Score:1

CentOS 7: firewalld port 80 not being blocked


Why am I able to telnet to my machine on port 80 when I do not have http or port 80 opened and there are no services listening on port 80?

sudo firewall-cmd --list-all --zone=public

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: em1
  sources:
  services: dhcpv6-client ssh
  ports: 12345/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

I've tried to remove the port but it says it's not in the active zone, so shouldn't my telnet connections be rejected?

sudo firewall-cmd --zone=public --remove-port=80/tcp
Warning: NOT_ENABLED: '80:tcp' not in 'public'

I've double-checked and I do not have the iptables service running, only firewalld is running. I'm still not understanding why the iptables command exists or why the iptables file is updated by firewall-cmd commands.

I even tried the "old school" method of just dropping all incoming traffic with:

sudo iptables --policy INPUT DROP

But still telnet to port 80 comes through.

diya
`sudo iptables --policy INPUT DROP` by itself doesn't actually block anything; it only changes what happens last to packets that do not match any rule in the current firewall. But please take a step back: how do you *"telnet to my machine on port 80"*? Because you wouldn't be the first one to forget that their `host.example.com` FQDN isn't directly associated with the server itself and points to, for example, a load balancer or a CDN such as Cloudflare... And what happens when you actually write out an HTTP request in your telnet session? Also: https://serverfault.com/a/1109720/984089
Score:0

First of all, you need to find out whether there really are services listening on port 80. For this, run as root or with sudo:

netstat -nlp | grep :80

Second, list all zones to see in which zone port 80 is added:

firewall-cmd --list-all-zones

And third, in CentOS 7, firewalld acts as a front-end for iptables; that's why you still have the iptables command.
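The three checks above can be scripted so they are applied the same way on every host. The script below is an added example written for this answer, not code from the original thread. It assumes the CentOS 7 tools `ss` (the net-tools `netstat` is not installed by default there; `ss -lntp` gives the same information) and `firewall-cmd --list-all-zones`; because those commands are not available everywhere, it runs here against two constructed samples of their output, which you would replace with the live output on the real machine. It reports every listener bound to the port and every zone that would let the port through, including zones whose target is ACCEPT, which pass all traffic for any interface or source bound to them regardless of their `ports:` line.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): triage "port 80 answers
# although firewalld does not list it".  On a real CentOS 7 host feed the
# functions the live output of `ss -lntp` and `firewall-cmd --list-all-zones`:
#   ss -lntp | listeners_on_port 80
#   firewall-cmd --list-all-zones | zones_with_port 80
# Both samples below are constructed so the script runs offline.

# Constructed sample of `ss -lntp` output: sshd on 22, nginx on 80, a local
# service on 12345.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    *:22                *:*      users:(("sshd",pid=901,fd=3))
LISTEN 0      128    *:80                *:*      users:(("nginx",pid=1200,fd=6))
LISTEN 0      128    127.0.0.1:12345     *:*      users:(("python",pid=1300,fd=4))'

# Constructed, abridged sample of `firewall-cmd --list-all-zones` output.
ZONES_SAMPLE='public (active)
  target: default
  interfaces: em1
  services: dhcpv6-client ssh
  ports: 12345/tcp

trusted
  target: ACCEPT
  interfaces:
  services:
  ports:

internal
  target: default
  interfaces:
  services: ssh mdns samba-client dhcpv6-client
  ports: 80/tcp'

# listeners_on_port PORT  (reads ss -lntp output on stdin)
# Prints the process name of every LISTEN socket bound to PORT on any
# address; ":80$" matches "*:80", "127.0.0.1:80" and "[::]:80" but not ":8080".
listeners_on_port() {
    local port=$1
    awk -v p="$port" '
        $1 == "LISTEN" && $4 ~ (":" p "$") {
            # users:(("nginx",pid=1200,fd=6)) -> nginx ; fall back to the raw field
            if (match($6, /\(\("[^"]+"/)) print substr($6, RSTART + 3, RLENGTH - 4)
            else print $6
        }'
}

# zones_with_port PORT  (reads firewall-cmd --list-all-zones output on stdin)
# Prints "<zone> ports" for every zone whose ports: line opens PORT/tcp and
# "<zone> target-accept" for every zone whose target is ACCEPT.
zones_with_port() {
    local port=$1
    awk -v p="$port" '
        /^[^ \t]/ { zone = $1; next }        # zone header: name at column 0
        $1 == "target:" && $2 == "ACCEPT" { print zone, "target-accept" }
        $1 == "ports:" {
            for (i = 2; i <= NF; i++) if ($i == (p "/tcp")) print zone, "ports"
        }'
}

# Demonstration on the constructed samples.
echo "listeners on :80:"
printf '%s\n' "$SS_SAMPLE" | listeners_on_port 80
echo "zones that would pass :80:"
printf '%s\n' "$ZONES_SAMPLE" | zones_with_port 80
```

If the first function prints a process, the port answers because something is listening and the zone bound to `em1` lets it through; if it prints nothing but the port still answers, check what name you are really connecting to, as the comment above suggests. `iptables -S INPUT` on the host shows the chains firewalld has programmed, which is why the iptables command and its rule file are still present even with the iptables service stopped.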

