MSemochkin asked:
Please help to understand why FirewallD allows me to connect to one port but blocks the second.
There is a Docker container with transmission:
5cf144eed6f2 maksim77/transmission "/bin/sh -c 'transmis" 14 hours ago Up 16 minutes 0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp transmission
Neither port (9091 or 51413) is listed in the FirewallD rules:
# firewall-cmd --list-all-zones | grep active
public (default, active)
trusted (active)
# firewall-cmd --list-all --zone trusted
trusted (active)
interfaces: docker0
sources:
services:
ports: 4243/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
# firewall-cmd --list-all --zone public
public (default, active)
interfaces: enp9s0
sources:
services: dhcpv6-client ftp http ssh
ports: 41387/tcp 1900/udp 50213/tcp 8200/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
But! The connection is successful for port 9091 but not for port 51413. Port 51413 is available only for 127.0.0.1.
My answer:
You don’t see these in firewalld because Docker opens the ports itself, outside of firewalld.
To see what Docker is doing, run:
iptables -L DOCKER
iptables -t nat -L DOCKER
Docker will open firewall ports itself for any port your containers EXPOSE, unless you explicitly disable this. It also allows containers which need to communicate with each other to do so, so you should leave this enabled unless you really know what you’re doing.
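As an added example (not part of the answer above or of Docker's or firewalld's own tooling), a small POSIX shell helper that parses the output of `iptables -t nat -L DOCKER -n` and reports which host ports Docker has published that do not appear in a firewalld zone's `ports:` line. The iptables output and the firewalld port list below are constructed samples matching the container and zone in the question; on a live host you would pass `"$(iptables -t nat -L DOCKER -n)"` instead.

```shell
# Constructed sample of `iptables -t nat -L DOCKER -n` for the transmission
# container (host ports 9091 and 51413 DNATed to a hypothetical 172.17.0.2).
SAMPLE_NAT_DOCKER='Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9091 to:172.17.0.2:9091
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413 to:172.17.0.2:51413'

# Constructed: the "ports:" line of `firewall-cmd --list-all --zone public` from the question.
SAMPLE_FIREWALLD_PORTS='41387/tcp 1900/udp 50213/tcp 8200/tcp'

# Print one "port/proto -> container:port" line per DNAT rule in the DOCKER nat chain.
# Column layout of `iptables -n`: target prot opt source destination [match fields...]
docker_published_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "DNAT" {
            port = ""; dest = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dpt:/) { split($i, d, ":"); port = d[2] }
                if ($i ~ /^to:/)  { sub(/^to:/, "", $i); dest = $i }
            }
            print port "/" $2 " -> " dest
        }'
}

# Print every port/proto Docker publishes that is absent from the given
# space-separated firewalld port list: these are open without firewalld showing them.
docker_ports_missing_from_firewalld() {
    nat_output=$1
    fw_ports=$2
    docker_published_ports "$nat_output" | while read -r entry arrow dest; do
        case " $fw_ports " in
            *" $entry "*) ;;                # firewalld lists it as well
            *) printf '%s\n' "$entry" ;;    # opened by Docker only
        esac
    done
}

docker_ports_missing_from_firewalld "$SAMPLE_NAT_DOCKER" "$SAMPLE_FIREWALLD_PORTS"
```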
View the full question and any other answers on Server Fault.
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.