Firewalld And LISTEN
On CentOS7 I have following firewalld setting.
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dns ftp http https imaps pop3s SMTP ssh
ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443
LISTEN 0 128 :::443 :::*
Tadao
6 thoughts on - Firewalld And LISTEN
Just because the firewall is open doesn’t mean the process listening on port 443 has to be running. It looks like your HTTPD server (I assume apache httpd?) isn’t listening on ipv4. This is not a firewall problem, but a configuration problem for the web server.
—
Jonathan Billings
Dear Jonathan,
Thank you.
Apache is running. And I can access by https(IPV4 443). Please tell me which configuration I need to check.
Tadao
2017-07-28 10:52 GMT+09:00 Jonathan Billings:
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
By default, Linux processes that listen on an IPv6 port will also listen on the IPv4 port (when no specific address is specified):
http://man7.org/linux/man-pages/man7/ipv6.7.html
You could change that behavior by modifying
/proc/sys/net/ipv6/bindv6only, but your system is working normally now.
Dear Gordon Messmer,
Thank you.
Please teach me one more. By ‘firewall-cmd –list’ its answer is following.
external (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dns ftp http https imaps pop3s SMTP ssh
ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:
Now I can use http normally. And ‘ss -nat’ shows 80 ports used.
But in avobe firewalld lists, there’s http service, but isn’t 80/tcp.port. Must I add 80/tcp.port?
Tadao
2017-07-28 11:29 GMT+09:00 Gordon Messmer:
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS
Am 30.07.2017 um 07:06 schrieb 望月忠雄:
Hi,
you can define rule either by using services or ports. You have partly doubled that config by using both a service definition and a port definition. For instance service SSH and port 22/tcp. Same for SMTP and port 25.
You find the list of pre-defined services under
/usr/lib/firewalld/services/.
To give you an example. You can define
# firewall-cmd –permanent –zone=public –add-service=http
which enables port 80/tcp for the public zone. You can check how the service is defined by
# firewall-cmd –info-service=http
You could achieve the same port opening by issuing
firewall-cmd –zone=public –add-port=80/tcp
More or less a matter of taste how to define things. But you better avoid causing doubled rules.
See your “iptables -L -n -v –line” output and you’ll find multiple rules defined 2 times.
Alexander
Dear Alexander,
Thank you.
Tadao
2017-07-31 1:25 GMT+09:00 Alexander Dalloz:
CentOS mailing list CentOS@CentOS.org https://lists.CentOS.org/mailman/listinfo/CentOS