, now ssh works :wave:


The firewall does not prevent processes from listening on ports. It merely prevents traffic from reaching the ports.
Therefore, one would have expected to see “sshd” on some port.

What does prevent some processes from listening is SELinux. If it had blocked sshd, then you could not have used ssh even when the firewall was down.


If you have nothing on 22/tcp, then you don’t have to keep it unfiltered. You can remove a service from the zone:

# firewall-cmd --zone=public --remove-service=ssh --permanent

Now I’m setting up NAT. But two network cards do not work for me at the same time. If I turn 1 on, 2 turns off and vice versa. And the settings of the enabled network card are automatically duplicated to the second network card.

Network config is a somewhat separate issue. Perhaps a new thread, since the firewall is resolved?

Initially you did show only one interface:

Where did the enp2s0 come from? Why two interfaces? Why NAT?

IMHO, the GUI hides too much details. Command-line text is also copyable.

nmcli d s
nmcli c s
nmcli

I use NAT while I need to connect several more computers from the local network to this computer. I connect local network computers via a switch to a network card enp2s0. This computer is connected to the Internet via enp3s0.
nmcli d s
DEVICE TYPE STATE CONNECTION
enp3s0 ethernet connected Profile 1
lo loopback connected (externally) lo
enp2s0 ethernet disconnected –

nmcli c s
NAME UUID TYPE DEVICE
Profile 1 6d0a1505-a3b5-4b36-b423-52d239467ac1 ethernet enp3s0
lo a7965dcd-c8dd-481e-836e-d4945d997f9e loopback lo
enp7s0 94eb66b9-c52c-372e-be99-d7a8c722381d ethernet –
enp8s0 10e29dbb-eca1-44f8-bf30-fbef0a79b526 ethernet –
enp9s0 031fa3b1-e12d-4d2f-9d1b-7d59d5280242 ethernet –

nmcli
enp3s0: connected to Profile 1
“Intel 82574L”
ethernet (e1000e), 00:E0:81:BD:60:AD, hw, mtu 1500
ip4 default
inet4 xxxxxxxx/28
route4 xxxxxxxx/28 metric 114
route4 default via xxxxxx metric 114

lo: connected (externally) to lo
“lo”
loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536
inet4 127.0.0.1/8
inet6 ::1/128
route6 ::1/128 metric 256

enp2s0: disconnected
“Intel 82574L”
1 connection available
ethernet (e1000e), 00:E0:81:BD:60:AE, hw, mtu 1500

DNS configuration:
servers: 8.8.8.8
interface: enp3s0

Use “nmcli device show” to get complete information about known devices and
“nmcli connection show” to get an overview on active connection profiles.

I installed the system on another computer and there were network cards enp7s0 etc

First observation: there are two subnets. The first, “wan” is “xxxxxxxx/28” and the second, “lan” is “?/?”.
The machine xxxxxx is a member of xxxxxxxx/28, just like this machine (xxxxxxxx).
(Obfuscation makes it all so clear …)

The name of connection 6d0a1505-a3b5-4b36-b423-52d239467ac1 is inconvenient as it contains whitespace. I’d rename it to “wan”:

nmcli con mod 6d0a1505-a3b5-4b36-b423-52d239467ac1 connection.id wan

The connections for non-existent interfaces can be removed:

nmcli con del enp7s0
nmcli con del enp8s0
nmcli con del enp9s0

What is the “?/?”? It has to be distinct and non-overlapping with xxxxxxxx/28.

Do we have to assume that there is no DHCP server on “lan” and thus this machine needs manually set static address in “lan”?


Are the other members of “lan” supposed to access “wan” (and internet) through this machine, i.e. will this act as router, or will they only access this machine?

All IP addresses of the LAN are static. After:
nmcli con del enp7s0
Connection ‘enp7s0’ (94eb66b9-c52c-372e-be99-d7a8c722381d) successfully deleted.
[root@rocky ~]# nmcli con del enp8s0
Connection ‘enp8s0’ (10e29dbb-eca1-44f8-bf30-fbef0a79b526) successfully deleted.
[root@rocky ~]# nmcli con del enp9s0
Connection ‘enp9s0’ (031fa3b1-e12d-4d2f-9d1b-7d59d5280242) successfully deleted.

Now:
nmcli c s
Profile 1 6d0a1505-a3b5-4b36-b423-52d239467ac1 ethernet enp3s0
lo a7965dcd-c8dd-481e-836e-d4945d997f9e loopback lo

xxxx is
nmcli
enp3s0: connected to Profile 1
“Intel 82574L”
ethernet (e1000e), 00:E0:81:BD:60:AD, hw, mtu 1500
ip4 default
inet4 100.100.100.235/28 (address of computer)
route4 100.100.100.224/28 metric 114 (address of network)
route4 default via 100.100.100.225 metric 114 (gateway)

For example, I put a hard disk with freebsd14 (ipfw) on this computer and the nat works. Both network cards are visible

DHCP can be set to give static addresses.

Let's use an example, where “lan” is 192.168.5.0/24 and enp2s0 should get 192.168.5.254 (and no IPv6 address).
The man nmcli-examples suggests something like:

nmcli con add con-name lan ifname enp2s0 type ethernet ipv6.method disabled ip4 192.168.5.254/24

after that the nmcli c s should show whether the connection gets up and ip ro
should show the three routes:

  • default via 100.100.100.225
  • to xxx/28 dev enp3s0
  • to yyy/24 dev enp2s0

The question is: does addition of connection as I did show above disrupt your existing connection, or can they co-exist? They should be ok.


The NAT (sNAT, masquerade) is about hiding true origin of packets. It would be needed, if members of lan talk to wan via this router. sNAT would put router’s wan-address as “source” into the packets. The NAT rules are part of firewall system. If the zone of the wan interface is “external” (now you have “public” on it), then that should activate sNAT on the wan interface.

firewall-cmd --zone=external --add-service=ssh-10022 --permanent
success
nmcli con mod "Profile 1" connection.zone external

The activation of external zone might also activate routing, the ip_forward.

The problem here is that Network Manager does not see two network cards at the same time. I had something like this in old Debians. I remember in Debian 6 I had to disable Network Manager and configure network cards on the command line

That output does say that the NetworkManager does see both interface devices.

But enp2s0 is connected