Opening a raw port in firewalld is for applications that do not have a suitable predefined service. The rule must go into the zone that handles the incoming traffic, and it must be saved permanently when the application should remain reachable after a reload or reboot.
firewalld keeps runtime rules separate from permanent configuration. A normal --add-port command changes the live firewall only, while the same command with --permanent writes the saved configuration that firewalld loads after a reload, restart, or boot.
The commands use 8443/tcp in the public zone. Replace the port, protocol, and zone with the values for the application being exposed, and prefer a predefined or custom service when the application has several ports or needs a named policy object.
$ sudo firewall-cmd --state
running
$ sudo firewall-cmd --get-active-zones
public (default)
  interfaces: eth0
If the host has no active zone binding, check the fallback zone with sudo firewall-cmd --get-default-zone before choosing where to add the port.
$ sudo firewall-cmd --zone=public --add-port=8443/tcp
success
Opening a port in the wrong zone can expose the application on an unintended network. Confirm the active zone before applying the command on an internet-facing or multi-interface host.
$ sudo firewall-cmd --permanent --zone=public --add-port=8443/tcp
success
Use /udp instead of /tcp for UDP listeners. firewalld also accepts port ranges such as 9000-9010/tcp.
$ sudo firewall-cmd --zone=public --list-ports
8443/tcp
$ sudo firewall-cmd --permanent --zone=public --list-ports
8443/tcp
$ sudo firewall-cmd --reload
success
A reload replaces runtime-only changes with the permanent configuration. If the permanent command was missed, the port disappears from the live rules after this step.
$ sudo firewall-cmd --zone=public --list-ports
8443/tcp
$ sudo firewall-cmd --permanent --zone=public --query-port=8443/tcp
yes
$ nc -vz app01.example.net 8443
Connection to app01.example.net 8443 port [tcp/*] succeeded!
The application must already be listening on the port. If the firewalld rule is present but the connection still fails, check the service listener, host routing, and any upstream firewall before widening the host rule.
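The procedure above, as an added example script (not part of the original page): it refuses malformed port specs, refuses zones that are not active, adds the port to both the runtime and the permanent configuration, and fails if the two views disagree. The FIREWALL_CMD variable is an assumption of this script, there so it can be pointed at a stub for dry runs; by default it calls firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the original page. Usage: sh open-port.sh public 8443/tcp
# FIREWALL_CMD lets a dry run substitute a stub for firewall-cmd (script assumption).
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Accept only what --add-port accepts: a port or low-high range, then /tcp or /udp.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */tcp|*/udp) ports=${spec%/*} ;;
        *) return 1 ;;
    esac
    lo=${ports%%-*}
    hi=${ports##*-}
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    # Exactly one port or one "lo-hi" pair, both within 1-65535 and ordered.
    { [ "$ports" = "$lo" ] || [ "$ports" = "$lo-$hi" ]; } &&
        [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# A zone is usable only if it appears unindented in --get-active-zones
# (zone names are flush left; "(default)" and interface lines are dropped).
zone_is_active() {
    "$FIREWALL_CMD" --get-active-zones | awk '/^[^ ]/ {print $1}' | grep -qx -- "$1"
}

# Open the port in the runtime and permanent configuration of one zone.
# Exit codes: 2 bad spec, 3 inactive zone, 4 firewall-cmd failure, 5 views disagree.
open_port() {
    zone=$1
    spec=$2
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    zone_is_active "$zone" || { echo "zone $zone is not active" >&2; return 3; }
    "$FIREWALL_CMD" --zone="$zone" --add-port="$spec" >/dev/null || return 4
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$spec" >/dev/null || return 4
    # Both views must answer yes, otherwise a reload would drop the port again.
    "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null || return 5
    "$FIREWALL_CMD" --permanent --zone="$zone" --query-port="$spec" >/dev/null || return 5
}

# Run directly with a zone and a port spec; sourced or argument-less, only define functions.
if [ "$#" -eq 2 ]; then
    open_port "$1" "$2"
fi
```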