I've been using iptables for a long time, but have never used firewalld until recently. I have enabled port 3000 TCP via firewalld with the following command:
# firewall-cmd --zone=public --add-port=3000/tcp --permanent
However, I can't access the server on port 3000. From an external box:
telnet 178.62.16.244 3000
Trying 178.62.16.244...
telnet: connect to address 178.62.16.244: Connection refused
There are no routing issues: I have a separate rule for a port forward from port 80 to port 8000 which works fine externally. My app is definitely listening on the port too:
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:3000 0.0.0.0:* LISTEN 99 36797 18662/node
firewall-cmd doesn't seem to show the port either - see how ports is empty. You can see the forward rule I mentioned earlier.
# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports: port=80:proto=tcp:toport=8000:toaddr=
icmp-blocks:
rich rules:
However, I can see the rule in the XML config file:
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<port protocol="tcp" port="3000"/>
<forward-port to-port="8000" protocol="tcp" port="80"/>
</zone>
What else do I need to do to allow access to my app on port 3000?
Also: is adding access via a port the correct thing to do? Or should I make a firewalld 'service' for my app instead?
Using the --permanent flag writes your changes to the persistent configuration, but not the running configuration. Run the same command again without the --permanent flag to have it take effect immediately.
Beginning with RHEL 7.1 and current versions of Fedora, you can also copy the running configuration to the permanent configuration with:
Weirdly, the rule only seemed to be written out to the config file, and not applied immediately. I had to reload the firewall:
After this, the rule then showed up:
The port is now accessible.
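As an added example (not from the question or any of the answers above), here is a small POSIX shell check for the runtime/permanent mismatch the answers describe: it lists ports declared in the zone XML that are absent from the runtime port list. The inputs are constructed copies of the question's data; on a real host you would pass the output of firewall-cmd --list-ports and the zone file instead.

```shell
#!/bin/sh
# Added example: detect ports present in the permanent zone XML but missing
# from the runtime configuration, i.e. the state left behind by
# `firewall-cmd --add-port=... --permanent` without a reload.

# Constructed sample: what `firewall-cmd --zone=public --list-ports` printed
# in the question (empty, because the runtime config never got the port).
RUNTIME_PORTS=""

# Constructed sample: trimmed copy of /etc/firewalld/zones/public.xml.
PERMANENT_XML='<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<service name="ssh"/>
<port protocol="tcp" port="3000"/>
<forward-port to-port="8000" protocol="tcp" port="80"/>
</zone>'

# Print each <port .../> entry of the zone XML as "port/proto", one per line.
# <forward-port .../> lines are deliberately skipped; attribute order is
# irrelevant because each attribute is extracted separately.
permanent_ports() {
    printf '%s\n' "$1" | grep '^[[:space:]]*<port ' | while IFS= read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*[[:space:]]port="\([^"]*\)".*/\1/p')
        proto=$(printf '%s\n' "$line" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# Print every permanent port that is not in the space-separated runtime list.
# $1 = runtime port list (format of `firewall-cmd --list-ports`), $2 = zone XML.
missing_from_runtime() {
    runtime="$1"; xml="$2"
    for p in $(permanent_ports "$xml"); do
        case " $runtime " in
            *" $p "*) ;;                 # already active at runtime
            *) printf '%s\n' "$p" ;;     # permanent only: needs a reload
        esac
    done
}

# On the constructed data this prints "3000/tcp". On a live host:
#   missing_from_runtime "$(firewall-cmd --zone=public --list-ports)" \
#                        "$(cat /etc/firewalld/zones/public.xml)"
missing_from_runtime "$RUNTIME_PORTS" "$PERMANENT_XML"
```

Any port it prints is in the file but not in the running ruleset, which is exactly what `firewall-cmd --reload` (or re-running the add-port command without --permanent) fixes.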
Leaving this note as my issue was not resolved till I restarted the systemctl with
sudo systemctl restart firewalld
I had tried all the above stuff. Rebooted the vm. I even set the rules in VNIC. But it was resolved only after restarting the service.
Environment: Oracle Cloud Network VM: Compute Instance (Developer with Oracle Linux 8)
A restart is required to apply the changes you made.