Restore inbound SSH when the service is listening on TCP/22 but clients still get "port closed." Prove sshd is listening, confirm firewalld is enforcing policy, inspect the active zone's allowed services, then allow ssh permanently and reload firewalld.
A teammate says, “The box is up, but nobody can SSH into it anymore.” You have console access. Your job is to restore inbound SSH quickly.
SSH should be running and listening on port 22. Interface and link are good. The failure is caused by firewall policy and a missing ssh allowance in the active zone.
Along the way you will confirm that sshd is listening on TCP/22 and that firewalld is active, and you will use --permanent for persistence and --reload to apply changes to runtime.
First, prove that sshd is listening on TCP/22:
ss -lntp | grep ':22'
You want to see listeners on 0.0.0.0:22 and/or [::]:22 owned by sshd. That proves the daemon is up and bound correctly.
Next, confirm that firewalld is enforcing policy:
sudo firewall-cmd --state
If it returns running, inbound policy is being enforced by firewalld.
sudo firewall-cmd --get-active-zones
This tells you which zone is active and which interface is assigned to it. You should validate you are changing policy in the correct zone.
sudo firewall-cmd --list-services
In this outage, ssh is missing from the allowed services list, so inbound TCP/22 is blocked.
sudo firewall-cmd --permanent --add-service=ssh
--permanent updates the saved configuration so the fix survives reloads and reboots. You still need a reload for it to take effect immediately.
sudo firewall-cmd --reload
This applies the permanent configuration to the running firewall.
sudo firewall-cmd --list-services
You should now see ssh in the services list. At this point, remote SSH attempts should succeed.
If there is no listener on :22, fix the service first: check it with sudo systemctl status sshd and start it with sudo systemctl start sshd.
If ssh is allowed but still blocked, confirm the interface is in the expected zone with sudo firewall-cmd --get-active-zones and inspect the full zone config with sudo firewall-cmd --list-all.
Check SELinux policy, upstream firewalls, or cloud security groups, and confirm the client targets the correct IP and port.
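The triage order above (listener first, then firewalld state, then the zone's service list) can be scripted. The following is an added example written for this page, not part of the lab; it separates the parsing of ss and firewall-cmd output from the live commands so the logic can be exercised against captured output without root. The sample output and the sshd pid are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the lab: triage helpers that encode this page's
# decision tree. Parsing is kept apart from the live commands so it can be
# run against captured output without privileges or a running firewalld.
set -u

# Succeeds when `ss -lntp` output shows a LISTEN socket on port 22 owned by sshd
# (0.0.0.0:22, [::]:22 or a specific address all match; :2222 does not).
sshd_listening_on_22() {
  printf '%s\n' "$1" |
    awk '$1 == "LISTEN" && $4 ~ /:22$/ && /sshd/ { found = 1 } END { exit found ? 0 : 1 }'
}

# Succeeds when "ssh" appears as a whole word in `firewall-cmd --list-services` output.
ssh_service_allowed() {
  printf '%s\n' "$1" | tr ' ' '\n' | grep -qx 'ssh'
}

# Print the remediation this outage needs, following the lab's order of checks:
#   start-sshd       no listener on :22, fix the service first
#   add-ssh-service  firewalld is running and ssh is absent from the zone
#   none             both look good; check zone binding, SELinux, upstream filters
diagnose() {
  local ss_out=$1 fw_state=$2 services=$3
  if ! sshd_listening_on_22 "$ss_out"; then echo start-sshd; return; fi
  if [ "$fw_state" = running ] && ! ssh_service_allowed "$services"; then echo add-ssh-service; return; fi
  echo none
}

# Live mode runs the real commands (needs privileges for ss -p and firewall-cmd).
if [ "${1:-}" = "--live" ]; then
  diagnose "$(ss -lntp)" "$(sudo firewall-cmd --state)" "$(sudo firewall-cmd --list-services)"
fi

# Constructed sample output mimicking the outage in this lab: sshd is bound, but
# the active zone allows only cockpit and dhcpv6-client (pid is made up).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'
SAMPLE_SERVICES='cockpit dhcpv6-client'
```

Run it with --live on the affected box to get the verdict for the real system; without arguments it only defines the helpers and the samples.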
If you only need a short-term restore, omit --permanent. For real systems, do both: immediate fix plus persistent config.
If you need to revert the change after the lab, remove the SSH service allowance and reload firewalld.
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload
sudo firewall-cmd --list-services
The ssh service is present when you want access, and absent when you revert, and the zone policy reflects the intended state.
ss -lntp: List listening TCP sockets with owning process.
  -l: Show listening sockets only.
  -n: Show numeric addresses and ports.
  -t: TCP only.
  -p: Show process using the socket (requires privileges).
firewall-cmd --state: Show whether firewalld is running.
firewall-cmd --get-active-zones: Show active zones and interface bindings.
firewall-cmd --list-services: List allowed services in the active zone.
firewall-cmd --permanent --add-service=ssh: Allow SSH in the permanent zone configuration.
  --permanent: Writes to saved config, not runtime.
  --add-service=ssh: Enables the predefined SSH service definition.
firewall-cmd --reload: Reloads firewall rules and applies permanent config to runtime.
firewall-cmd --permanent --remove-service=ssh: Removes SSH from the permanent allowed services list.
firewall-cmd --list-all: Displays full zone configuration (services, ports, sources, interfaces, rich rules).