    Solved How to use firewall-cmd to verify that tcp 80 & 443 is open?

    IT Discussion
    firewalld firewall-cmd fedora rhel centos
1337

      If I wanted to check that a server has tcp port 80 and 443 permanently open for incoming connections, what command(s) should I use?

      I'm a bit confused by the multitude of zones and the fact that you can specify ports and services. And that rules are not permanent unless you tell them to be.

      It's for troubleshooting instructions so I can't be sure how the firewall was configured in the first place.

ITivan80

        You can use the following command:

        netstat -a -n

DustinB3403

          You'd check firewall-cmd with firewall-cmd --list-ports

          Assuming you added them as permanent ports that would be what you need.

scottalanmiller @ITivan80

            @ITivan80 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

            You can use the following command:

            netstat -a -n

            That tells only if services are listening, it is not aware of if the firewall exists or how it is configured.

scottalanmiller @1337

              @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

              It's for troubleshooting instructions so I can't be sure how the firewall was configured in the first place.

              This is the command for showing the full configuration of the firewall...

              firewall-cmd --list-all
1337 @scottalanmiller

                @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                It's for troubleshooting instructions so I can't be sure how the firewall was configured in the first place.

                This is the command for showing the full configuration of the firewall...

                firewall-cmd --list-all
                

I was looking at that earlier but it only shows one zone. Can there be others that allow incoming connections as well?

1337 @DustinB3403

                  @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                  You'd check firewall-cmd with firewall-cmd --list-ports

                  Assuming you added them as permanent ports that would be what you need.

                  Problem is that I don't know how they would be added.

                  On the machine I'm looking at right now port 80 is open but firewall-cmd --list-ports shows nothing.

1337

                    If I run firewall-cmd --list-all-zones I see the following zones:

                    • block
                    • dmz
                    • drop
                    • public
                    • trusted
                    • work

I'm not sure I understand how this works. I mean, what is the work zone? Never seen that in any kind of real firewall.

Or is this made to look like the "firewall" in Windows, where each network interface belongs to a zone?

DustinB3403

                      Well since this is port 80 and 443 you'd likely check the public network.

1337 @DustinB3403

                        @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                        Well since this is port 80 and 443 you'd likely check the public network.

                        How can one be sure? If it's an on-prem server they might as well use the work zone?

travisdh1 @1337

                          @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                          @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                          Well since this is port 80 and 443 you'd likely check the public network.

                          How can one be sure? If it's an on-prem server they might as well use the work zone?

                          I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.

scottalanmiller @1337

                            @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                            @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                            @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                            It's for troubleshooting instructions so I can't be sure how the firewall was configured in the first place.

                            This is the command for showing the full configuration of the firewall...

                            firewall-cmd --list-all

I was looking at that earlier but it only shows one zone. Can there be others that allow incoming connections as well?

                            Can there be? Yes. Are there typically, no. So that it only shows one is expected.

scottalanmiller @1337

                              @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                              If I run firewall-cmd --list-all-zones I see the following zones:

                              • block
                              • dmz
                              • drop
                              • public
                              • trusted
                              • work

I'm not sure I understand how this works. I mean, what is the work zone? Never seen that in any kind of real firewall.

Or is this made to look like the "firewall" in Windows, where each network interface belongs to a zone?

                              They are just zones with arbitrary names for you to use when you want. They aren't used by default.

scottalanmiller @1337

                                @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                Well since this is port 80 and 443 you'd likely check the public network.

                                How can one be sure? If it's an on-prem server they might as well use the work zone?

                                Only the command that I sent can tell you, nothing else has the ability to tell you.

scottalanmiller @travisdh1

                                  @travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                  @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                  @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                  Well since this is port 80 and 443 you'd likely check the public network.

                                  How can one be sure? If it's an on-prem server they might as well use the work zone?

                                  I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.

                                  Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.

JaredBusch @scottalanmiller

                                    @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                    @travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                    @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                    @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                    Well since this is port 80 and 443 you'd likely check the public network.

                                    How can one be sure? If it's an on-prem server they might as well use the work zone?

                                    I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.

                                    Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.

                                    Actually, I've repeatedly mentioned in your posted guides that you specify a zone and you should not.

                                    You always want to use the firewall-cmd command without specifying a zone, thus it applies the command to whatever the default zone name is on the instance.

This is important as the default zone name can vary based on what ISO an instance is installed from. Something I did not realize until a few years ago when you posted a guide for something and it did not work for me because I ran from the CentOS minimal ISO while you did it from the server ISO.

1337 @JaredBusch

                                      @JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                      @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                      @travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                      @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                      @DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                      Well since this is port 80 and 443 you'd likely check the public network.

                                      How can one be sure? If it's an on-prem server they might as well use the work zone?

                                      I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.

                                      Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.

                                      Actually, I've repeatedly mentioned in your posted guides that you specify a zone and you should not.

                                      You always want to use the firewall-cmd command without specifying a zone, thus it applies the command to whatever the default zone name is on the instance.

This is important as the default zone name can vary based on what ISO an instance is installed from. Something I did not realize until a few years ago when you posted a guide for something and it did not work for me because I ran from the CentOS minimal ISO while you did it from the server ISO.

                                      You make a good point. I did some research and there is one default zone but then there are one or several active zones.

                                      Default zone

The default zone is where rules and interfaces end up by default, and it's the zone used for all commands where you don't specify the zone.
It can be changed with: firewall-cmd --set-default-zone=XXXX

                                      Active zone

                                      The active zones are zones that have an interface or source specified in them. It can be one or several. Find out with: firewall-cmd --get-active-zones

                                      Interface / source zones

Zones can belong to an interface and/or they can have a source. So if you want to specify a source IP range with some specific rules, you have to put that in its own zone. But if you do so it will show up as an active zone.

                                      Summary

So if you want to be sure which zone to use, you can't rely on the default zone, because it can be set to any zone. Best would be to check which zones are active and then check out those zones to see what's in them.

1337

                                        To complicate further I checked out the official firewalld documentation.

                                        https://firewalld.org/documentation/

                                        There is also a Direct Interface where you can specify rules that will go directly to iptables. And will not show up in the regular listings.

                                        Firewalld is just a management tool for iptables.

Which brings me to probably the easiest way to check whether the firewall is open or not: go to iptables directly.

                                        For instance, list all rules that have destination port 80:

iptables -S | grep "dport 80"

Otherwise, using firewalld, you would list everything (firewall-cmd --list-all).
Then look for:

                                        • on services: look for http and https
                                        • on ports: look for 80/tcp and 443/tcp

                                        and hope no one defined rules using the Direct Interface.

                                        And if you wanted to make sure to only look for permanent rules:
                                        firewall-cmd --permanent --list-all
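Putting the two points above together (check every active zone rather than only the default one, and remember the runtime/permanent split and the direct interface), here is an added shell example that is not code from the thread. The zone listing it embeds is constructed; the live part assumes firewall-cmd is on PATH and that you have rights to query it.

```shell
#!/bin/sh
# Added example, not from the thread: check every *active* firewalld zone
# (not only the default one) for tcp/80 and tcp/443, runtime and permanent,
# then list direct rules, which --list-all never shows.

# Zone names are the non-indented lines of `firewall-cmd --get-active-zones`;
# the indented lines are the interfaces/sources attached to each zone.
active_zone_names() {
    printf '%s\n' "$1" | sed -n '/^[^[:space:]]/p'
}

# zone_opens_tcp LISTING PORT SERVICE
# Succeeds if the `firewall-cmd --zone=X --list-all` output in LISTING opens
# PORT/tcp, either explicitly on the "ports:" line or via the named service
# (http / https), which is the other way the thread says a port shows up.
zone_opens_tcp() {
    listing=$1; port=$2; service=$3
    for p in $(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p'); do
        [ "$p" = "$port/tcp" ] && return 0
    done
    for s in $(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p'); do
        [ "$s" = "$service" ] && return 0
    done
    return 1
}

# Walk the live firewall. --permanent shows only what survives a reload; a rule
# added without --permanent is visible only in the runtime listing.
check_live() {
    zones=$(firewall-cmd --get-active-zones)
    for zone in $(active_zone_names "$zones"); do
        runtime=$(firewall-cmd --zone="$zone" --list-all)
        permanent=$(firewall-cmd --permanent --zone="$zone" --list-all)
        for pair in "80 http" "443 https"; do
            set -- $pair
            zone_opens_tcp "$runtime" "$1" "$2" && echo "$zone: $1/tcp open (runtime)" || echo "$zone: $1/tcp CLOSED (runtime)"
            zone_opens_tcp "$permanent" "$1" "$2" && echo "$zone: $1/tcp open (permanent)" || echo "$zone: $1/tcp NOT permanent"
        done
    done
    echo "direct-interface rules (never shown by --list-all):"
    firewall-cmd --direct --get-all-rules
}

# Constructed sample of `firewall-cmd --zone=public --list-all` output:
# 443 is open via the https service, 80 via an explicit port entry.
SAMPLE_ZONE='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports: 80/tcp 8443/tcp
  rich rules:'

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` on the server itself. Where firewalld uses its nftables backend, its rules do not appear in `iptables -S` at all, so the firewall-cmd view above is the authoritative one.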

JaredBusch @1337

                                          @Pete-S You are over complicating this.

                                          You check with the designated tool for the system as noted.

                                          Either you see it is open or you see it is not.

                                          If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.

scottalanmiller @JaredBusch

                                            @JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                                            @Pete-S You are over complicating this.

                                            You check with the designated tool for the system as noted.

                                            Either you see it is open or you see it is not.

                                            If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.

                                            His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
