0

I want to close all ports but 22 on interface enp0s3. I have netcat listening on port 1234 for testing purposes. Here's where I'm stuck:

$ sudo firewall-cmd --state
running

$ sudo firewall-cmd --zone=drop --list-all
drop (default, active)
  interfaces: enp0s3
  sources: 
  services: ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

$ nmap 10.0.2.15
Starting Nmap 6.40 ( http://nmap.org ) at 2016-02-24 06:36 UTC
Nmap scan report for 10.0.2.15
Host is up (0.00099s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
1234/tcp open  hotline

As you can see, nmap shows port 1234 as open, but I have added the interface to the drop zone in firewalld. What have I missed?

Christoffer Reijer
  • 417
  • 1
  • 4
  • 16

1 Answers1

1

You've tried to do something which is such an amazingly bad idea that firewalld simply will not let you do it.

By default, an input rule allowing all traffic from localhost appears very early in the firewall, and takes priority over all user-defined rules. It is not made visible in firewalld's CLI tools, and cannot be changed or removed using them.

It's theoretically possible that you may have a real need to do this, but it's extraordinarily unlikely (and note well that you may think you have a real need, and actually do not). Firewalling localhost is a great way to break your entire system, as many many programs rely on localhost communications, which is why you can't easily undo this.

Michael Hampton
  • 244,070
  • 43
  • 506
  • 972
  • Ok, argument accepted. It seems however that the issue remains for other interfaces as well. So I've changed the text to focus on the other interface. – Christoffer Reijer Feb 24 '16 at 06:34