
Is there an easy way to show a full list of all the ports that have been opened using firewalld?

I know the command firewall-cmd --list-all, but that just shows service names, not the ports that those services define as being open.

For example:

[root@myserver log]# firewall-cmd --list-all
  dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: ssh squid my-icap 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I know I can go into the definition files for each of these services to see what ports they are defining as open, but it seems like there should be a single-line way to do this, and I'm just missing it.

And I'm not looking for netstat: that will tell me if something is listening on a port, which is a different question from whether that port is accessible from another host.

Dave Mulligan
Comments:
  • Did you open the ports with `firewall-cmd --add-port` or `firewall-cmd --add-service`? – Nasir Riley Aug 21 '19 at 17:00
  • With `--add-service`, which is why they show up in the `services:` line. If I had added the ports individually with `--add-port`, then they would have shown up in the `ports:` line. But I like the concept of grouping ports by service and enabling and disabling them all together; I'm just frustrated that I can't find a simple way to see all the ports that are opened by the listed services. – Dave Mulligan Aug 21 '19 at 17:42
  • Then that's your answer. When you use `--add-services`, the `--list-all` switch only shows the services. That's the way that `firewall-cmd` is designed to work. If you want it to list the ports then you'll either have to open them with `--add-port` or edit the code of `firewall-cmd` so that it shows the ports as well as the services. – Nasir Riley Aug 21 '19 at 17:48
  • I understand that that's the way that the `--list-all` option works. It just seems bizarre if there's no way to display all the ports that are open, which - surely - is one of the most common questions about a firewall's status. Even `--service get-ports` doesn't give the information about a single service. – Dave Mulligan Aug 21 '19 at 22:31
  • I completely agree with you @DaveMulligan and I'm looking for exactly the same thing but can't find it, and because there's no answer I guess no one knows... – davispuh Dec 14 '19 at 14:11
  • I as well would like to see all the open ports on a screen for my own peace of mind, from a Security Auditing perspective. – powerhousemethod Aug 07 '21 at 15:17

2 Answers


I've also been looking for this; currently I came up with this bash one-liner:

for s in $(firewall-cmd --list-services); do firewall-cmd --permanent --service "$s" --get-ports; done;

and for regular ports just use

$ firewall-cmd --list-ports

or just

$ firewall-cmd --list-all
miken32
davispuh
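The loop above prints each service's port list without naming the service and has to be run on the firewalld host. As an added example (not part of the answer or of firewalld itself), the same resolution can be done offline by reading service definition files of the kind the question mentions (`/usr/lib/firewalld/services/*.xml`, overridden by `/etc/firewalld/services/*.xml`) and combining them with the `services:` and `ports:` lines of `--list-all`; the XML snippets and the `--list-all` text are constructed inline, and the `my-icap` definition is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-ins for the service XML files firewalld ships or the
# admin creates; real files use the same <port protocol=".." port=".."/> layout.
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "squid": '<service><short>Squid</short><port protocol="tcp" port="3128"/></service>',
    # Hypothetical custom service; the port values are chosen for the example.
    "my-icap": '<service><short>ICAP</short><port protocol="tcp" port="1344"/>'
               '<port protocol="udp" port="1344"/></service>',
}

# Constructed copy of the `firewall-cmd --list-all` output from the question,
# with one explicit entry on the ports: line so both paths are exercised.
LIST_ALL = """dmz (active)
  target: default
  interfaces: ens160
  services: ssh squid my-icap 
  ports: 8443/tcp
  protocols: 
"""


def service_ports(xml_text):
    """Return the (port, protocol) pairs a service definition opens."""
    root = ET.fromstring(xml_text)
    # The port attribute may be a single port ("22") or a range ("5060-5061").
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]


def zone_open_ports(list_all_output, service_xml=SERVICE_XML):
    """Map every open port/protocol in a zone to what opened it."""
    fields = {}
    for line in list_all_output.splitlines():
        m = re.match(r"\s*([\w-]+):\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2).split()
    result = {}
    for name in fields.get("services", []):
        for port, proto in service_ports(service_xml[name]):
            result.setdefault(f"{port}/{proto}", []).append(f"service:{name}")
    for spec in fields.get("ports", []):          # ports added with --add-port
        result.setdefault(spec, []).append("port")
    return result


if __name__ == "__main__":
    for spec, origins in sorted(zone_open_ports(LIST_ALL).items()):
        print(f"{spec:12} {', '.join(origins)}")
```

Pointing `service_xml` at the real files (after applying the `/etc` overrides) gives an audit view of every port a zone exposes and which service definition is responsible for it.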

This one-liner should work for both direct-interface services and rich language rules, and show the service name along with its port numbers, protocols, etc.

firewall-cmd --list-all \
  | grep -E '^\s*services:|service name=.*accept' \
  | sed -e 's/.*service name="\([^"]*\)".*/\1/' -e 's/^\s*services:\s*//' \
  | tr -s ' ' '\n' | grep -v '^$' \
  | xargs -r -I{} firewall-cmd --info-service={}

If you just want something easy to remember, to ad-hoc lookup the port definitions for a service, then:

firewall-cmd --info-service=service_name
AdminBee