Linux firewalld - I can hit port 4506, but my configuration shouldn't let me
Not sure what I've got wrong here. I don't see port 4506 open in this configuration, but I'm able to telnet to it from a remote machine on the 156.9.122 subnet. What am I doing wrong?



# firewall-cmd --list-all-zones

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:


home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


public (active)
target: default
icmp-block-inversion: no
interfaces:
sources: 156.9.122.0/24
services: http https ntp dhcpv6-client kerberos ldaps ssh dns ldap
ports: 443/tcp 7902/tcp 8014/tcp 7903/tcp 8089/tcp 463/tcp 7899/tcp 7898/tcp 7900/tcp 52311/udp 80/tcp 7901/tcp 1584/tcp 1585/tcp 463/udp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:


# iptables -nvL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
112 11773 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
21 4809 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_direct all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_IN_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FORWARD_OUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 29114 packets, 7722K bytes)
pkts bytes target prot opt in out source destination
29114 7722K OUTPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FORWARD_IN_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * + 0.0.0.0/0 0.0.0.0/0 [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public all -- * * 0.0.0.0/0 156.9.122.0/24 [goto]

Chain FORWARD_direct (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDI_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDI_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDI_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDI_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public (2 references)
pkts bytes target prot opt in out source destination
0 0 FWDO_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 FWDO_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

Chain FWDO_public_allow (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7902 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8014 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7903 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7899 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7898 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7900 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52311 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7901 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1584 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1585 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination


  • Did someone manually alter the firewall? Check with iptables -nvL – Michael Hampton, Apr 5 at 18:15

  • @Michael Hampton - Added the output to my question, but I'm not sure what to look for. I did not install this OS, so it's possible it was changed manually. – Adam vonNieda, Apr 5 at 18:18

  • I see nothing here that would allow incoming traffic to port 4506. Exactly how are you testing this? – Michael Hampton, Apr 5 at 18:21

  • A simple "telnet <hostname> 4506" from a Windows machine – Adam vonNieda, Apr 5 at 18:21

  • I've also done a tcpdump on the server to validate that I am in fact hitting that port on that server. I did see traffic over port 4506. – Adam vonNieda, Apr 5 at 18:50
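The iptables listing in the question already contains the rule that matches the symptom. The first entry in IN_public_allow is `ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100`: it has no destination-port match, and it is the only rule in that chain with a non-zero packet counter (93). A SYN to tcp/4506 from 156.9.122.0/24 walks INPUT -> INPUT_ZONES_SOURCE -> IN_public -> IN_public_allow and hits that rule before any of the port-specific rules below it. Nothing in the `firewall-cmd --list-all-zones` output (no 4506 port entry, no rich rules) would generate such a rule, so firewalld's view of the policy and the kernel's actual rule set disagree. The script below is an added example, not code from the question or its comments: it parses an `iptables -nvL` listing, reports port-less ACCEPT rules in firewalld's IN_<zone>_allow chains, and answers "which rule would accept a new connection to this port". The listing it parses is a constructed excerpt of the one posted above, trimmed to the chains involved; the chain-name pattern `IN_<zone>_allow` is firewalld's own naming as seen in that listing.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the `iptables -nvL` listing posted in the question,
# trimmed to the chains a new connection to tcp/4506 actually traverses.
SAMPLE_LISTING = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
  205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
  117 12145 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
  117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
   21 4809 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
 pkts bytes target prot opt in out source destination
   93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
    0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 ctstate NEW
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
 pkts bytes target prot opt in out source destination
"""

ZONE_ALLOW_CHAIN = re.compile(r"^IN_\w+_allow$")  # firewalld's per-zone allow chains


@dataclass
class Rule:
    chain: str
    pkts: int
    target: str
    proto: str
    in_if: str
    src: str
    dst: str
    match: str  # trailing match text, e.g. "tcp dpt:80 ctstate NEW"

    def dports(self):
        """Destination ports the rule is restricted to, or None if it matches any port."""
        m = re.search(r"\bdpts?:(\d+)(?::(\d+))?", self.match)
        if not m:
            return None
        lo = int(m.group(1))
        hi = int(m.group(2) or lo)
        return range(lo, hi + 1)


def parse_listing(text):
    """Parse `iptables -nvL` output into Rule objects, preserving chain/rule order."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        parts = line.split()
        if len(parts) < 9 or parts[0] == "pkts":  # blank line or column header
            continue
        pkts, _bytes, target, proto, _opt, in_if, _out, src, dst = parts[:9]
        rules.append(Rule(chain, int(pkts), target, proto, in_if, src, dst,
                          " ".join(parts[9:])))
    return rules


def wildcard_accepts(rules):
    """ACCEPT rules in zone allow chains that carry no destination-port match.

    Any such rule opens every port for its protocol, whatever the zone's
    `ports:` and `services:` lines claim."""
    return [r for r in rules
            if ZONE_ALLOW_CHAIN.match(r.chain)
            and r.target == "ACCEPT"
            and r.proto in ("tcp", "udp", "all")
            and r.dports() is None]


def accepting_rule(rules, proto, port):
    """First rule in a zone allow chain that would ACCEPT a new proto/port connection.

    iptables is first-match, so a port-less rule near the top shadows every
    port-specific rule below it."""
    for r in rules:
        if not ZONE_ALLOW_CHAIN.match(r.chain) or r.target != "ACCEPT":
            continue
        if r.proto not in (proto, "all"):
            continue
        ports = r.dports()
        if ports is None or port in ports:
            return r
    return None


if __name__ == "__main__":
    rules = parse_listing(SAMPLE_LISTING)
    for r in wildcard_accepts(rules):
        print(f"port-less ACCEPT in {r.chain}: proto={r.proto} match='{r.match}' pkts={r.pkts}")
    hit = accepting_rule(rules, "tcp", 4506)
    print("tcp/4506 accepted by:", hit.match if hit else "nothing (falls through to REJECT)")
```

Two caveats follow from that rule. Because it is rate-limited (25 per minute, burst 100), the port looks open until the burst is spent and then appears filtered for a while, which is the classic shape of an intermittent "telnet connects sometimes" report; counters in `iptables -nvL` are the ground truth, not the zone listing. And since iptables stops at the first match, the rule also shadows every port-specific rule beneath it, so the zone's `ports:` line is decorative for TCP as long as the rule is in place. To trace its origin, compare runtime and permanent state (`firewall-cmd --list-all` against `firewall-cmd --permanent --list-all`) and check `firewall-cmd --direct --get-all-rules`; a rule that sits in IN_public_allow but appears in neither was most likely inserted with iptables by hand and will disappear on `firewall-cmd --reload`, which is exactly the "was the firewall altered manually?" question raised in the comments.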

Chain FWDO_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain FWDO_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0 [goto]

Chain INPUT_direct (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0
3 252 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:636 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:389 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7902 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8014 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7903 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8089 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7899 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7898 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7900 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52311 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:7901 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1584 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1585 ctstate NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:463 ctstate NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 ctstate NEW

Chain IN_public_deny (1 references)
pkts bytes target prot opt in out source destination

Chain IN_public_log (1 references)
pkts bytes target prot opt in out source destination

Chain OUTPUT_direct (1 references)
pkts bytes target prot opt in out source destination






linux centos7 firewalld






edited Apr 5 at 18:17
Adam vonNieda

asked Apr 5 at 18:03
Adam vonNieda

  • Did someone manually alter the firewall? Check with iptables -nvL
    – Michael Hampton
    Apr 5 at 18:15

  • @Michael Hampton - Added the output to my question, but I'm not sure what to look for. I did not install this OS, so it's possible it was changed manually.
    – Adam vonNieda
    Apr 5 at 18:18

  • I see nothing here that would allow incoming traffic to port 4506. Exactly how are you testing this?
    – Michael Hampton
    Apr 5 at 18:21

  • A simple "telnet <hostname> 4506" from a Windows machine
    – Adam vonNieda
    Apr 5 at 18:21

  • I've also done a tcpdump on the server to validate that I am in fact hitting that port on that server. I did see traffic over port 4506.
    – Adam vonNieda
    Apr 5 at 18:50


1 Answer

This seems to be the rule that allows such traffic:

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100

Starting from the INPUT chain:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
28874 7345K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
205 36869 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_direct all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 INPUT_ZONES_SOURCE all -- * * 0.0.0.0/0 0.0.0.0/0
112 11773 INPUT_ZONES all -- * * 0.0.0.0/0 0.0.0.0/0

Note INPUT_ZONES_SOURCE and INPUT_ZONES. INPUT_direct is empty, so nothing before them denied/rejected anything.

Chain INPUT_ZONES_SOURCE (1 references)
pkts bytes target prot opt in out source destination
5 372 IN_public all -- * * 156.9.122.0/24 0.0.0.0/0

Chain INPUT_ZONES (1 references)
pkts bytes target prot opt in out source destination
112 11773 IN_public all -- + * 0.0.0.0/0 0.0.0.0/0 [goto]

Both chains call IN_public. In this case the source is in 156.9.122.0/24, so INPUT_ZONES_SOURCE is used. Had it not been, INPUT_ZONES would have been called with identical results. Basically INPUT_ZONES_SOURCE is doing nothing in this config, but the presence of a [goto] in one could make a difference if the rules change.

Chain IN_public (2 references)
pkts bytes target prot opt in out source destination
117 12145 IN_public_log all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_deny all -- * * 0.0.0.0/0 0.0.0.0/0
117 12145 IN_public_allow all -- * * 0.0.0.0/0 0.0.0.0/0

IN_public_log and IN_public_deny are empty, so they do nothing. Thus IN_public_allow is reached:

Chain IN_public_allow (1 references)
pkts bytes target prot opt in out source destination
93 7084 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 25/min burst 100

All IPs and all tcp ports are accepted with some rate limits. Due to INPUT_ZONES this is true for all sources, not just 156.9.122.0/24, so things seem worse than you may have thought.

Disclaimer: programmatically generated iptables rules make my eyes bleed so I could very well be wrong.






  • Thanks for the info, so do you know what I would need to do to fix it? Could it be fixed via firewall-cmd? I'm no iptables expert and agree this is spaghetti that I guess is generated via firewalld.
    – Adam vonNieda
    Apr 5 at 20:57

  • I don't know. I have never used firewalld.
    – Mark Wagner
    Apr 5 at 22:27

  • OK well in that case I think I'll probably disable firewalld and see if I can fix it with straight iptables from scratch. Appreciate the assist.
    – Adam vonNieda
    Apr 6 at 0:34

  • That doesn't look like it came from firewalld at all. Perhaps someone manually inserted it?
    – Michael Hampton
    Apr 6 at 0:52

  • @Michael - Possibly. This OS was not installed by me, and I kind of feel like my best path is to back everything out and start over. I'm comfortable with both firewalld and iptables, but I'm not an expert with either. So I'm gonna clear the iptables rules, and copy the firewalld zones from a "clean" OS and start fresh. I can handle it from there. Thanks Michael and Mark.
    – Adam vonNieda
    Apr 6 at 3:13

answered Apr 5 at 20:52
Mark Wagner
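The chain walk in the answer above can be mechanised. What follows is an added example, not code from the post, from firewalld or from iptables: it parses an `iptables -nvL` dump, follows a packet from INPUT through INPUT_ZONES_SOURCE / INPUT_ZONES into IN_public with the [goto] semantics the answer mentions, and lists ACCEPT rules that match any source on any interface with no destination port, which is exactly how the `limit: avg 25/min burst 100` rule stands out from the firewalld-generated `dpt:` rules. The dump embedded in the script is a constructed excerpt of the question's own output: the empty chains (INPUT_direct, IN_public_log, IN_public_deny) are omitted and treated as fall-through, and a single dpt:22 rule stands in for the zone's full port list. The Packet tuple, the outside address 203.0.113.5 and the assumption that a `limit` match always matches (it does until the rate is exceeded) are mine.

```python
# Added example, not code from the Server Fault post or from firewalld: parse an `iptables -nvL`
# dump, walk INPUT for a packet as the kernel would (with [goto]), and flag wide-open ACCEPT rules.
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt of the question's own dump. Empty chains (INPUT_direct, IN_public_log,
# IN_public_deny) are omitted and treated as fall-through; dpt:22 stands in for the zone's port list.
SAMPLE_DUMP = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
28874 7345K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  205 36869 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  117 12145 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  117 12145 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  112 11773 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   21  4809 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited
Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
  112 11773 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]
Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination
    5   372 IN_public  all  --  *      *       156.9.122.0/24       0.0.0.0/0           [goto]
Chain IN_public (2 references)
 pkts bytes target     prot opt in     out     source               destination
  117 12145 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  117 12145 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0
  117 12145 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    3   252 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
   93  7084 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 25/min burst 100
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
"""

Rule = namedtuple("Rule", "target prot in_iface source extra goto")
Packet = namedtuple("Packet", "proto src dport ctstate in_iface", defaults=("NEW", "eth0"))
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)")

def parse_dump(text):
    """Return {chain name: {"policy": str or None, "rules": [Rule, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains[m.group(1)] = {"policy": m.group(2), "rules": []}
            continue
        p = line.split()
        if current is None or not p or p[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [matches/options]
        extra = " ".join(p[9:])
        current["rules"].append(Rule(p[2], p[3], p[5], ipaddress.ip_network(p[7]),
                                     extra.replace("[goto]", "").strip(), "[goto]" in extra))
    return chains

def rule_matches(rule, pkt):
    """Evaluate the match columns this dump exposes: prot, in, source, dpt, ctstate."""
    iface = rule.in_iface  # "*" = any; a trailing "+" is a prefix wildcard ("+" alone = any)
    iface_ok = iface == "*" or (pkt.in_iface.startswith(iface[:-1]) if iface.endswith("+")
                                else pkt.in_iface == iface)
    dpt = re.search(r"dpt:(\d+)", rule.extra)
    ct = re.search(r"ctstate (\S+)", rule.extra)
    # assumption: "limit:" is a rate limiter, not a filter, so it matches until exceeded
    return (rule.prot in ("all", pkt.proto) and iface_ok
            and ipaddress.ip_address(pkt.src) in rule.source
            and (not dpt or int(dpt.group(1)) == pkt.dport)
            and (not ct or pkt.ctstate in ct.group(1).split(",")))

def trace(chains, name, pkt):
    """(verdict, chain, rule index) for the first terminal target hit, or None on fall-through."""
    for idx, rule in enumerate(chains[name]["rules"]):
        if not rule_matches(rule, pkt):
            continue
        if rule.target in TERMINAL:
            return rule.target, name, idx
        if rule.target not in chains:
            continue  # non-terminal target such as LOG, or an (empty) chain not in the dump
        result = trace(chains, rule.target, pkt)
        # [goto] hands control to the sub-chain for good: on fall-through it returns to our caller
        if result is not None or rule.goto:
            return result
    return None

def verdict(chains, pkt, entry="INPUT"):
    """Final fate of pkt entering a built-in chain; the chain policy applies on fall-through."""
    return trace(chains, entry, pkt) or (chains[entry]["policy"], entry, None)

def wide_accepts(chains):
    """ACCEPT rules reachable from any source on any interface with no destination port."""
    return [(name, idx, rule.extra)
            for name, chain in chains.items()
            for idx, rule in enumerate(chain["rules"])
            if rule.target == "ACCEPT" and rule.prot != "icmp"
            and rule.in_iface == "*" and rule.source.prefixlen == 0
            and "dpt:" not in rule.extra and "RELATED,ESTABLISHED" not in rule.extra]
```

On a live host, `iptables -nvL > dump.txt` and pass the file contents to parse_dump. Tracing tcp/4506 from inside 156.9.122.0/24 and from an outside address both end at IN_public_allow rule 0, which is the answer's point that the hole is not limited to the zone's source range. Popping that rule out of the parsed IN_public_allow chain and tracing again sends tcp/4506 down to the REJECT at the end of INPUT while tcp/22 is still accepted, which is the behaviour the firewalld zone definition actually describes; since the rule carries no dpt, ctstate or comment, wide_accepts is the quick check for whether a box has picked up a hand-inserted rule of this kind.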












