[CentOS] PostgreSQL port accessible even though it should be blocked by firewall

Thu Nov 1 12:48:37 UTC 2018
Frank Thommen <list.centos at drosera.ch>

On 31/10/18 18:32, Gordon Messmer wrote:
> On 10/30/18 8:31 AM, Frank Thommen wrote:
>> I am still puzzled that it is possible to circumvent firewalld so
>> easily.  Basically it means that firewalld is not to be trusted as
>> soon as containers with port forwarding are running on a system.
> It's hard to see this as a security or trust problem.  The root user can 
> modify the firewall, which is provided by the kernel. firewalld is just 
> a front-end.  Adding rules to the kernel's firewall is not 
> "circumventing" the management front-end.
> You do have to bear in mind that the firewall-cmd output reflects the 
> *configuration* and not the *state*.  When docker adds rules, it 
> modifies the state, but not the configuration.

I see that (= have learned that :-) now, but for me it means that
firewall-cmd is not to be trusted (even though it is the recommended
tool to manage the local firewall).  I'll have to go back and try to
understand confusing and hard-to-understand iptables output. :-(
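The configuration-versus-state gap discussed in this thread, as an added example (not code from the thread, from firewalld or from Docker): a shell script that parses `iptables-save -t nat` output (the kernel's live state) and `firewall-cmd --list-forward-ports` output (firewalld's configuration), both embedded here as constructed samples, and reports the DNAT ports that exist in the kernel but that firewalld knows nothing about.

```shell
# Added example (not from the thread, firewalld or Docker): compare the
# kernel's live NAT state with firewalld's configured forward-ports.
# Constructed `iptables-save -t nat` sample: Docker published two ports,
# firewall-cmd --list-all shows none of this because it is state, not config.
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8443 -j DNAT --to-destination 172.17.0.3:443
COMMIT'

# Constructed `firewall-cmd --list-forward-ports` sample: only 8443 was configured.
SAMPLE_FWD='port=8443:proto=tcp:toport=443:toaddr=172.17.0.3'

# stdin: iptables-save text -> stdout: "proto/port" per DNAT rule (live state)
live_dnat_ports() {
    awk '/-j DNAT/ {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-p") proto = $(i + 1)
            if ($i == "--dport") port = $(i + 1)
        }
        if (proto != "" && port != "") print proto "/" port
    }'
}

# stdin: forward-port lines -> stdout: "proto/port" per entry (configuration)
configured_forward_ports() {
    awk -F: '{
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "port") port = kv[2]
            if (kv[1] == "proto") proto = kv[2]
        }
        if (proto != "" && port != "") print proto "/" port
    }'
}

# $1: iptables-save text, $2: forward-port text. Prints live DNAT ports that
# firewalld's configuration does not mention (empty output = nothing unmanaged).
unmanaged_ports() {
    conf=$(printf '%s\n' "$2" | configured_forward_ports | sort -u)
    printf '%s\n' "$1" | live_dnat_ports | sort -u |
        awk -v conf="$conf" 'BEGIN { n = split(conf, a, "\n"); for (i = 1; i <= n; i++) seen[a[i]] = 1 } !($0 in seen)'
}
# Real host: unmanaged_ports "$(iptables-save -t nat)" "$(firewall-cmd --list-forward-ports)"
unmanaged_ports "$SAMPLE_NAT" "$SAMPLE_FWD"   # prints: tcp/5432
```

Only DNAT rules with a plain `--dport` are parsed; rules using `-m multiport` or the nftables backend's own listing (`nft list ruleset`) would need a different parser.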