
Is there a way to assign two ports to the same service in firewalld? For example, I would like for the SMTP service to listen on both port 25 and port 465. My first instinct is to change /usr/lib/firewalld/services/smtp.xml to read as follows:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mail (SMTP)</short>
  <description>This option allows incoming SMTP mail delivery. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You $
  <port protocol="tcp" port="465"/>
  <!-- is adding a second port here legal and the best approach? -->
  <port protocol="tcp" port="25"/> 
</service>
CodeMed

1 Answer

You could either create another service:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mail (SMTP on port 465)</short>
  <description>This option allows incoming SMTP mail delivery on the alternative port 465. If you need to allow remote hosts to connect directly to your machine to deliver mail, enable this option. You do not need to enable this if you collect your mail from your ISP's server by POP3 or IMAP, or if you use a tool such as fetchmail. Note that an improperly configured SMTP server can allow remote machines to use your server to send spam.</description>
  <port protocol="tcp" port="465"/>
</service>

and save it as (for example) /usr/lib/firewalld/services/alt-smtp.xml, after which you can add it to the same zone as the original smtp service.

Or, you could do as you suggested in your question. From man firewalld.service:

port
   Is an optional empty-element tag and can be used several times to have
   more than one port entry.

The former will give you more control - you can enable one or the other or both. The latter is less typing.

garethTheRed
    This works. I typed `nc my.SERVER.ip.addr 465 < /dev/null` in my devbox terminal, and it printed out `220 mydomain.com ESMTP Postfix` in return. And yet the server is still able to receive another test email that I sent from a different account. I still cannot send outbound email, but this has isolated the problem substantially further to the postfix config. Thank you and +1. – CodeMed Mar 03 '15 at 20:38
  • Are you willing to help me frame a question I am going to post today? I have two populations connecting into the same private web server which can only be accessed via OpenVPN. Each population will use a separate app, with NO cross-use. Can I set things up so that each population receives a different app when typing in `https / 10.8.0.1`? Perhaps even an alias so that population A types `https : / appNameA` while population B types `https : / appNameB`. Or should I create two separate OpenVPN instances, each running in a different port? This pre-question would get down-voted as too general. – CodeMed Mar 10 '15 at 19:52
  • Hello :-) Initially, I'd investigate [this](https://openvpn.net/index.php/open-source/documentation/howto.html#policy) again. Expand on it so that you have different subnets for each population. Configure `firewalld` to forward the different subnets to different ports (e.g. 80 for one, 81 for the other) and run each app on different ports (80 and 81). – garethTheRed Mar 10 '15 at 20:18
  • I have a related question which seems right up your alley. Are you willing to take a look at it? Here is the link: http://unix.stackexchange.com/questions/233837/configuring-httpd-for-multiple-domains-on-same-server – CodeMed Oct 04 '15 at 12:33
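
As an added example, not code from the question or the answer above: a small POSIX shell script that builds a firewalld service file the way the answer describes, with one <port> element per port, and reads the ports back out of any service file. It writes to /etc/firewalld/services rather than /usr/lib/firewalld/services, because files in /etc/firewalld/services override the stock definitions and are not replaced on package upgrades, so editing the shipped smtp.xml in place is the fragile way to do this. The service name smtp-multi, the function names and the FIREWALLD_SERVICE_DIR variable are inventions of this example, not anything firewalld defines; the firewall-cmd options it calls (--reload, --permanent, --zone, --add-service, --list-services) are the standard ones. Passing a single port argument produces the one-port alt-smtp style file from the answer's first option, so the same script covers both approaches.

```sh
#!/bin/sh
# Added example, not code from the question or the answer.
# Writes a firewalld service definition with any number of <port> entries
# into the administrator's override directory and reads the ports back out.
# Assumptions (not from the page): the service name "smtp-multi" and the
# FIREWALLD_SERVICE_DIR variable are made up for this example.
# /etc/firewalld/services takes precedence over /usr/lib/firewalld/services
# and is not touched by package upgrades, so new or changed services go there.

SERVICE_DIR="${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}"

# write_service NAME SHORT DESCRIPTION PORT/PROTO...
# Prints the path of the file it wrote. Each PORT/PROTO argument (e.g. 25/tcp
# or 1024-2048/udp) becomes one <port .../> element; firewalld.service(5)
# allows the element to repeat, so one service can cover 25/tcp and 465/tcp.
write_service() {
    svc_name=$1; svc_short=$2; svc_desc=$3
    shift 3
    case "$svc_name" in
        ''|*/*) echo "write_service: bad service name '$svc_name'" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "write_service: at least one PORT/PROTO required" >&2; return 1; }
    # short/description are dropped into the XML unescaped, so refuse the two
    # characters that would corrupt the document rather than write a file
    # firewalld rejects on reload.
    case "$svc_short$svc_desc" in
        *'&'*|*'<'*) echo "write_service: '&' and '<' not allowed in short/description" >&2; return 1 ;;
    esac
    # Validate every port spec before opening the file, so a bad argument
    # never leaves a half-written service behind.
    for spec in "$@"; do
        case "$spec" in
            */tcp|*/udp|*/sctp|*/dccp) ;;
            *) echo "write_service: bad port spec '$spec' (want e.g. 25/tcp)" >&2; return 1 ;;
        esac
        case "${spec%%/*}" in
            ''|*[!0-9-]*) echo "write_service: bad port '${spec%%/*}' in '$spec'" >&2; return 1 ;;
        esac
    done
    svc_file="$SERVICE_DIR/$svc_name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$svc_short"
        printf '  <description>%s</description>\n' "$svc_desc"
        for spec in "$@"; do
            # protocol attribute first, then port, matching what firewalld writes
            printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%%/*}"
        done
        printf '</service>\n'
    } > "$svc_file"
    printf '%s\n' "$svc_file"
}

# service_ports FILE
# Lists the PORT/PROTO pairs of an existing service file, one per line, in
# file order; works on the stock files under /usr/lib/firewalld/services too.
# Relies on the attribute order firewalld itself writes: protocol, then port.
service_ports() {
    sed -n 's/.*<port[^>]*protocol="\([^"]*\)"[^>]*port="\([^"]*\)".*/\2\/\1/p' "$1"
}

# enable_service NAME ZONE
# The first reload is what makes a freshly written file known to the daemon;
# the second commits the permanent zone change to the running configuration.
enable_service() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "enable_service: firewall-cmd not found, nothing applied" >&2
        return 1
    fi
    firewall-cmd --reload &&
    firewall-cmd --permanent --zone="$2" --add-service="$1" &&
    firewall-cmd --reload &&
    firewall-cmd --zone="$2" --list-services
}

# Usage (as root), covering both ports the question asks about:
#   write_service smtp-multi "Mail (SMTP)" "SMTP on 25/tcp and 465/tcp" 25/tcp 465/tcp
#   enable_service smtp-multi public
#   service_ports /etc/firewalld/services/smtp-multi.xml   # -> 25/tcp then 465/tcp
```

The port attribute of a <port> element takes a single port or a range such as 1024-2048, not a comma-separated list, which is why the script emits one element per argument. Running service_ports against /usr/lib/firewalld/services/smtp.xml first shows exactly what the stock definition opens before you duplicate or extend it.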