
Update: after commenting out the line in /etc/hosts that is kinda like

#127.0.1.1  my-host.domain.edu  my-host

and rebooting, the firewall does open the expected ports. I thought to do this because, during testing with the firewall down, binding to host '' was able to accept connections, but binding to the host my-host did not (because that was only binding to 127.0.1.1, not my external address).

I do not understand why this should change how firewalld acts, especially when I had specified which interface the rules should apply to.

Original post:

I have a Debian 11 server (not running NetworkManager) that I am attempting to open ports on using firewalld, using the same commands I have used successfully on other machines, and running them with and without --permanent. I can see these rules in nft list ruleset. But I cannot access the servers on this machine; VNC Viewer says "The connection was refused by the computer", and I get the same result when running a python echo server on port 11000 (so it's not just a VNC problem). I tried explicitly adding the interface to firewalld, but that didn't change anything. I have rebooted the machine; that did not change anything either. Why are these ports not open?

:~> sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0f0
  sources: 
  services: dhcpv6-client http https ldap ldaps nfs postgresql rsyncd ssh vnc-server
  ports: 1024-65535/tcp 1024-65535/udp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
:~> sudo nft list table inet firewalld
table inet firewalld {
    chain raw_PREROUTING {
        type filter hook prerouting priority raw + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . iif oif missing drop
    }

    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PREROUTING_ZONES
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "enp4s0f0" goto mangle_PRE_public
        goto mangle_PRE_public
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_POLICIES_pre
        jump filter_INPUT_ZONES
        jump filter_INPUT_POLICIES_post
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_FORWARD_POLICIES_pre
        jump filter_FORWARD_IN_ZONES
        jump filter_FORWARD_OUT_ZONES
        jump filter_FORWARD_POLICIES_post
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "enp4s0f0" goto filter_IN_public
        goto filter_IN_public
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_IN_ZONES {
        iifname "enp4s0f0" goto filter_FWDI_public
        goto filter_FWDI_public
    }

    chain filter_FORWARD_OUT_ZONES {
        oifname "enp4s0f0" goto filter_FWDO_public
        goto filter_FWDO_public
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_public {
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
        tcp dport 80 ct state { new, untracked } accept
        tcp dport 443 ct state { new, untracked } accept
        tcp dport 389 ct state { new, untracked } accept
        tcp dport 636 ct state { new, untracked } accept
        tcp dport 2049 ct state { new, untracked } accept
        tcp dport 5432 ct state { new, untracked } accept
        tcp dport 873 ct state { new, untracked } accept
        udp dport 873 ct state { new, untracked } accept
        tcp dport 5900-5903 ct state { new, untracked } accept
        tcp dport 1024-65535 ct state { new, untracked } accept
        udp dport 1024-65535 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    chain filter_FWDO_public {
        jump filter_FWDO_public_pre
        jump filter_FWDO_public_log
        jump filter_FWDO_public_deny
        jump filter_FWDO_public_allow
        jump filter_FWDO_public_post
    }

    chain filter_FWDO_public_pre {
    }

    chain filter_FWDO_public_log {
    }

    chain filter_FWDO_public_deny {
    }

    chain filter_FWDO_public_allow {
    }

    chain filter_FWDO_public_post {
    }

    chain filter_FWDI_public {
        jump filter_FWDI_public_pre
        jump filter_FWDI_public_log
        jump filter_FWDI_public_deny
        jump filter_FWDI_public_allow
        jump filter_FWDI_public_post
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain filter_FWDI_public_pre {
    }

    chain filter_FWDI_public_log {
    }

    chain filter_FWDI_public_deny {
    }

    chain filter_FWDI_public_allow {
    }

    chain filter_FWDI_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }
}
elliotta
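The hostname-binding effect described in the update, as an added example that is not part of the original post: it resolves a hostname the way the libc resolver reads /etc/hosts (a constructed dictionary stands in for the DNS lookup that follows under the usual "files dns" order) and reports which address a listener would actually bind to, and so whether clients on other machines can reach it at all, regardless of firewalld. The hosts file contents, the DNS stand-in and the 203.0.113.10 address are all constructed.

```python
import ipaddress

# Constructed /etc/hosts mirroring the Debian layout from the question;
# the 127.0.1.1 line is the one the asker later commented out.
HOSTS_BEFORE = """\
127.0.0.1   localhost
127.0.1.1   my-host.domain.edu  my-host
::1         localhost ip6-localhost ip6-loopback
"""
HOSTS_AFTER = HOSTS_BEFORE.replace("127.0.1.1", "#127.0.1.1")

# Constructed stand-in for DNS (203.0.113.10 is a documentation address).
FAKE_DNS = {"my-host": "203.0.113.10", "my-host.domain.edu": "203.0.113.10"}


def parse_hosts(text):
    """Map every name and alias in an /etc/hosts file to its address."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name, addr)  # first matching line wins (simplified)
    return table


def resolve(host, hosts_text, dns=FAKE_DNS):
    """Resolve like nsswitch 'hosts: files dns': /etc/hosts first, then DNS."""
    if host == "":
        return "0.0.0.0"  # wildcard bind: every local IPv4 address
    return parse_hosts(hosts_text).get(host) or dns.get(host)


def diagnose(host, hosts_text, dns=FAKE_DNS):
    """Say whether a listener bound to `host` is reachable from other machines."""
    addr = resolve(host, hosts_text, dns)
    if addr is None:
        return "unresolvable: bind() would fail with a name-resolution error"
    if addr == "0.0.0.0":
        return "wildcard: listens on every interface, subject to firewalld"
    if ipaddress.ip_address(addr).is_loopback:
        # Nothing listens on the external address, so the kernel answers a
        # permitted SYN with RST and the client sees "connection refused".
        return f"loopback only: {host} -> {addr}, unreachable from outside"
    return f"external: {host} -> {addr}, reachable if firewalld allows the port"
```

On the real machine, `getent hosts my-host` shows the same resolution this script models, so it is a quick way to confirm which address a hostname bind will land on.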

1 Answer


Commenting out the following line from /etc/hosts and then rebooting with firewalld enabled resulted in the firewalld opening ports as expected.

#127.0.1.1 my-host.domain.edu my-host

I am surprised that this affected the firewall settings, especially when I had set the appropriate interface for zone public, and I do not understand why this fixed it. But the firewall now works as expected.

elliotta