nmap and firewalld give conflicting statements

xywojtek
Posts: 5
Joined: 2020/02/21 06:56:54


Post by xywojtek » 2020/02/25 16:15:36

Hi everyone,

I am trying to understand what is going on with my CentOS 8 on Google Cloud Platform. The goal is to set up a VPN + Pi-hole.

Have a look below at what nmap gives me vs. firewall-cmd. Nmap says 22 and 9090 only, and firewalld says that cockpit (9090), dhcpv6 (53?), ssh (22) and wireguard (51820) are active?

Now:
- cockpit does not work from the outside world, but it does work with local IP when connected through VPN.
- Wireguard VPN definitely works as I can connect to it and then open cockpit locally
- I can ping any domain from shell, but can't go "outside" when connected through VPN

So let's form a couple of questions:
1. nmap and firewalld say that 9090 is opened, but I can't access cockpit from the outside world. Why?
2. Why does nmap not show wireguard?
3. Why can I ping anything from the server, but my peer can't access any website when connected to that server through VPN?


# nmap local...
Starting Nmap 7.70 ( https://nmap.org ) at 2020-02-25 15:32 UTC
Nmap scan report for local... (*.*.0.19)
Host is up (0.0000080s latency).
rDNS record for *.*.0.19: ....internal
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
9090/tcp open zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds


# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: cockpit dhcpv6-client ssh wireguard
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

Thank you in advance

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nmap and firewalld give conflicting statements

Post by TrevorH » 2020/02/25 16:25:34

Are you running nmap from outside the machine in question or on it? If it's on it then your requests get transparently redirected to localhost and everything is allowed.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

xywojtek
Posts: 5
Joined: 2020/02/21 06:56:54

Re: nmap and firewalld give conflicting statements

Post by xywojtek » 2020/02/25 17:02:01

Both commands on the same machine, Trev.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: nmap and firewalld give conflicting statements

Post by TrevorH » 2020/02/25 17:30:41

So then it's expected. Run it from outside to get reliable results.
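
Added example, not part of the original thread: a shell sketch that reconciles the firewalld service list with the TCP ports nmap reported, using the two outputs from the first post as constructed sample input. The function names are hypothetical and the port mapping is an assumption (22, 9090 and 51820 are the values given in the post; 546/udp is firewalld's stock dhcpv6-client definition).

```sh
#!/bin/sh
# Constructed sample input, taken from the outputs in the first post.
FIREWALLD_SERVICES='cockpit dhcpv6-client ssh wireguard'
NMAP_TCP_OPEN='22 9090'

# Port/protocol per service (assumed values, see lead-in). On a live host
# read them with: firewall-cmd --info-service=<name>
service_port() {
    case "$1" in
        ssh)           echo '22/tcp' ;;
        cockpit)       echo '9090/tcp' ;;
        dhcpv6-client) echo '546/udp' ;;
        wireguard)     echo '51820/udp' ;;
        *)             echo 'unknown' ;;
    esac
}

# Classify one allowed service against the TCP ports nmap listed as open.
# nmap without -sU probes TCP only, so a UDP service can never appear there.
classify() {
    svc=$1; open_tcp=$2
    pp=$(service_port "$svc")
    if [ "$pp" = unknown ]; then echo "$svc unknown"; return; fi
    port=${pp%/*}; proto=${pp#*/}
    if [ "$proto" = udp ]; then
        echo "$svc $pp not-covered-by-tcp-scan"; return
    fi
    for p in $open_tcp; do
        if [ "$p" = "$port" ]; then echo "$svc $pp seen"; return; fi
    done
    # Allowed in the zone, but no TCP listener answered the scan.
    echo "$svc $pp allowed-but-no-listener"
}

# Walk every service in the firewalld zone.
reconcile() {
    for svc in $1; do classify "$svc" "$2"; done
}

reconcile "$FIREWALLD_SERVICES" "$NMAP_TCP_OPEN"

# To see what the firewall really exposes, scan from another machine:
#   nmap -Pn -p 22,9090 <external-ip>
#   nmap -sU -p 51820 <external-ip>    # UDP scan, needs root
# WireGuard stays silent to unauthenticated packets, so expect open|filtered.
```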
