Linux firewalld - I can hit port 4506, but my configuration shouldn't let me

Not sure what I've got wrong here. I don't see port 4506 open in this configuration, but I'm able to telnet to it from a remote machine on the 156.9.122 subnet. What am I doing wrong?



# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 156.9.122.0/24
services: http https ntp dhcpv6-client kerberos ldaps ssh dns ldap
ports: 443/tcp 7902/tcp 8014/tcp 7903/tcp 8089/tcp 463/tcp 7899/tcp 7898/tcp 7900/tcp 52311/udp 80/tcp 7901/tcp 1584/tcp 1585/tcp 463/udp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


# iptables -nvL




Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
112 11773 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
21 4809 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 29114 packets, 7722K bytes)
pkts bytes target prot opt in out source destination
29114 7722K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * * 0.0.0.0/0 156.9.122.0/24 [goto]

Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7902 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8014 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7903 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7899 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7898 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7900 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52311 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7901 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1584 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1585 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination

  • Did someone manually alter the firewall? Check with iptables -nvL
    – Michael Hampton, Apr 5 at 18:15

  • @Michael Hampton - Added the output to my question, but I'm not sure what to look for. I did not install this OS, so it's possible it was changed manually.
    – Adam vonNieda, Apr 5 at 18:18

  • I see nothing here that would allow incoming traffic to port 4506. Exactly how are you testing this?
    – Michael Hampton, Apr 5 at 18:21

  • A simple "telnet <hostname> 4506" from a Windows machine
    – Adam vonNieda, Apr 5 at 18:21

  • I've also done a tcpdump on the server to validate that I am in fact hitting that port on that server. I did see traffic over port 4506.
    – Adam vonNieda, Apr 5 at 18:50
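One line in the iptables listing above deserves a second look: the first rule of IN_public_allow accepts any TCP packet with only a `limit: avg 25/min burst 100` match and no port, and it corresponds to none of the services, ports or rich rules shown for the public zone. The added example below (not code from the question or from firewalld) parses a constructed, abridged copy of that listing and walks a NEW TCP packet to port 4506 through INPUT, following jumps and [goto] rules the way the kernel does, to show which rule decides it; the source host 156.9.122.10 and the interface name eth0 are assumptions.

```python
# Added example, not from the question or firewalld: walk an `iptables -nvL`
# listing for one hypothetical packet and report which rule decided it.
import ipaddress
import re

# Constructed, abridged excerpt of the listing in the question: INPUT_direct,
# most per-port rules in IN_public_allow and repeated header rows are left out.
DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
112 11773 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
21 4809 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited
Chain INPUT_ZONES (1 references)
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]
Chain INPUT_ZONES_SOURCE (1 references)
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]
Chain IN_public (2 references)
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0
Chain IN_public_allow (1 references)
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW
Chain IN_public_deny (1 references)
Chain IN_public_log (1 references)
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_dump(text):
    """Return {chain: (policy or None, [rules])} from `iptables -nvL` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            current = m.group(1)
            chains[current] = (m.group(2), [])
            continue
        cols = line.split()
        if not cols or cols[0] == "pkts" or current is None:
            continue
        # columns: pkts bytes target prot opt in out source destination [matches...]
        extra = " ".join(cols[9:])
        state = re.search(r"ctstate (\S+)", extra)
        dport = re.search(r"dpt:(\d+)", extra)
        chains[current][1].append({
            "target": cols[2], "proto": cols[3], "in": cols[5],
            "src": ipaddress.ip_network(cols[7]),
            "ctstate": set(state.group(1).split(",")) if state else None,
            "dport": int(dport.group(1)) if dport else None,
            "goto": "[goto]" in extra, "limit": "limit:" in extra})
    return chains


def matches(rule, pkt, under_limit):
    """True when every match in the rule applies; `limit:` is modelled as a flag."""
    return ((rule["proto"] in ("all", pkt["proto"]))
            and (rule["in"] in ("*", "+") or rule["in"] == pkt["iface"])
            and ipaddress.ip_address(pkt["src"]) in rule["src"]
            and (rule["ctstate"] is None or pkt["state"] in rule["ctstate"])
            and (rule["dport"] is None or rule["dport"] == pkt["dport"])
            and (not rule["limit"] or under_limit))


def walk(chains, chain, pkt, under_limit=True):
    """Return (verdict, chain, rule_no); rule_no 0 means the chain policy applied."""
    policy, rules = chains[chain]
    for no, rule in enumerate(rules, 1):
        if not matches(rule, pkt, under_limit):
            continue
        if rule["target"] in TERMINAL:
            return rule["target"], chain, no
        result = walk(chains, rule["target"], pkt, under_limit)
        if result is not None:
            return result
        if rule["goto"]:  # the chain we went to returned, so this one returns too
            break
    return (policy, chain, 0) if policy else None


def verdict_for(proto, dport, src="156.9.122.10", under_limit=True, text=DUMP):
    """Verdict for a NEW packet; source host and interface eth0 are constructed."""
    pkt = {"proto": proto, "dport": dport, "src": src, "iface": "eth0", "state": "NEW"}
    return walk(parse_dump(text), "INPUT", pkt, under_limit)


if __name__ == "__main__":
    # Inside the 25/min burst-100 budget the port-less TCP rule accepts 4506;
    # once the budget is spent the packet reaches the catch-all REJECT in INPUT.
    print(verdict_for("tcp", 4506))                     # ('ACCEPT', 'IN_public_allow', 1)
    print(verdict_for("tcp", 4506, under_limit=False))  # ('REJECT', 'INPUT', 6)
```

Running the walker on the full listing is a quick way to confirm which rule a test connection is actually hitting before touching the firewall, and `iptables -nvL` counters on that rule (93 packets here) corroborate the result.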

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7902 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8014 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7903 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7899 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7898 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7900 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52311 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7901 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1584 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1585 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination






linux centos7 firewalld

edited Apr 5 at 18:17
asked Apr 5 at 18:03
Adam vonNieda



  • Did someone manually alter the firewall? Check with iptables -nvL
    – Michael Hampton
    Apr 5 at 18:15

  • @Michael Hampton - Added the output to my question, but I'm not sure what to look for. I did not install this OS, so it's possible it was changed manually.
    – Adam vonNieda
    Apr 5 at 18:18

  • I see nothing here that would allow incoming traffic to port 4506. Exactly how are you testing this?
    – Michael Hampton
    Apr 5 at 18:21

  • A simple "telnet <hostname> 4506" from a Windows machine
    – Adam vonNieda
    Apr 5 at 18:21

  • I've also done a tcpdump on the server to validate that I am in fact hitting that port on that server. I did see traffic over port 4506.
    – Adam vonNieda
    Apr 5 at 18:50












1 Answer

This seems to be the rule that allows such traffic:

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100

Starting from the INPUT chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
112 11773 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Note INPUT_ZONES_SOURCE and INPUT_ZONES. INPUT_direct is empty, so nothing before this point denied or rejected anything.

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Both chains call IN_public. In this case the source is in 156.9.122.0/24, so INPUT_ZONES_SOURCE is used. Had it not been, INPUT_ZONES would have been called with identical results. Basically INPUT_ZONES_SOURCE is doing nothing in this config, but the presence of a [goto] in one could make a difference if the rules change.

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

IN_public_log and IN_public_deny are empty, so they do nothing. Thus IN_public_allow is reached:

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100

All IPs and all TCP ports are accepted, with some rate limits. Due to INPUT_ZONES this is true for all sources, not just 156.9.122.0/24, so things seem worse than you may have thought.

Disclaimer: programmatically generated iptables rules make my eyes bleed, so I could very well be wrong.






answered Apr 5 at 20:52
Mark Wagner

  • Thanks for the info, so do you know what I would need to do to fix it? Could it be fixed via firewall-cmd? I'm no iptables expert and agree this is spaghetti that I guess is generated via firewalld.
    – Adam vonNieda
    Apr 5 at 20:57

  • I don't know. I have never used firewalld.
    – Mark Wagner
    Apr 5 at 22:27

  • OK well in that case I think I'll probably disable firewalld and see if I can fix it with straight iptables from scratch. Appreciate the assist.
    – Adam vonNieda
    Apr 6 at 0:34

  • That doesn't look like it came from firewalld at all. Perhaps someone manually inserted it?
    – Michael Hampton
    Apr 6 at 0:52

  • @Michael - Possibly. This OS was not installed by me, and I kind of feel like my best path is to back everything out and start over. I'm comfortable with both firewalld and iptables, but I'm not an expert with either. So I'm gonna clear the iptables rules, and copy the firewalld zones from a "clean" OS and start fresh. I can handle it from there. Thanks Michael and Mark.
    – Adam vonNieda
    Apr 6 at 3:13




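The answer above traces one packet by hand through INPUT, INPUT_ZONES, IN_public and IN_public_allow until it meets the rate-limited, port-less ACCEPT. As an added example (not part of the original answer, and not code from firewalld or iptables), the POSIX shell script below does that check mechanically over the text form of the ruleset that `iptables -S` or `iptables-save` prints: it flags every ACCEPT rule that matches a whole protocol from any source with no `--dport`/`--sport` and no conntrack-state restriction, which is exactly the shape of the rule found above and the kind of thing a hand-inserted rule inside firewalld's generated chains looks like. The embedded ruleset is a constructed, shortened rendering of the chains in the question, and the function names `audit_accepts` and `sample_findings` are this example's own.

```shell
#!/bin/sh
# Added example: audit an iptables ruleset in "iptables -S" / iptables-save
# text form for ACCEPT rules that admit a whole protocol from any source.
# Not from the Server Fault post; the sample ruleset below is constructed.

audit_accepts() {
  # Reads rules on stdin; prints one line per suspicious rule as
  #   <chain>: <rule>
  # Rules that are normal in a firewalld-managed filter table are skipped:
  # loopback, reply traffic, port-scoped rules, and firewalld's ICMP accept.
  awk '
    $1 == "-A" && / -j ACCEPT( |$)/ {
      chain = $2
      if ($0 ~ / -i lo /) next                        # loopback
      if ($0 ~ /--ctstate [A-Z,]*ESTABLISHED/) next   # RELATED,ESTABLISHED replies
      if ($0 ~ /--dport|--sport/) next                # scoped to a port
      if ($0 ~ / -p icmp /) next                      # firewalld zone default
      print chain ": " $0
    }'
}

# Constructed sample, shortened from the chains shown in the question.
# The INPUT_ZONES "-g IN_public" line is the [goto] seen in iptables -nvL.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i + -g IN_public
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m limit --limit 25/min --limit-burst 100 -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Returns the findings for the constructed sample; on a live host use
#   iptables -S | audit_accepts
sample_findings() {
  printf '%s\n' "$SAMPLE_RULES" | audit_accepts
}

# Expected single finding: the port-less, rate-limited TCP accept in
# IN_public_allow, the rule that lets port 4506 (and every other TCP port) in.
sample_findings
```

A rule that firewalld did not generate (the zone has no rich rule that could produce it) is best removed with the same specification it was added with, for example `iptables -D IN_public_allow -p tcp -m limit --limit 25/min --limit-burst 100 -j ACCEPT`, followed by `firewall-cmd --reload`, which rebuilds firewalld's chains from its permanent configuration. Re-run `iptables -nvL IN_public_allow` and the `telnet <hostname> 4506` test afterwards to confirm the connection is now rejected; the `tcpdump` check from the comments still shows the SYN arriving, since the firewall drops it after capture.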






