Hi all,
According to my configuration (and what I understand of firewalld), traffic should be blocked on all ports except those I authorize. However, I can still access many ports that should be blocked, including port 8180 on my server (which is the main issue for me right now).
Here is my configuration:
[root@giskard ~]# firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client imaps smtp
  ports: 80/tcp 443/tcp 222/tcp 993/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
I tried to:
- Remove /etc/firewalld to restore the default configuration, without success.
- Update from Fedora 31 to 32.
- Use rich rules like:
firewall-cmd --add-rich-rule='rule family="ipv6" port port="8180" protocol="tcp" reject'
firewall-cmd --add-rich-rule='rule family="ipv4" port port="8180" protocol="tcp" reject'
- Change the default target from default to drop or reject.
What I find weird is that with default, I get this when I try to see whether the port is open (I get the answers really quickly):
$ nc -zv -4 mydomain.com 8180; nc -zv -6 mydomain.com 8180
Connection to mydomain.com 8180 port [tcp/*] succeeded!
nc: connect to mydomain.com port 8180 (tcp) failed: Permission denied
# Checking on an explicitly opened port.
$ nc -zv -4 mydomain.com 443; nc -zv -6 mydomain.com 443
Connection to mydomain.com 443 port [tcp/https] succeeded!
Connection to mydomain.com 443 port [tcp/https] succeeded!
But when I switch the target to DROP, I get:
# On IP v4
Connection to mydomain.com 443 port [tcp/https] succeeded!
Connection to mydomain.com 8180 port [tcp/*] succeeded!
But I get timeouts on IPv6 as if firewalld was correctly blocking the traffic on IPv6 but somehow failing to do it on IPv4.
Any ideas on where this may come from?
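An added example, not code from the original post: a small bash script that turns the manual comparison done above (what `firewall-cmd --list-all` says is allowed versus what `nc` actually reached, per address family) into a mechanical audit. The zone listing and probe results are constructed samples copied from the post so the script runs offline; the service-to-port table is a hypothetical shortcut covering only the three services in the listing, where a real audit would read /usr/lib/firewalld/services/<name>.xml.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: audit a firewalld zone listing against
# what a port probe actually reached, per address family. Both inputs are constructed
# samples taken from the post; on a real host feed it `firewall-cmd --list-all` output
# and your own nc results.

# Hypothetical service -> port map covering only the services in the sample listing.
# A real audit should read /usr/lib/firewalld/services/<name>.xml instead of a table.
service_ports() {
  case "$1" in
    imaps)         echo "993/tcp" ;;
    smtp)          echo "25/tcp" ;;
    dhcpv6-client) echo "546/udp" ;;
    *)             echo "" ;;   # unknown service: contributes nothing
  esac
}

# allowed_ports <listing>: union of the zone's explicit ports and its services' ports,
# one "port/proto" per line, de-duplicated.
allowed_ports() {
  local line p
  while read -r line; do          # default IFS strips the listing's indentation
    case "$line" in
      ports:*)    for p in ${line#ports:};    do echo "$p"; done ;;
      services:*) for p in ${line#services:}; do service_ports "$p"; done ;;
    esac
  done <<<"$1" | grep . | sort -u
}

# port_allowed <listing> <port/proto>: succeeds if the zone is configured to accept it.
port_allowed() {
  allowed_ports "$1" | grep -qx "$2"
}

# audit <listing> <probes>: each probe line is "family port/proto result", result being
# open|refused|timeout. Prints a verdict per probe; returns 1 if any probe contradicts policy.
audit() {
  local listing="$1" probes="$2" rc=0 fam port result expect
  while read -r fam port result; do
    [ -n "$fam" ] || continue
    if port_allowed "$listing" "$port"; then expect=open; else expect=blocked; fi
    if [ "$expect" = open ] && [ "$result" = open ]; then
      echo "OK        $fam $port open, as configured"
    elif [ "$expect" = blocked ] && [ "$result" != open ]; then
      echo "OK        $fam $port $result, as configured"
    else
      echo "MISMATCH  $fam $port is $result but the zone policy says $expect"
      rc=1
    fi
  done <<<"$probes"
  return "$rc"
}

# Constructed sample: the zone listing from the post.
LISTING='FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client imaps smtp
  ports: 80/tcp 443/tcp 222/tcp 993/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample: the nc results from the post with target=default. nc's
# "Permission denied" is what connect() reports for an ICMPv6 admin-prohibited reject,
# i.e. an active reject rather than a drop.
PROBES='ipv4 8180/tcp open
ipv6 8180/tcp refused
ipv4 443/tcp open
ipv6 443/tcp open'

audit "$LISTING" "$PROBES" || echo "at least one probe contradicts the configured zone policy"
```

On the sample data the script flags exactly one line, ipv4 8180/tcp open while the zone policy says blocked. When it does flag a mismatch, the next thing to compare against is the live ruleset rather than firewalld's own view of it: `nft list ruleset` (or `iptables -S INPUT` on an iptables backend), `firewall-cmd --direct --get-all-rules`, and `ss -ltnp` to see which addresses the service on 8180 is bound to. The zone listing only shows rules firewalld manages, so rules inserted by other software on the host will not appear in it but will still decide the packet's fate.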