[CentOS] PostgreSQL port accessible even though it should be blocked by firewall
Gordon Messmer
gordon.messmer at gmail.com
Wed Oct 31 17:32:57 UTC 2018
On 10/30/18 8:31 AM, Frank Thommen wrote:
> I am still puzzled that it is possible to circumvent firewalld so
> easily. Basically it means that firewalld is not to be trusted as
> soon as containers with port forwarding are running on a system.

It's hard to see this as a security or trust problem. The root user can
modify the firewall, which is provided by the kernel. firewalld is just
a front-end. Adding rules to the kernel's firewall is not
"circumventing" the management front-end.

You do have to bear in mind that the firewall-cmd output reflects the
*configuration* and not the *state*. When docker adds rules, it
modifies the state, but not the configuration.
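
The configuration/state gap described above can be audited by comparing the kernel's nat table with firewalld's port list. This is an added example, not part of the original message; the sample rule text and port list are constructed, the function names are hypothetical, and it assumes the iptables backend and checks only against `firewall-cmd --list-ports` (not services or rich rules).

```shell
#!/bin/sh
# Added example: report ports that the kernel forwards via DNAT rules (the kind
# docker creates for published ports) but that firewalld's configuration omits.

# Constructed sample of `iptables-save -t nat` output (not from the thread).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5432 -j DNAT --to-destination 172.17.0.2:5432
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 172.17.0.3:80
COMMIT'

# Constructed sample of `firewall-cmd --list-ports` output.
SAMPLE_FWD_PORTS='8080/tcp 443/tcp'

# dnat_ports: read iptables-save text on stdin, print one "port/proto" per DNAT rule.
dnat_ports() {
    awk '/-j DNAT/ {
        proto = ""; port = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-p")      proto = $(i + 1)
            if ($i == "--dport") port  = $(i + 1)
        }
        if (proto != "" && port != "") print port "/" proto
    }' | sort -u
}

# unlisted_ports NAT_TEXT FIREWALLD_PORTS: DNAT ports missing from the firewalld list.
unlisted_ports() {
    fwd_ports=$(printf '%s' "$2" | tr '\n' ' ')
    printf '%s\n' "$1" | dnat_ports | while read -r p; do
        case " $fwd_ports " in
            *" $p "*) ;;          # present in the firewalld configuration
            *) echo "$p" ;;       # exists only in kernel state
        esac
    done
}

# On a live host (as root), replace the samples with:
#   unlisted_ports "$(iptables-save -t nat)" "$(firewall-cmd --list-ports)"
unlisted_ports "$SAMPLE_NAT" "$SAMPLE_FWD_PORTS"
```

With the constructed samples, port 5432/tcp is reported: it is forwarded in kernel state but absent from the firewalld port list.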