13

Is there an easy way to show a full list of all the ports that have been opened using firewalld?

I know the command firewall-cmd --list-all, but that just shows service names, not the ports that those services define as being open.

For example:

[root@myserver log]# firewall-cmd --list-all
  dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: ssh squid my-icap 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

I know I can go into the definition files for each of these services to see what ports they are defining as open, but it seems like there should be a single-line way to do this, and I'm just missing it.

And I'm not looking for netstat: that will tell me if something is listening on a port, which is a different question from whether that port is accessible from another host.

  • Did you open the ports with firewall-cmd --add-port or firewall-cmd --add-service? – Nasir Riley Aug 21 '19 at 17:00
  • With --add-service, which is why they show up in the services: line. If I had added the ports individually with --add-port, then they would have shown up in the ports: line. But I like the concept of grouping ports by service and enabling and disabling them all together; I'm just frustrated that I can't find a simple way to see all the ports that are opened by the listed services. – Dave Mulligan Aug 21 '19 at 17:42
  • Then that's your answer. When you use --add-services, the --list-all switch only shows the services. That's the way that firewall-cmd is designed to work. If you want it to list the ports then you'll either have to open them with --add-port or edit the code of firewall-cmd so that it shows the ports as well as the services. – Nasir Riley Aug 21 '19 at 17:48
  • I understand that that's the way that the --list-all option works. It just seems bizarre if there's no way to display all the ports that are open, which - surely - is one of the most common questions about a firewall's status. Even --service <service_name> --get-ports doesn't give the information about a single service. – Dave Mulligan Aug 21 '19 at 22:31
  • I completely agree with you @DaveMulligan and I'm looking for exactly the same thing but can't find it, and because there's no answer I guess no one knows... – davispuh Dec 14 '19 at 14:11
  • I as well would like to see all the open ports on a screen for my own peace of mind, from a security auditing perspective. – mister mcdoogle Aug 07 '21 at 15:17

2 Answers

13

I've also been looking for this. Currently I've come up with this bash one-liner:

for s in $(firewall-cmd --list-services); do firewall-cmd --permanent --service "$s" --get-ports; done;

and for regular ports just use

$ firewall-cmd --list-ports

or just

$ firewall-cmd --list-all
miken32
davispuh
0

This one-liner should work for both direct-interface services and rich language rules, and show the service name along with its port numbers, protocols, etc.

firewall-cmd --list-all | egrep "services|service.*accept" | sed -e 's/.*="\(.*\)".*/\1/g' | sed -e 's/\s\+services:\s\+//g' | tr ' ' '\n' | xargs -I '{}' firewall-cmd --info-service={}

If you just want something easy to remember for an ad-hoc lookup of the port definitions for a service, then:

firewall-cmd --info-service=service_name
AdminBee
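A script, added here as an example and not part of either answer, that combines the two approaches above: it takes service names from both the services: line and any rich rules in the --list-all output, then reads each service's XML definition file to print the ports that service opens. It assumes the definition files live in /etc/firewalld/services (local overrides) and /usr/lib/firewalld/services (defaults); the demo function runs it offline on a constructed copy of the zone output from the question with made-up definition files.

```shell
# Added example, not code from the original post: resolve every service a zone
# enables to the ports its firewalld definition file opens. Reads the text of
# `firewall-cmd --list-all`, taking service names from the "services:" line and
# from rich rules of the form service name="X". Assumed lookup path: local
# overrides in /etc/firewalld/services, then /usr/lib/firewalld/services.

# Service names the zone enables, from "services:" and from rich rules.
services_from_listall() {
  awk '
    /^[ \t]*services:/ { for (i = 2; i <= NF; i++) print $i }
    match($0, /service name="[^"]+"/) { print substr($0, RSTART + 14, RLENGTH - 15) }
  ' | sort -u
}

# Path of the XML definition for service $1; first directory that has it wins.
service_file() {
  dirs=${FIREWALLD_SERVICE_PATH:-/etc/firewalld/services:/usr/lib/firewalld/services}
  old_ifs=$IFS; IFS=:
  for d in $dirs; do
    if [ -f "$d/$1.xml" ]; then IFS=$old_ifs; printf '%s\n' "$d/$1.xml"; return 0; fi
  done
  IFS=$old_ifs; return 1
}

# "proto/port" for each <port .../> element of the service XML at $1.
# Attribute order differs between files, so each attribute is picked separately.
ports_from_service_xml() {
  grep -o '<port [^>]*/>' "$1" | while read -r elem; do
    proto=$(printf '%s' "$elem" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
    port=$(printf '%s' "$elem" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
    printf '%s/%s\n' "$proto" "$port"
  done
}

# Live use: firewall-cmd --list-all | list_zone_ports
list_zone_ports() {
  services_from_listall | while read -r s; do
    f=$(service_file "$s") || { printf '%s (no definition found)\n' "$s"; continue; }
    ports_from_service_xml "$f" | sed "s|^|$s |"
  done
}

# Offline demo on constructed input: the question's zone plus one rich rule.
demo() {
  tmp=$(mktemp -d); FIREWALLD_SERVICE_PATH=$tmp
  printf '<service><port protocol="tcp" port="22"/></service>\n' > "$tmp/ssh.xml"
  printf '<service><port port="3128" protocol="tcp"/><port protocol="udp" port="3130"/></service>\n' > "$tmp/squid.xml"
  printf '%s\n' 'dmz (active)' '  services: ssh squid my-icap' '  ports:' '  rich rules:' \
    '    rule family="ipv4" source address="192.0.2.0/24" service name="squid" accept' | list_zone_ports
  rm -rf "$tmp"; unset FIREWALLD_SERVICE_PATH
}
```

A service reported as "no definition found" (my-icap in the demo) has no XML in either directory, so its ports cannot be resolved from files alone.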