Firewalld: cannot block traffic on a given port

Hi all,

According to my configuration (and what I understand of firewalld), traffic should be blocked on all ports except on those I authorize. However, I can still access to many ports that should be blocked, including port 8180 on my server (which is the main issue for me right now).

Here is my configuration:

[root@giskard ~]# firewall-cmd --list-all
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  services: dhcpv6-client imaps smtp
  ports: 80/tcp 443/tcp 222/tcp 993/tcp
  masquerade: no
  rich rules:

I tried to:

  • Remove /etc/firewalld to restore default configuration without success.
  • Update from fedora 31 to 32.
  • Use rich rules like:
firewall-cmd --add-rich-rule='rule family="ipv6" port port="8180" protocol="tcp" reject'
firewall-cmd --add-rich-rule='rule family="ipv4" port port="8180" protocol="tcp" reject'
  • Change the default target from default to drop or reject. What I find weird is that with default, I get this when I try to see whether the port is opened (I get the answers really quickly):
$ nc -zv -4 8180; nc -zv -6 8180                                           
Connection to 8180 port [tcp/*] succeeded!
nc: connect to port 8180 (tcp) failed: Permission denied
# Checking on a explicitly opened port.
$ nc -zv -4 443; nc -zv -6 443
Connection to 443 port [tcp/https] succeeded!
Connection to 443 port [tcp/https] succeeded!

But when I switch the target to DROP, I get:

# On IP v4
Connection to 443 port [tcp/https] succeeded!
Connection to 8180 port [tcp/*] succeeded!

But I get timeouts on IPv6 as if firewalld was correctly blocking the traffic on IPv6 but somehow failing to do it on IPv4.

Any ideas on where this may come from?