[CentOS] firewalld and LISTEN

2017-07-27 Thread 望月忠雄
On CentOS 7 I have the following firewalld setting.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

But by ss -nat, IPv4 443 is not listened on. How can I fix it?

# ss -nat | grep LISTEN | grep 443
LISTEN 0  128 :::443 :::*

Tadao
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread Jonathan Billings
On Jul 27, 2017, at 9:36 PM, 望月忠雄  wrote:
> 
> On CentOS 7 I have the following firewalld setting.
> 
> external (active)
>  target: default
>  icmp-block-inversion: no
>  interfaces: eth0
>  sources:
>  services: dns ftp http https imaps pop3s smtp ssh
>  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>  protocols:
>  masquerade: yes
>  forward-ports:
>  sourceports:
>  icmp-blocks:
>  rich rules:
> 
> But by ss -nat, IPv4 443 is not listened on. How can I fix it?
> 
> # ss -nat | grep LISTEN | grep 443
> LISTEN 0  128 :::443 :::*

Just because the firewall is open doesn’t mean the process listening on port 
443 has to be running.  It looks like your HTTPD server (I assume apache 
httpd?) isn’t listening on ipv4.  This is not a firewall problem, but a 
configuration problem for the web server.

--
Jonathan Billings 




Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread 望月忠雄
Dear Jonathan,

Thank you.

Apache is running, and I can access it by https (IPv4 443).
Please tell me which configuration I need to check.

Tadao


2017-07-28 10:52 GMT+09:00 Jonathan Billings :

> On Jul 27, 2017, at 9:36 PM, 望月忠雄  wrote:
> >
> > On CentOS 7 I have the following firewalld setting.
> >
> > external (active)
> >  target: default
> >  icmp-block-inversion: no
> >  interfaces: eth0
> >  sources:
> >  services: dns ftp http https imaps pop3s smtp ssh
> >  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> > 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
> > 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
> >  protocols:
> >  masquerade: yes
> >  forward-ports:
> >  sourceports:
> >  icmp-blocks:
> >  rich rules:
> >
> > But by ss -nat, IPv4 443 is not listened on. How can I fix it?
> >
> > # ss -nat | grep LISTEN | grep 443
> > LISTEN 0  128 :::443 :::*
>
> Just because the firewall is open doesn’t mean the process listening on
> port 443 has to be running.  It looks like your HTTPD server (I assume
> apache httpd?) isn’t listening on ipv4.  This is not a firewall problem,
> but a configuration problem for the web server.
>
> --
> Jonathan Billings 
>
>


Re: [CentOS] firewalld and LISTEN

2017-07-27 Thread Gordon Messmer

On 07/27/2017 06:36 PM, 望月忠雄 wrote:

But by ss -nat, IPv4 443 is not listened on. How can I fix it?

# ss -nat | grep LISTEN | grep 443
LISTEN 0  128 :::443 :::*



By default, Linux processes that listen on an IPv6 port will also listen 
on the IPv4 port (when no specific address is specified):


http://man7.org/linux/man-pages/man7/ipv6.7.html

You could change that behavior by modifying 
/proc/sys/net/ipv6/bindv6only, but your system is working normally now.


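Gordon's point above, worked through as an added example (this is not code from the thread, from CentOS, or from the ss or firewalld projects): a Python script that reads an ss local-address column such as the :::443 in Tadao's output, consults /proc/sys/net/ipv6/bindv6only, and then demonstrates live on the loopback interface that an AF_INET6 socket bound to :: accepts an IPv4 client unless IPV6_V6ONLY is set on it. The ss address strings in the script are constructed samples, and the function names are the example's own.

```python
"""Why 'ss' shows only :::443 while IPv4 clients still connect.

Added example, not from the CentOS thread. On Linux an AF_INET6 socket bound
to the wildcard address :: also accepts IPv4 connections unless IPV6_V6ONLY
is set on the socket, or net.ipv6.bindv6only=1 makes that the default.
"""
import socket


def parse_ss_local(local):
    """Split an ss(8) 'Local Address:Port' column such as ':::443' or
    '0.0.0.0:22' into (address, port). Older ss prints the IPv6 wildcard
    as ':::PORT', newer ss as '[::]:PORT'; both forms are handled."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def listener_accepts_ipv4(addr, bindv6only=0):
    """Does a listener bound to `addr` accept IPv4 clients?
    '::' is the IPv6 wildcard: dual-stack unless bindv6only is set (a
    per-socket IPV6_V6ONLY option, which ss does not display, has the same
    effect). '*' and '0.0.0.0' are IPv4 wildcards; '::ffff:a.b.c.d' is an
    IPv4-mapped address, so IPv4 only; any other IPv6 literal is IPv6 only."""
    if addr == "::":
        return not bindv6only
    if addr in ("*", "0.0.0.0") or addr.startswith("::ffff:"):
        return True
    return ":" not in addr  # plain IPv4 literal -> yes; IPv6 literal -> no


def read_bindv6only(path="/proc/sys/net/ipv6/bindv6only"):
    """System default for IPV6_V6ONLY (0 or 1); None if IPv6 is not built in."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def ipv4_reachable_via_v6_listener(v6only):
    """Live check: listen on [::]:<ephemeral port> with IPV6_V6ONLY = v6only,
    then connect from an AF_INET socket to 127.0.0.1:<port>.
    True  -> the IPv4 connect succeeded (dual-stack listener)
    False -> connection refused (v6-only listener, nothing on the IPv4 side)
    None  -> no usable IPv6 or loopback on this host, nothing to conclude"""
    if not socket.has_ipv6:
        return None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    with srv:
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        try:
            srv.bind(("::", 0))
            srv.listen(1)
        except OSError:
            return None
        port = srv.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
            cli.settimeout(2.0)
            try:
                cli.connect(("127.0.0.1", port))
            except ConnectionRefusedError:
                return False
            except OSError:
                return None
            return True


if __name__ == "__main__":
    default = read_bindv6only() or 0
    # Constructed ss local-address samples in the thread's output format.
    for col in (":::443", "0.0.0.0:22", "[::1]:5432"):
        addr, port = parse_ss_local(col)
        print(f"{col:<12} port {port:<5} accepts IPv4: {listener_accepts_ipv4(addr, default)}")
    print("dual-stack listener reachable over IPv4:", ipv4_reachable_via_v6_listener(False))
    print("v6-only listener reachable over IPv4:   ", ipv4_reachable_via_v6_listener(True))
```

Run it as root or as an ordinary user; the live check binds only an ephemeral loopback port. If it reports None for both cases, the host has IPv6 disabled and the first function's static answer is all you get.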


Re: [CentOS] firewalld and LISTEN

2017-07-29 Thread 望月忠雄
Dear Gordon Messmer,

Thank you.

Please teach me one more thing.
The answer from 'firewall-cmd --list' is as follows.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Now I can use http normally.
And 'ss -nat' shows port 80 in use.

But in the above firewalld list there is an http service, but there isn't an 80/tcp port.
Must I add an 80/tcp port?

Tadao



2017-07-28 11:29 GMT+09:00 Gordon Messmer :

> On 07/27/2017 06:36 PM, 望月忠雄 wrote:
>
>> But by ss -nat, IPv4 443 is not listened on. How can I fix it?
>>
>> # ss -nat | grep LISTEN | grep 443
>> LISTEN 0  128 :::443 :::*
>>
>
>
> By default, Linux processes that listen on an IPv6 port will also listen
> on the IPv4 port (when no specific address is specified):
>
> http://man7.org/linux/man-pages/man7/ipv6.7.html
>
> You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only,
> but your system is working normally now.
>


Re: [CentOS] firewalld and LISTEN

2017-07-30 Thread Alexander Dalloz

On 30.07.2017 at 07:06, 望月忠雄 wrote:

Please teach me one more thing.
The answer from 'firewall-cmd --list' is as follows.

external (active)
   target: default
   icmp-block-inversion: no
   interfaces: eth0
   sources:
   services: dns ftp http https imaps pop3s smtp ssh
   ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
   protocols:
   masquerade: yes
   forward-ports:
   sourceports:
   icmp-blocks:
   rich rules:

Now I can use http normally.
And 'ss -nat' shows port 80 in use.

But in the above firewalld list there is an http service, but there isn't an 80/tcp port.
Must I add an 80/tcp port?

Tadao


Hi,

You can define rules either by using services or by using ports. You have partly 
doubled that config by using both a service definition and a port 
definition, for instance service ssh and port 22/tcp. Same for smtp and 
port 25.


You find the list of pre-defined services under 
/usr/lib/firewalld/services/.


To give you an example, you can define

# firewall-cmd --permanent --zone=public --add-service=http

which enables port 80/tcp for the public zone. You can check how the 
service is defined by


# firewall-cmd --info-service=http

You could achieve the same port opening by issuing

firewall-cmd --zone=public --add-port=80/tcp

It is more or less a matter of taste how to define things, but you had better 
avoid causing doubled rules.


See your "iptables -L -n -v --line" output and you'll find multiple 
rules defined twice.


Alexander
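Alexander's doubling, checked mechanically, as an added example that is not from the thread or from firewalld itself: the script parses the zone listing Tadao posted (firewall-cmd --list-all output), maps each listed service to its ports using the XML under /usr/lib/firewalld/services/ when that directory exists and otherwise constructed copies of the stock definitions for the eight services in the listing, and reports which raw port entries a service already covers. It also answers the 80/tcp question: the http service opens it, so no port entry is needed. Function names and the SAMPLE_* constants are the example's own.

```python
"""Find ports a firewalld zone opens twice: once through a service and once
as a raw port entry.

Added example, not part of the thread or of firewalld. SAMPLE_ZONE is the
listing posted in the thread; SAMPLE_SERVICE_XML holds constructed copies of
the stock /usr/lib/firewalld/services/<name>.xml files, used when that
directory is not present on the machine running the script.
"""
import os
import re
import xml.etree.ElementTree as ET

SAMPLE_ZONE = """\
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
"""

# Constructed stand-ins for the stock service definitions (same <port> elements).
SAMPLE_SERVICE_XML = {
    "dns":   '<service><short>DNS</short><port protocol="tcp" port="53"/><port protocol="udp" port="53"/></service>',
    "ftp":   '<service><short>FTP</short><port protocol="tcp" port="21"/></service>',
    "http":  '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
    "https": '<service><short>Secure WWW (HTTPS)</short><port protocol="tcp" port="443"/></service>',
    "imaps": '<service><short>IMAPS</short><port protocol="tcp" port="993"/></service>',
    "pop3s": '<service><short>POP3S</short><port protocol="tcp" port="995"/></service>',
    "smtp":  '<service><short>SMTP</short><port protocol="tcp" port="25"/></service>',
    "ssh":   '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
}

KEY_LINE = re.compile(r"^\s+([a-z][a-z -]*):\s*(.*)$")


def parse_zone(text):
    """Turn 'firewall-cmd --list-all' output into a dict of key -> word list.
    The first unindented line is the zone name; later unindented lines are
    wrapped continuations of the previous key (the 'ports:' line here)."""
    zone, key = {"name": None}, None
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            key = m.group(1)
            zone[key] = m.group(2).split()
        elif key is None:
            zone["name"] = line.strip()
        elif line.strip():
            zone[key].extend(line.split())
    return zone


def ports_from_service_xml(xml_text):
    """Collect 'PORT/PROTO' entries from a firewalld service definition."""
    root = ET.fromstring(xml_text)
    return [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")]


def sample_service_ports():
    """Service -> ports map built purely from the constructed XML."""
    return {n: ports_from_service_xml(x) for n, x in SAMPLE_SERVICE_XML.items()}


def load_service_ports(names, services_dir="/usr/lib/firewalld/services"):
    """Service -> ports map; reads the real XML where available, otherwise
    (or for names the samples do not cover) falls back to the samples."""
    result, samples = {}, sample_service_ports()
    for name in names:
        try:
            with open(os.path.join(services_dir, f"{name}.xml")) as fh:
                result[name] = ports_from_service_xml(fh.read())
        except OSError:
            if name in samples:
                result[name] = samples[name]
    return result


def port_key(spec):
    """Numeric sort key for 'PORT/PROTO' ('6000-6063/tcp' sorts by its start)."""
    port, _, proto = spec.partition("/")
    return int(port.split("-")[0]), proto


def duplicated_ports(zone, service_ports):
    """Raw port entries in the zone that a listed service already opens."""
    explicit = set(zone.get("ports", []))
    implied = {p for s in zone.get("services", []) for p in service_ports.get(s, [])}
    return sorted(explicit & implied, key=port_key)


def port_opened_by(zone, service_ports, spec):
    """Every rule opening `spec`: 'port' for a raw entry, 'service:NAME' for
    each service that includes it. An empty list means the port is closed."""
    sources = ["port"] if spec in zone.get("ports", []) else []
    sources += sorted(f"service:{s}" for s in zone.get("services", [])
                      if spec in service_ports.get(s, []))
    return sources


if __name__ == "__main__":
    zone = parse_zone(SAMPLE_ZONE)
    svc = load_service_ports(zone["services"])
    print("zone:", zone["name"])
    print("opened twice:", " ".join(duplicated_ports(zone, svc)))
    for spec in ("80/tcp", "443/tcp", "8443/tcp"):
        print(f"{spec:>9} opened by: {port_opened_by(zone, svc, spec) or 'nothing'}")
```

On the thread's listing the script reports eight doubled entries (21, 22, 25, 53/tcp, 53/udp, 443, 993 and 995) and shows 80/tcp as opened by service:http alone. To audit a live box, replace SAMPLE_ZONE with the saved output of firewall-cmd --list-all for the zone in question.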


Re: [CentOS] firewalld and LISTEN

2017-07-30 Thread 望月忠雄
Dear Alexander,

Thank you.

Tadao


2017-07-31 1:25 GMT+09:00 Alexander Dalloz :

> On 30.07.2017 at 07:06, 望月忠雄 wrote:
>
>> Please teach me one more thing.
>> The answer from 'firewall-cmd --list' is as follows.
>>
>> external (active)
>>target: default
>>icmp-block-inversion: no
>>interfaces: eth0
>>sources:
>>services: dns ftp http https imaps pop3s smtp ssh
>>ports: 110/tcp 21/tcp 2/tcp 106/tcp 53/tcp 990/tcp 5432/tcp
>> 8447/tcp
>> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 1/tcp
>> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>>protocols:
>>masquerade: yes
>>forward-ports:
>>sourceports:
>>icmp-blocks:
>>rich rules:
>>
>> Now I can use http normally.
>> And 'ss -nat' shows port 80 in use.
>>
>> But in the above firewalld list there is an http service, but there isn't
>> an 80/tcp port.
>> Must I add an 80/tcp port?
>>
>> Tadao
>>
>
> Hi,
>
> You can define rules either by using services or by using ports. You have partly
> doubled that config by using both a service definition and a port
> definition, for instance service ssh and port 22/tcp. Same for smtp and
> port 25.
>
> You find the list of pre-defined services under
> /usr/lib/firewalld/services/.
>
> To give you an example, you can define
>
> # firewall-cmd --permanent --zone=public --add-service=http
>
> which enables port 80/tcp for the public zone. You can check how the
> service is defined by
>
> # firewall-cmd --info-service=http
>
> You could achieve the same port opening by issuing
>
> firewall-cmd --zone=public --add-port=80/tcp
>
> It is more or less a matter of taste how to define things, but you had better
> avoid causing doubled rules.
>
> See your "iptables -L -n -v --line" output and you'll find multiple rules
> defined twice.
>
> Alexander