General
FirewallD is the zone-based netfilter configuration tool shipped with CentOS / RHEL 7. The standard service definitions are distributed with it in /usr/lib/firewalld/services (/lib is a symlink to /usr/lib on these systems). Files of the same name placed in /etc/firewalld/services override the packaged ones and survive package updates, so running a daemon on a custom port is normally a matter of copying the closest standard service XML file into /etc/firewalld/services, changing the port in the copy, reloading firewalld and then adding the new service to the active zone (the default zone is public). For example, to derive a webmin service from the https definition and edit it:
firewall-cmd --permanent --new-service-from-file=/lib/firewalld/services/https.xml --name=webmin
nano /etc/firewalld/services/webmin.xml
Ftpd PASV and nf_conntrack_ftp
For ftpd to work in PASV mode the data channel uses a port negotiated on the control channel, so that port has to be opened dynamically for the duration of each transfer. Netfilter handles this with the nf_conntrack_ftp helper module, which parses the PASV reply on the control connection and registers an expectation for the data connection; firewalld's rules then accept it as RELATED traffic. The module only inspects control connections on the ports it was loaded with, and the default is port 21 alone. When securing ftpd on a custom port, copying ftp.xml keeps the <module name="nf_conntrack_ftp"/> line, so firewalld still loads the module, but the helper will not trigger on the custom control port until its ports option is configured as well.
The setting can be changed on a running system with modprobe, but it is lost at shutdown. Note that modprobe does not change the parameters of a module that is already loaded: if nf_conntrack_ftp has been loaded with the defaults (firewalld loads it when the ftp service is active), unload it first with modprobe -r nf_conntrack_ftp while no FTP sessions are open.
modprobe nf_conntrack_ftp ports=<port>
Multiple ports may be specified as a comma-separated list with no white space, for example
modprobe nf_conntrack_ftp ports=21,2221
To make the setting permanent, create a modprobe configuration file that is read whenever the module is loaded, for example
/etc/modprobe.d/conntrack_ftp.conf
options nf_conntrack_ftp ports=21,2221
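As an added worked example (not code from the original article), the following POSIX shell functions stage both pieces described above in one place: a custom firewalld service file modelled on the stock ftp.xml that keeps the nf_conntrack_ftp module line, the matching /etc/modprobe.d/conntrack_ftp.conf with a validated comma-separated port list, and a check that the module the kernel actually loaded is tracking the expected control ports. The service name ftp-2221, the port 2221 and the root-directory parameter used for dry runs are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Stages a firewalld service for
# ftpd on a custom control port plus the nf_conntrack_ftp module options, then
# verifies what the running kernel loaded. ROOT is / on a live host; pass a
# scratch directory to dry-run. Service name ftp-2221 and port 2221 are assumed.

# True if $1 is a valid TCP port number (digits only, 1..65535).
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Write ROOT/etc/firewalld/services/NAME.xml modelled on the stock ftp.xml:
# the custom control port plus the conntrack helper module firewalld loads.
write_ftp_service() {
    root=$1; name=$2; port=$3
    valid_port "$port" || { echo "write_ftp_service: bad port '$port'" >&2; return 1; }
    dir="$root/etc/firewalld/services"
    mkdir -p "$dir" || return 1
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP ($port)</short>
  <description>FTP control channel on port $port; nf_conntrack_ftp tracks the PASV data channels.</description>
  <port protocol="tcp" port="$port"/>
  <module name="nf_conntrack_ftp"/>
</service>
EOF
}

# Write ROOT/etc/modprobe.d/conntrack_ftp.conf. The ports= value must be a
# comma-separated list with no white space; it is built from the arguments
# and any argument that is not a valid port is rejected.
write_conntrack_ftp_conf() {
    root=$1; shift
    list=
    for p in "$@"; do
        valid_port "$p" || { echo "write_conntrack_ftp_conf: bad port '$p'" >&2; return 1; }
        list="${list:+$list,}$p"
    done
    [ -n "$list" ] || { echo "write_conntrack_ftp_conf: no ports given" >&2; return 1; }
    mkdir -p "$root/etc/modprobe.d" || return 1
    printf 'options nf_conntrack_ftp ports=%s\n' "$list" > "$root/etc/modprobe.d/conntrack_ftp.conf"
}

# Compare the port list the loaded module is using with the expected one.
# The kernel exposes the array parameter comma-separated in sysfs; a mismatch
# means the module was loaded with stale options (e.g. autoloaded by firewalld
# before modprobe.d was written), so the custom control port is not tracked.
check_conntrack_ftp_ports() {
    expected=$1
    param=${2:-/sys/module/nf_conntrack_ftp/parameters/ports}
    [ -r "$param" ] || { echo "nf_conntrack_ftp is not loaded" >&2; return 1; }
    actual=$(cat "$param")
    if [ "$actual" = "$expected" ]; then
        echo "nf_conntrack_ftp tracking ports $actual"
    else
        echo "nf_conntrack_ftp loaded with ports=$actual, expected $expected" >&2
        return 1
    fi
}

# Usage on a live CentOS 7 host (as root):
#   write_ftp_service / ftp-2221 2221
#   write_conntrack_ftp_conf / 21 2221
#   firewall-cmd --reload
#   firewall-cmd --permanent --zone=public --add-service=ftp-2221 && firewall-cmd --reload
#   modprobe -r nf_conntrack_ftp && modprobe nf_conntrack_ftp   # reload with new options
#   check_conntrack_ftp_ports 21,2221
```

The check is the step most often skipped: firewalld loads nf_conntrack_ftp as soon as a service referencing it is active, so if the modprobe.d file is written afterwards the module stays loaded with ports=21 until it is unloaded and reloaded, or until the next boot.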