firewall confusion - what is controlling port access?

Support for security such as Firewalls and securing linux
dukevn
Posts: 2
Joined: 2022/06/14 15:26:02

firewall confusion - what is controlling port access?

Post by dukevn » 2022/06/14 15:59:47

Hi everyone,

I am really confused about the firewall and how to control port access. My initial thought was that it was the firewall (for example firewalld) which controls port access to the system. However, it seems that I was wrong. My system is CentOS 7.8:

$ cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)

and I am able to access it locally from another machine on the same network using ssh:

[user@master:~]$ ssh 192.168.0.3
user@192.168.0.3's password: 
Last login: Wed Jun 15 05:43:32 2022 from master
[user@master3 ~]$ 

However, the firewalld service is dead at the moment:

[root@master3 user]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Tue 2022-06-14 20:33:43 +07; 9h ago
     Docs: man:firewalld(1)
  Process: 29928 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 29928 (code=exited, status=0/SUCCESS)

and iptables is not installed:

# systemctl status iptables
Unit iptables.service could not be found.

SELinux is still enforcing:

# cat /etc/sysconfig/selinux 
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

From the master machine, I tested the open ports and found out that 22 is open and 80 is not:

[user@master:~]$ telnet 192.168.0.3 80
Trying 192.168.0.3...
telnet: connect to address 192.168.0.3: Connection refused
[user@master:~]$ telnet 192.168.0.3 22
Trying 192.168.0.3...
Connected to 192.168.0.3.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.4

So my question is: if firewalld is dead, what is controlling port access to the machine? Why is port 22 open and 80 not?

Thank you,

D.

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall confusion - what is controlling port access?

Post by TrevorH » 2022/06/14 16:54:28

Something has to be running and listening on port 80 in order for you to be able to access it. Is it?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall confusion - what is controlling port access?

Post by jlehtone » 2022/06/15 06:22:42

"Multiple layers of defense"

A running process may listen on a port. Most of these are services. You can see which process listens on which port with:

sudo ss -tulpn
# and filter that to see a specific port:
sudo ss -tulpn | grep ":22 "

The running services and sessions can be seen with:

systemctl status

The sshd.service is installed, enabled, and started by default, even with a minimal install. The httpd.service is not.

SELinux sits between a process and a port. SELinux can deny a process from listening on a port.

When no process is listening on a port (be it not started or blocked by SELinux), the kernel sends "nobody here" replies to incoming connection attempts.

That is, if those connection attempts do reach the port. The firewall is a filter that sits between the outside and the port. Its rules determine whether the packets reach the port at all. The default rule (in CentOS) is to block incoming packets and send an "I'm not talking to you" reply. There is a specific rule by default to allow packets to reach tcp/22, the port sshd listens on.

Therefore, if the firewall is "down", then all packets do reach all ports, but what happens is up to whoever is there to reply.


PS. CentOS 7 is currently based on the sources of RHEL 7.9. Both at the release of CentOS 7.9 and during the years since, several security flaws have been identified and fixed. You lack all those updates since you have not done yum update.

dukevn
Posts: 2
Joined: 2022/06/14 15:26:02

Re: firewall confusion - what is controlling port access?

Post by dukevn » 2022/06/17 04:34:01

Thanks jlehtone and TrevorH, your replies really cleared up the confusion for me. I did not know that there is a special rule by default to allow packets to reach tcp/22 no matter whether firewalld is dead or active. I tried installing httpd and tried telnet to the server on port 80. The connection was successful if firewalld was dead, and was denied when firewalld was active.

D.

jlehtone
Posts: 4523
Joined: 2007/12/11 08:17:33
Location: Finland

Re: firewall confusion - what is controlling port access?

Post by jlehtone » 2022/06/17 06:26:41

Yes, the default configuration of firewalld.service does use the zone 'public'.
The 'public' zone has the service 'ssh'. The service 'ssh' allows traffic to port 22/tcp.
You can check that and get something like:


# firewall-cmd --get-active-zones 
public
  interfaces: eno1

# firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
# firewall-cmd --info-service=ssh
ssh
  ports: 22/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
There are many predefined services, including 'http':


# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

# firewall-cmd --info-service=http
http
  ports: 80/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
Check '--add-service' in man firewall-cmd.
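The following script is an added example and not code from the thread or from firewalld itself. It ties together the layered model from jlehtone's earlier reply (firewall filter, then listening process, then the kernel's "nobody here" reply) with the zone and service definitions shown above: for one TCP port it decides which layer would answer a connection attempt. Both inputs are constructed samples that mirror the thread (only sshd listens; zone 'public' allows only the 'ssh' and 'dhcpv6-client' services); the service-to-port table is a four-entry subset of firewalld's predefined services, and the FIREWALLD_STATE values are the two strings `firewall-cmd --state` prints.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): decide, for one TCP port, which of the
# three layers answers a connection attempt:
#   1. firewalld zone rules      (does the packet reach the port at all?)
#   2. a listening process       (is anyone there?)
#   3. otherwise the kernel      (RST -> "Connection refused")

# Constructed sample of `sudo ss -tulpn`; replace with live output to use for real.
SS_SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*    users:(("chronyd",pid=712,fd=5))
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=1045,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=1045,fd=4))'

# Constructed sample of `sudo firewall-cmd --info-zone=public` (matches the thread).
ZONE_SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eno1
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no'

# What `firewall-cmd --state` prints: "running" or "not running".
FIREWALLD_STATE="${FIREWALLD_STATE:-running}"

# Subset of firewalld's predefined service -> port definitions
# (what `firewall-cmd --info-service=<name>` reports); only these four are mapped.
SERVICE_PORTS='ssh=22/tcp http=80/tcp https=443/tcp dhcpv6-client=546/udp'

# Name of the process listening on tcp/$1, or nothing if no socket is bound.
listener_for() {
  printf '%s\n' "$SS_SAMPLE" | awk -v port="$1" '
    $1 == "tcp" && $2 == "LISTEN" {
      n = split($5, a, ":")                       # last field of "0.0.0.0:22" / "[::]:22"
      if (a[n] == port && match($0, /"[^"]+"/)) {
        print substr($0, RSTART + 1, RLENGTH - 2) # first quoted name, e.g. sshd
        exit
      }
    }'
}

# "yes" if the zone lets tcp/$1 in (via a service or an explicit port entry), else "no".
zone_allows() {
  printf '%s\n' "$ZONE_SAMPLE" | awk -v port="$1" -v map="$SERVICE_PORTS" '
    BEGIN { n = split(map, kv, " "); for (i = 1; i <= n; i++) { split(kv[i], p, "="); svc[p[1]] = p[2] } }
    $1 == "services:" { for (i = 2; i <= NF; i++) if (svc[$i] == port "/tcp") found = 1 }
    $1 == "ports:"    { for (i = 2; i <= NF; i++) if ($i == port "/tcp") found = 1 }
    END { print (found ? "yes" : "no") }'
}

# Walk the layers in the order a packet meets them: firewall, then socket, then kernel.
# $1 = port, $2 = firewalld state (defaults to FIREWALLD_STATE).
classify() {
  port="$1"; state="${2:-$FIREWALLD_STATE}"
  if [ "$state" = "running" ] && [ "$(zone_allows "$port")" = "no" ]; then
    echo "filtered: firewalld (zone public) rejects tcp/$port before any socket sees it"
    return 0
  fi
  proc="$(listener_for "$port")"
  if [ -z "$proc" ]; then
    echo "closed: nothing listens on tcp/$port; the kernel answers with RST (Connection refused)"
  else
    echo "open: $proc is listening on tcp/$port"
  fi
}

# Reproduce the thread's observations.
classify 22 running          # sshd answers whether or not firewalld is running
classify 80 running          # firewalld active, port 80 not in the zone: filtered
classify 80 "not running"    # firewalld dead, no httpd: the kernel refuses
```

The order of the checks is the point: the firewall is consulted first because a rejected packet never reaches a socket, so SELinux and the listening process are irrelevant for it. From the client side the two failure modes also look different on a default CentOS 7 'public' zone: a port firewalld rejects comes back as an ICMP host-prohibited reply ("No route to host" in telnet), while a port nothing listens on comes back as a TCP RST ("Connection refused"), which is exactly what dukevn saw on port 80 with firewalld dead.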

TrevorH
Site Admin
Posts: 33191
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: firewall confusion - what is controlling port access?

Post by TrevorH » 2022/06/17 08:33:37

> I did not know that there is a special rule by default to allow packets to reach tcp/22 no matter whether firewalld is dead or active.

There isn't. If firewalld is stopped then it takes all its rules away with it. I believe there is a setting that controls whether it does so if it crashes, but that's a different story.
