I have an issue with firewalld where I opened some ports and now want to close them. For example, I opened tcp/3000 in the public zone and now want to close it. So far I've tried this:

  firewall-cmd --zone=public --remove-port=3000/tcp
  firewall-cmd --runtime-to-permanent
  firewall-cmd --reload

after running that, I ran

  firewall-cmd --list-all-zones

and it's showing that the public zone no longer has that port open:

  public (active)
    target: default
    icmp-block-inversion: no
    interfaces: eth0
    sources:
    services: ssh dhcpv6-client http https
    ports: 8080/tcp 500/udp 4500/udp 80/udp 443/udp 7070/udp 5555/tcp 1514/tcp 514/tcp 8086/tcp 8082/tcp 10051/tcp 1514/udp 12201/udp 12201/tcp 514/udp 9200/tcp 5044/tcp 5601/tcp 80/tcp 443/tcp 3306/tcp 5000/tcp 5002/tcp 87/tcp
    protocols:
    masquerade: no
    forward-ports:
    source-ports:
    icmp-blocks:
    rich rules:

However, I can still access my Grafana instance on that port. From there I tried to run

  sudo systemctl restart firewalld

But it's still letting the traffic through.

Kagashe

1 Answer

I know you flagged --list-all-zones and did not see port 3000/tcp open, but:

1. Just to be sure, can you grep all files in /etc/firewalld/zones/*.xml for "3000"?
2. grep for "3000" in /usr/lib/firewalld/zones/*.xml
3. Check the logs
4. Double check that iptables is not running and allowing port 3000

yield
  • OK, grepped those xml files and 300 doesn't appear in them. iptables is running, but the rule that used to be there for that port is gone. Below is the output of `iptables --list-rules | grep 3000`: `-A DOCKER -d 192.168.64.3/32 ! -i br-84fe0b03f189 -o br-84fe0b03f189 -p tcp -m tcp --dport 3000 -j ACCEPT`. Seems to be some issues in the log file though; see output of `grep /var/log/firewalld` https://pastebin.com/raw/C7EABXhW – Kagashe Nov 01 '19 at 10:57
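The `-A DOCKER ... --dport 3000 -j ACCEPT` line in the comment above is the explanation: Docker publishes container ports by adding its own rules to the DOCKER chain in the FORWARD path, which firewalld's zone rules (applied to INPUT) never consult, so removing the port from the public zone has no effect on a docker-published port. As an added example that is not part of this thread, the POSIX shell script below compares firewalld's port list with the ports Docker has published; both sample outputs are constructed, and the two function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread). Docker-published ports live in the
# DOCKER chain of the FORWARD path; firewalld zone rules on INPUT never see
# them, so they stay reachable after `firewall-cmd --remove-port`.

# Constructed sample of `firewall-cmd --zone=public --list-ports` output.
FIREWALLD_PORTS_SAMPLE='8080/tcp 80/tcp 443/tcp 3306/tcp'

# Constructed sample of `iptables -S DOCKER` output (trimmed).
IPTABLES_DOCKER_SAMPLE='-N DOCKER
-A DOCKER -d 192.168.64.3/32 ! -i br-84fe0b03f189 -o br-84fe0b03f189 -p tcp -m tcp --dport 3000 -j ACCEPT
-A DOCKER -d 192.168.64.4/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 3306 -j ACCEPT
-A DOCKER -d 192.168.64.5/32 ! -i docker0 -o docker0 -p udp -m udp --dport 12201 -j ACCEPT'

# Print "port/proto" for every ACCEPT rule in the DOCKER chain.
# Usage: docker_published_ports "$(iptables -S DOCKER)"
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        /^-A DOCKER / && /-j ACCEPT/ {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print port "/" proto
        }'
}

# Print docker-published ports that do NOT appear in the firewalld port list,
# i.e. ports reachable only because of Docker's own iptables rules.
# Usage: ports_bypassing_firewalld "$(firewall-cmd --zone=public --list-ports)" "$(iptables -S DOCKER)"
ports_bypassing_firewalld() {
    fw_ports=" $1 "
    docker_published_ports "$2" | while read -r p; do
        case "$fw_ports" in
            *" $p "*) ;;                # also opened in firewalld, nothing to report
            *) printf '%s\n' "$p" ;;    # open through Docker only
        esac
    done
}

ports_bypassing_firewalld "$FIREWALLD_PORTS_SAMPLE" "$IPTABLES_DOCKER_SAMPLE"
```

On a live host, replace the two sample strings with the real command outputs given in the usage comments; on the constructed sample the script reports 3000/tcp and 12201/udp.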