Firewalld And LISTEN

Home » CentOS » Firewalld And LISTEN
CentOS 6 Comments

On CentOS7 I have following firewalld setting.

external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dns ftp http https imaps pop3s SMTP ssh
ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:

But by ss -nat, IPV4 443 is not listend. How can I fix?

# ss -nat | grep LISTEN | grep 443
LISTEN 0 128 :::443 :::*

Tadao

6 thoughts on - Firewalld And LISTEN

  • Just because the firewall is open doesn’t mean the process listening on port 443 has to be running. It looks like your HTTPD server (I assume apache httpd?) isn’t listening on ipv4. This is not a firewall problem, but a configuration problem for the web server.


    Jonathan Billings

  • Dear Gordon Messmer,

    Thank you.

    Please teach me one more. By ‘firewall-cmd –list’ its answer is following.

    external (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0
    sources:
    services: dns ftp http https imaps pop3s SMTP ssh
    ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
    113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
    8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
    protocols:
    masquerade: yes
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    Now I can use http normally. And ‘ss -nat’ shows 80 ports used.

    But in avobe firewalld lists, there’s http service, but isn’t 80/tcp.port. Must I add 80/tcp.port?

    Tadao

    2017-07-28 11:29 GMT+09:00 Gordon Messmer :

    CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS

  • Am 30.07.2017 um 07:06 schrieb 望月忠雄:

    Hi,

    you can define rule either by using services or ports. You have partly doubled that config by using both a service definition and a port definition. For instance service SSH and port 22/tcp. Same for SMTP and port 25.

    You find the list of pre-defined services under
    /usr/lib/firewalld/services/.

    To give you an example. You can define

    # firewall-cmd –permanent –zone=public –add-service=http

    which enables port 80/tcp for the public zone. You can check how the service is defined by

    # firewall-cmd –info-service=http

    You could achieve the same port opening by issuing

    firewall-cmd –zone=public –add-port=80/tcp

    More or less a matter of taste how to define things. But you better avoid causing doubled rules.

    See your “iptables -L -n -v –line” output and you’ll find multiple rules defined 2 times.

    Alexander

LEAVE A COMMENT