Instead of messing around with the ports directly with RHEL7/CentOS7 firewall-cmd, I’ve decided to update the port number in the ssh.xml service file instead. Think it’s cleaner this way.
For example, here are the steps to change sshd port from the default 22 to 9876:
1. Make a copy of the default ssh service file:
cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
2. Inspect current firewall settings
iptables -nL | grep -e 22 -e 9876
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
3. Edit /etc/firewalld/services/ssh.xml to change port number
From: <port protocol="tcp" port="22"/>
To: <port protocol="tcp" port="9876"/>
4. Edit /etc/ssh/sshd_config and change the Port directive to 9876
5. Restart sshd
systemctl restart sshd
6. Notice that sshd now listens on the new port
netstat -punta
7. Reload firewalld, which will pick up the new port in ssh.xml
firewall-cmd --reload
8. Inspect the new firewall settings and notice that the port has changed
iptables -nL | grep -e 22 -e 9876
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9876 ctstate NEW
9. Test by opening a second SSH session to port 9876 before closing the existing one
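The steps above, gathered into one script as an added example (this is not from the original post). The script name, the function names and the SELinux port-labelling step are my own assumptions: the text helpers (`rewrite_ssh_service_xml`, `set_sshd_port`, `port_is_open_in_rules`) operate on stdin and can be exercised on constructed input without root, while `apply_ssh_port_change` performs the privileged steps and only runs when the script is invoked as `sh move_ssh_port.sh apply 9876`. On a CentOS 7 host with SELinux enforcing, sshd is only allowed to bind to ports labelled `ssh_port_t`, so the new port is labelled before sshd is restarted; keep the existing session open until the final check passes.

```shell
#!/bin/sh
# Added example, not the original post's code. Moves sshd from port 22 to
# the port given as the second argument, using the firewalld service
# override described in the post. Usage: sh move_ssh_port.sh apply 9876
set -eu

NEW_PORT="${2:-9876}"
SRC_XML=/usr/lib/firewalld/services/ssh.xml
DST_XML=/etc/firewalld/services/ssh.xml

# Rewrite the <port .../> element of a firewalld service definition read
# from stdin so it carries port $1; every other line passes through.
rewrite_ssh_service_xml() {
    sed "s|<port protocol=\"tcp\" port=\"[0-9]*\"/>|<port protocol=\"tcp\" port=\"$1\"/>|"
}

# Rewrite sshd_config read from stdin: the first (possibly commented) Port
# line becomes "Port $1", further Port lines are dropped, and a Port line
# is appended if the file had none.
set_sshd_port() {
    awk -v port="$1" '
        /^[# \t]*Port[ \t]+[0-9]+[ \t]*$/ { if (!done) { print "Port " port; done = 1 }; next }
        { print }
        END { if (!done) print "Port " port }
    '
}

# Return success if "iptables -nL" output read from stdin contains an
# ACCEPT rule for tcp destination port $1 (exact port, not a prefix).
port_is_open_in_rules() {
    grep -Eq "^ACCEPT[[:space:]]+tcp[[:space:]].*dpt:$1([[:space:]]|$)"
}

# Privileged steps: run only when explicitly asked for with "apply".
apply_ssh_port_change() {
    port="$1"
    # 1 + 3: copy of the default service file with the new port number
    rewrite_ssh_service_xml "$port" < "$SRC_XML" > "$DST_XML"
    # SELinux caveat (assumption, not covered by the post): label the new
    # port so an enforcing host lets sshd bind to it.
    if command -v semanage >/dev/null 2>&1 && [ "$(getenforce 2>/dev/null)" = "Enforcing" ]; then
        semanage port -a -t ssh_port_t -p tcp "$port" || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    # 4: update sshd_config in place, keeping its mode and SELinux context
    tmp=$(mktemp)
    set_sshd_port "$port" < /etc/ssh/sshd_config > "$tmp"
    cat "$tmp" > /etc/ssh/sshd_config
    rm -f "$tmp"
    sshd -t                      # refuse to restart on a broken config
    # 5 + 7: restart sshd, then let firewalld pick up the edited ssh.xml
    systemctl restart sshd
    firewall-cmd --reload
    # 8: confirm the ACCEPT rule now names the new port
    if iptables -nL | port_is_open_in_rules "$port"; then
        echo "sshd moved to port $port and firewall rule updated"
    else
        echo "firewall does not accept port $port; keep your current session open and investigate" >&2
        exit 1
    fi
}

case "${1:-}" in
    apply) apply_ssh_port_change "$NEW_PORT" ;;
esac
```

The helpers are pure text filters so they can be checked against a sample ssh.xml, sshd_config and iptables line before the script is ever run as root.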