[CentOS] PostgreSQL port accessible even though it should be blocked by firewall

Wed Oct 31 17:32:57 UTC 2018
Gordon Messmer <gordon.messmer at gmail.com>

On 10/30/18 8:31 AM, Frank Thommen wrote:
> I am still puzzled that it is possible to circumvent firewalld so 
> easily.  Basically it means, that firewalld is not to be trusted as 
> soon as containers with port forwarding are running on a system. 

It's hard to see this as a security or trust problem.  The root user can 
modify the firewall, which is provided by the kernel. firewalld is just 
a front-end.  Adding rules to the kernel's firewall is not 
"circumventing" the management front-end.

You do have to bear in mind that the firewall-cmd output reflects the 
*configuration* and not the *state*.  When docker adds rules, it 
modifies the state, but not the configuration.
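As an added illustration of the configuration-versus-state gap described above (example code, not part of the original thread): a small shell check that compares the ports firewalld's configuration lists against the ports the kernel's DOCKER nat chain actually forwards. The two sample outputs below are constructed, not captured from a real host.

```shell
#!/bin/sh
# Constructed sample output of `iptables -t nat -S DOCKER` on a host running a
# PostgreSQL container published with `-p 5432:5432` (not real captured output).
DOCKER_NAT_SAMPLE='-N DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80'

# Constructed sample output of `firewall-cmd --list-ports` for the same host
# (the firewalld *configuration*, which knows nothing about docker's rules).
FIREWALLD_PORTS_SAMPLE='8080/tcp 22/tcp'

# Print every port/proto that the kernel's DOCKER nat chain DNATs (the live
# *state*) but that firewalld's configuration does not list.
unlisted_docker_ports() {
    nat_rules="$1"
    fw_ports="$2"
    printf '%s\n' "$nat_rules" |
    awk -v fw="$fw_ports" '
        BEGIN { n = split(fw, a, " "); for (i = 1; i <= n; i++) listed[a[i]] = 1 }
        / -j DNAT / {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "" && !((port "/" proto) in listed)) print port "/" proto
        }'
}

# With the constructed samples this reports only 5432/tcp: forwarded by the
# kernel, invisible in firewall-cmd output.
unlisted_docker_ports "$DOCKER_NAT_SAMPLE" "$FIREWALLD_PORTS_SAMPLE"
```

On a real host, run it as root with the live outputs instead of the samples: `unlisted_docker_ports "$(iptables -t nat -S DOCKER)" "$(firewall-cmd --list-ports)"`.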