[CentOS] firewalld and LISTEN

[望月忠雄]

Dear Alexander,

Thank you.

Tadao


2017-07-31 1:25 GMT+09:00 Alexander Dalloz <ad+lists at uni-x.org>:

> Am 30.07.2017 um 07:06 schrieb 望月忠雄:
>
>> Please teach me one more.
>> By 'firewall-cmd --list' its answer is following.
>>
>> external (active)
>>    target: default
>>    icmp-block-inversion: no
>>    interfaces: eth0
>>    sources:
>>    services: dns ftp http https imaps pop3s smtp ssh
>>    ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp
>> 8447/tcp
>> 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
>> 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>>    protocols:
>>    masquerade: yes
>>    forward-ports:
>>    sourceports:
>>    icmp-blocks:
>>    rich rules:
>>
>> Now I can use http normally.
>> And 'ss -nat' shows 80 ports used.
>>
>> But in avobe firewalld lists, there's  http service, but isn't
>> 80/tcp.port.
>> Must I add 80/tcp.port?
>>
>> Tadao
>>
>
> Hi,
>
> you can define rule either by using services or ports. You have partly
> doubled that config by using both a service definition and a port
> definition. For instance service ssh and port 22/tcp. Same for smtp and
> port 25.
>
> You find the list of pre-defined services under
> /usr/lib/firewalld/services/.
>
> To give you an example. You can define
>
> # firewall-cmd --permanent --zone=public --add-service=http
>
> which enables port 80/tcp for the public zone. You can check how the
> service is defined by
>
> # firewall-cmd --info-service=http
>
> You could achieve the same port opening by issuing
>
> firewall-cmd --zone=public --add-port=80/tcp
>
> More or less a matter of taste how to define things. But you better avoid
> causing doubled rules.
>
> See your "iptables -L -n -v --line" output and you'll find multiple rules
> defined 2 times.
>
> Alexander
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>