I can't seem to save my firewall settings

On the default firewalld, I need to enable some ports to get access to an app I use (see thread here: How can I get an app to bypass firewalld?)

However I can’t get those settings to save. After every reboot, those settings are gone and it becomes extremely cumbersome to enter in those settings manually everytime.

Can someone guide me how to make my changes permanent?

Here’s a couple of examples on how I setup firewalld for use with my VMs:

set zone to “home”, add services, reload

sudo firewall-cmd --permanent --zone=home --add-service=dns
sudo firewall-cmd --permanent --zone=home --add-service=nfs
sudo firewall-cmd --permanent --zone=home --add-source=192.168.122.0/24
sudo firewall-cmd --complete-reload

confirm the new settings

sudo firewall-cmd --list-all
home (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: enp6s0
  sources: 192.168.122.0/24
  services: dhcpv6-client dns mdns nfs samba-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

The most important part is the --permanent switch. What app are you trying to enable?

The app I’m trying to give access is LocalSend (it’s a really nice app for transferring files between phones, phones and computers, heck even computers and computers).

So I need to give port 53317 permission for tcp and udp. How would I do that exactly?

sudo firewall-cmd --permanent --zone=home --add-port=53317
sudo firewall-cmd --permanent --zone=home --add-protocol=tcp
sudo firewall-cmd --permanent --zone=home --add-protocol=udp

Just a frustration: the firewalld interface is quite unintuitive, and at least I can’t figure out how to make it work.

Try:

sudo firewall-cmd --permanent --zone=home --add-port=53317/tcp
sudo firewall-cmd --permanent --zone=home --add-port=53317/udp

I hear ya, that’s why I went to using the terminal exclusively. Let me know if @pebcak’s solution works for you.

Ideally you wouldn’t hard allow ports like that. You would create a service and then allow the service access.

This is very simple to do in the GUI.

There are only a couple of tricks to the GUI

  • The first is understanding zones and services
  • The second is understanding that there is both a running and a permanent config

If you get a grasp for both those concepts, it should become more understandable.

The most common mistake people make is trying to treat it like ufw where you just say “open these ports”.
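As an added example, not posted by anyone in this thread, here is the "create a service, then allow the service" approach from above as a small shell helper. It writes a firewalld service definition for LocalSend (port 53317 tcp/udp and the "home" zone are taken from the thread; the function names and the output directory are assumptions):

```shell
#!/bin/sh
# Added example: define a custom firewalld service for LocalSend instead of
# opening bare ports in the zone. Port 53317 tcp/udp and zone "home" come
# from the thread; function names and the output directory are assumptions.

# Print the service definition in firewalld's service XML format.
localsend_service_xml() {
    cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>LocalSend</short>
  <description>LocalSend peer-to-peer file transfer (port 53317 tcp/udp).</description>
  <port protocol="tcp" port="53317"/>
  <port protocol="udp" port="53317"/>
</service>
EOF
}

# Write the definition into a services directory (firewalld reads
# /etc/firewalld/services/*.xml; a local file there overrides a packaged one).
# Prints the path written so callers can check it.
write_localsend_service() {
    dir="${1:-/etc/firewalld/services}"
    mkdir -p "$dir"
    localsend_service_xml > "$dir/localsend.xml"
    chmod 0644 "$dir/localsend.xml"
    echo "$dir/localsend.xml"
}

# Allow the service in the permanent config of a zone, then reload so the
# running config matches. Only run this on the real host (root + firewalld).
enable_localsend_in_zone() {
    zone="${1:-home}"
    firewall-cmd --reload                                   # pick up the new service file
    firewall-cmd --permanent --zone="$zone" --add-service=localsend
    firewall-cmd --reload                                   # permanent config -> running config
    firewall-cmd --zone="$zone" --list-services | grep -qw localsend
}

# Usage on the host (assumed file name):
#   sudo sh -c '. ./localsend-fw.sh; write_localsend_service && enable_localsend_in_zone home'
```

Changes made without --permanent live only in the running config and vanish on reload or reboot, which is the behaviour the original post describes; if you have already built up a working runtime config, `firewall-cmd --runtime-to-permanent` saves it as the permanent one.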