I had firewalld rules that opened a port, but the port was still closed.

I changed the order of my rules and it started working - I don't understand why.

This is what I had before:

cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>

</direct>

Now ports 5000-5200 were not open and I could not access them.

Then I changed the order to this and it started working:

cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>

  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>

</direct>

Why does it do that?

red888

1 Answer

You only have ACCEPT rules, so their order should not make any difference. Rather, have you restarted/reloaded firewalld? In this case, it is possible that your previous rules were marked as permanent (so they were saved to disk) but not as runtime (so they were not currently applied).

shodanshok
  • I thought that it wouldn't matter but it seemed to. Restarted but that didn't work; it only worked when I changed the order - and then restarted. But I never did a reload, so maybe modifying the file forces a service reload? – red888 Apr 22 '17 at 10:33
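The answer's point that ordering cannot change the outcome when every rule is ACCEPT can be checked mechanically. The following is an added example, not code from the question, the answer or firewalld itself: it parses a direct.xml, simulates the INPUT chain for a new connection in priority-then-file order, and reports whether reversing the file would change the verdict. The ipv4-only sample is constructed from the question's file, and the matcher is a deliberate simplification that only understands -p, --dport/--dports and -m state.

```python
import shlex
import xml.etree.ElementTree as ET

# Constructed sample: an abridged, ipv4-only copy of the direct.xml from the question.
DIRECT_XML = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
  <rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
</direct>"""


def parse_direct(xml_text):
    """Return the <rule> elements as dicts, remembering file order (firewalld appends them in that order)."""
    rules = []
    for i, el in enumerate(ET.fromstring(xml_text).iter("rule")):
        rules.append({"priority": int(el.get("priority", "0")), "ipv": el.get("ipv"),
                      "table": el.get("table"), "chain": el.get("chain"),
                      "args": shlex.split(el.text or ""), "order": i})
    return rules


def rule_matches(args, proto, dport):
    """Crude matcher for a NEW-connection packet: honours -p and --dport/--dports, ignores comment matches."""
    if "--state" in args or "--ctstate" in args:
        return False  # we model a NEW connection, so RELATED,ESTABLISHED rules never match
    if "-p" in args and args[args.index("-p") + 1] != proto:
        return False
    for flag in ("--dports", "--dport"):
        if flag in args:
            for part in args[args.index(flag) + 1].split(","):
                lo, _, hi = part.partition(":")
                if int(lo) <= dport <= int(hi or lo):
                    break
            else:
                return False
    return True


def verdict(rules, proto, dport, ipv="ipv4", table="filter", chain="INPUT"):
    """Target of the first matching rule, in priority order then file order; None if nothing matches."""
    chain_rules = [r for r in rules if (r["ipv"], r["table"], r["chain"]) == (ipv, table, chain)]
    for r in sorted(chain_rules, key=lambda r: (r["priority"], r["order"])):
        if rule_matches(r["args"], proto, dport):
            return r["args"][r["args"].index("-j") + 1]
    return None


def order_sensitive(rules, proto, dport, **where):
    """True if the verdict for this packet changes when the rule file is reversed (only possible with non-ACCEPT targets)."""
    reversed_rules = [dict(r, order=-r["order"]) for r in rules]
    return verdict(rules, proto, dport, **where) != verdict(reversed_rules, proto, dport, **where)


if __name__ == "__main__":
    rules = parse_direct(DIRECT_XML)
    print("tcp/5100 ->", verdict(rules, "tcp", 5100), "| order-sensitive:", order_sensitive(rules, "tcp", 5100))
```

If the verdict is ACCEPT in both orders, the file is not the problem and the runtime/permanent split the answer describes is the next thing to check.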