Solved How to use firewall-cmd to verify that tcp 80 & 443 is open?
-
If I run
firewall-cmd --list-all-zones
I see the following zones:- block
- dmz
- drop
- public
- trusted
- work
I'm not sure I understand how this works. I mean what is the work zone? Never seen that in any kind real firewall.
Or is this made to look like the "firewall" in windows? Where each network interface belongs to a zone?
-
Well since this is port 80 and 443 you'd likely check the public network.
-
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
It's for troubleshooting instructions so I can't be sure how the firewall was configured in the first place.
This is the command for showing the full configuration of the firewall...
firewall-cmd --list-all
I was looking at that earlier but it only shows one zone. Can there be other that allow incoming connections as well?
Can there be? Yes. Are there typically, no. So that it only shows one is expected.
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
If I run
firewall-cmd --list-all-zones
I see the following zones:- block
- dmz
- drop
- public
- trusted
- work
I'm not sure I understand how this works. I mean what is the work zone? Never seen that in any kind real firewall.
Or is this made to look like the "firewall" in windows? Where each network interface belongs to a zone?
They are just zones with arbitrary names for you to use when you want. They aren't used by default.
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
Only the command that I sent can tell you, nothing else has the ability to tell you.
-
@travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.
Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.
-
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.
Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.
Actually, I've repeatedly mentioned in your posted guides that you specify a zone and you should not.
You always want to use the
firewall-cmd
command without specifying a zone, thus it applies the command to whatever the default zone name is on the instance.This is important as the default zone name can vary based on what ISO an instance is installed from. Something I did not realize until a few years ago when you posted aguide for something and it did not work for me because I ran from the CentOS minimal ISO while you did it from the server ISO.
-
@JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@travisdh1 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@DustinB3403 said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Well since this is port 80 and 443 you'd likely check the public network.
How can one be sure? If it's an on-prem server they might as well use the work zone?
I always use the default zone, so no mucking about with different zones. Using different zones might make sense somewhere, but in today's world of a single service per server instance, it would be the exception that proves the rule.
Me too. No system that I have would have more than one active zone. It's good to have the option, but it almost never applies.
Actually, I've repeatedly mentioned in your posted guides that you specify a zone and you should not.
You always want to use the
firewall-cmd
command without specifying a zone, thus it applies the command to whatever the default zone name is on the instance.This is important as the default zone name can vary based on what ISO an instance is installed from. Something I did not realize until a few years ago when you posted aguide for something and it did not work for me because I ran from the CentOS minimal ISO while you did it from the server ISO.
You make a good point. I did some research and there is one default zone but then there are one or several active zones.
Default zone
The default zone is where rules and interfaces ends up by default and it's the zone used for all commands where you don't specify the zone.
It can be changed with:firewall-cmd --set-default-zone=XXXX
Active zone
The active zones are zones that have an interface or source specified in them. It can be one or several. Find out with:
firewall-cmd --get-active-zones
Interface / source zones
Zones can belong to an interface and/or it can have a source. So if you want to specify a source IP range with some specific rules you have to put that in it's own zone. But if you do so it will show up as an active zone.
Summary
So if you want to be sure which zone to use, you can't rely on the default zone, because it can be set to any zone. Best would be to check which zones that are active and then check out those zones to see what's in them.
-
To complicate further I checked out the official firewalld documentation.
https://firewalld.org/documentation/
There is also a Direct Interface where you can specify rules that will go directly to
iptables
. And will not show up in the regular listings.Firewalld is just a management tool for
iptables
.Which brings me to the probably easiest way to check if the firewall is open or not, is to go to iptables directly.
For instance, list all rules that have destination port 80:
iptables -S | grep "dport 80"
Otherwise using firewalld would be to list everything (
firewall-cmd ---list-all
).
Then look for:- on
services:
look forhttp
andhttps
- on
ports:
look for80/tcp
and443/tcp
and hope no one defined rules using the Direct Interface.
And if you wanted to make sure to only look for permanent rules:
firewall-cmd --permanent --list-all
- on
-
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
-
@JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
-
Under normal circumstances, you just use the firewall tool and stop at that. If someone did anything else, they are trying to hide things from you. Compare to Windows, you'd not look any further than the Windows firewall if it is running, right? You don't dig for extra tools or registry entries. Could they exist? Of course. If they do, you probably need to rebuild pristine and start over as you have a system you can't really know.
-
Why don't you just look in
/etc/firewalls/zones/
? Each zone has an xml file there, with list of ports and services that are permanently open. -
@marcinozga said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Why don't you just look in
/etc/firewalls/zones/
? Each zone has an xml file there, with list of ports and services that are permanently open.Because that's way more work and tells him nothing the one line command wouldn't have summarized.
-
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
That was not clear to me.
But I would still stand by my statement. You look where it is supposed to be with the default tool. If it is not, then it is a snowflake and you need to rectify that. Snowflakes are bad.
-
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
That's correct.
-
You guys are right though. It's complicated looking at every possible way to configure the firewall so it makes sense to test the "normal" way and leave it at that.
One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
I've not seen something like that for iptables/netfilter.
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
I've not seen something like that for iptables/netfilter.Not sure about simulating, but you can always send packets at it and use iptables -v to see the counters.