On CentOS7 I have following firewalld setting.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443 LISTEN 0 128 :::443 :::*
Tadao
On Jul 27, 2017, at 9:36 PM, 望月忠雄 tadao@creative-japan.org wrote:
On CentOS7 I have following firewalld setting.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443 LISTEN 0 128 :::443 :::*
Just because the firewall is open doesn’t mean the process listening on port 443 has to be running. It looks like your HTTPD server (I assume apache httpd?) isn’t listening on ipv4. This is not a firewall problem, but a configuration problem for the web server.
-- Jonathan Billings billings@negate.org
Dear Jonathan,
Thank you.
Apache is running. And I can access by https(IPV4 443). Please tell me which configuration I need to check.
Tadao
2017-07-28 10:52 GMT+09:00 Jonathan Billings billings@negate.org:
On Jul 27, 2017, at 9:36 PM, 望月忠雄 tadao@creative-japan.org wrote:
On CentOS7 I have following firewalld setting.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443 LISTEN 0 128 :::443 :::*
Just because the firewall is open doesn’t mean the process listening on port 443 has to be running. It looks like your HTTPD server (I assume apache httpd?) isn’t listening on ipv4. This is not a firewall problem, but a configuration problem for the web server.
-- Jonathan Billings billings@negate.org
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
On 07/27/2017 06:36 PM, 望月忠雄 wrote:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443 LISTEN 0 128 :::443 :::*
By default, Linux processes that listen on an IPv6 port will also listen on the IPv4 port (when no specific address is specified):
http://man7.org/linux/man-pages/man7/ipv6.7.html
You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only, but your system is working normally now.
Dear Gordon Messmer,
Thank you.
Please teach me one more. By 'firewall-cmd --list' its answer is following.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
Now I can use http normally. And 'ss -nat' shows 80 ports used.
But in avobe firewalld lists, there's http service, but isn't 80/tcp.port. Must I add 80/tcp.port?
Tadao
2017-07-28 11:29 GMT+09:00 Gordon Messmer gordon.messmer@gmail.com:
On 07/27/2017 06:36 PM, 望月忠雄 wrote:
But by ss -nat, IPV4 443 is not listend. How can I fix?
# ss -nat | grep LISTEN | grep 443 LISTEN 0 128 :::443 :::*
By default, Linux processes that listen on an IPv6 port will also listen on the IPv4 port (when no specific address is specified):
http://man7.org/linux/man-pages/man7/ipv6.7.html
You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only, but your system is working normally now.
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Am 30.07.2017 um 07:06 schrieb 望月忠雄:
Please teach me one more. By 'firewall-cmd --list' its answer is following.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
Now I can use http normally. And 'ss -nat' shows 80 ports used.
But in avobe firewalld lists, there's http service, but isn't 80/tcp.port. Must I add 80/tcp.port?
Tadao
Hi,
you can define rule either by using services or ports. You have partly doubled that config by using both a service definition and a port definition. For instance service ssh and port 22/tcp. Same for smtp and port 25.
You find the list of pre-defined services under /usr/lib/firewalld/services/.
To give you an example. You can define
# firewall-cmd --permanent --zone=public --add-service=http
which enables port 80/tcp for the public zone. You can check how the service is defined by
# firewall-cmd --info-service=http
You could achieve the same port opening by issuing
firewall-cmd --zone=public --add-port=80/tcp
More or less a matter of taste how to define things. But you better avoid causing doubled rules.
See your "iptables -L -n -v --line" output and you'll find multiple rules defined 2 times.
Alexander
Dear Alexander,
Thank you.
Tadao
2017-07-31 1:25 GMT+09:00 Alexander Dalloz ad+lists@uni-x.org:
Am 30.07.2017 um 07:06 schrieb 望月忠雄:
Please teach me one more. By 'firewall-cmd --list' its answer is following.
external (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dns ftp http https imaps pop3s smtp ssh ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp protocols: masquerade: yes forward-ports: sourceports: icmp-blocks: rich rules:
Now I can use http normally. And 'ss -nat' shows 80 ports used.
But in avobe firewalld lists, there's http service, but isn't 80/tcp.port. Must I add 80/tcp.port?
Tadao
Hi,
you can define rule either by using services or ports. You have partly doubled that config by using both a service definition and a port definition. For instance service ssh and port 22/tcp. Same for smtp and port 25.
You find the list of pre-defined services under /usr/lib/firewalld/services/.
To give you an example. You can define
# firewall-cmd --permanent --zone=public --add-service=http
which enables port 80/tcp for the public zone. You can check how the service is defined by
# firewall-cmd --info-service=http
You could achieve the same port opening by issuing
firewall-cmd --zone=public --add-port=80/tcp
More or less a matter of taste how to define things. But you better avoid causing doubled rules.
See your "iptables -L -n -v --line" output and you'll find multiple rules defined 2 times.
Alexander _______________________________________________ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
-
Alexander Dalloz -
Gordon Messmer -
Jonathan Billings -
望月忠雄