Solved How to use firewall-cmd to verify that tcp 80 & 443 is open?
-
To complicate further I checked out the official firewalld documentation.
https://firewalld.org/documentation/
There is also a Direct Interface where you can specify rules that will go directly to
iptables. And will not show up in the regular listings.Firewalld is just a management tool for
iptables.Which brings me to the probably easiest way to check if the firewall is open or not, is to go to iptables directly.
For instance, list all rules that have destination port 80:
iptables -S | grep "dport 80"Otherwise using firewalld would be to list everything (
firewall-cmd ---list-all).
Then look for:- on
services:look forhttpandhttps - on
ports:look for80/tcpand443/tcp
and hope no one defined rules using the Direct Interface.
And if you wanted to make sure to only look for permanent rules:
firewall-cmd --permanent --list-all - on
-
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
-
@JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
-
Under normal circumstances, you just use the firewall tool and stop at that. If someone did anything else, they are trying to hide things from you. Compare to Windows, you'd not look any further than the Windows firewall if it is running, right? You don't dig for extra tools or registry entries. Could they exist? Of course. If they do, you probably need to rebuild pristine and start over as you have a system you can't really know.
-
Why don't you just look in
/etc/firewalls/zones/? Each zone has an xml file there, with list of ports and services that are permanently open. -
@marcinozga said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
Why don't you just look in
/etc/firewalls/zones/? Each zone has an xml file there, with list of ports and services that are permanently open.Because that's way more work and tells him nothing the one line command wouldn't have summarized.
-
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
That was not clear to me.
But I would still stand by my statement. You look where it is supposed to be with the default tool. If it is not, then it is a snowflake and you need to rectify that. Snowflakes are bad.
-
@scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
@Pete-S You are over complicating this.
You check with the designated tool for the system as noted.
Either you see it is open or you see it is not.
If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need fixed.
His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.
That's correct.
-
You guys are right though. It's complicated looking at every possible way to configure the firewall so it makes sense to test the "normal" way and leave it at that.
One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
I've not seen something like that for iptables/netfilter.
-
@Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:
One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
I've not seen something like that for iptables/netfilter.Not sure about simulating, but you can always send packets at it and use iptables -v to see the counters.
