Dear Alexander,
Thank you.
Tadao
2017-07-31 1:25 GMT+09:00 Alexander Dalloz ad+lists@uni-x.org:
Am 30.07.2017 um 07:06 schrieb 望月忠雄:
Please teach me one more. By 'firewall-cmd --list' its answer is following.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
Now I can use http normally. And 'ss -nat' shows 80 ports used.
But in avobe firewalld lists, there's http service, but isn't 80/tcp.port. Must I add 80/tcp.port?
Tadao
Hi,
you can define rule either by using services or ports. You have partly doubled that config by using both a service definition and a port definition. For instance service ssh and port 22/tcp. Same for smtp and port 25.
You find the list of pre-defined services under /usr/lib/firewalld/services/.
To give you an example. You can define
# firewall-cmd --permanent --zone=public --add-service=http
which enables port 80/tcp for the public zone. You can check how the service is defined by
# firewall-cmd --info-service=http
You could achieve the same port opening by issuing
firewall-cmd --zone=public --add-port=80/tcp
More or less a matter of taste how to define things. But you better avoid causing doubled rules.
See your "iptables -L -n -v --line" output and you'll find multiple rules defined 2 times.
Alexander _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos