Page 1 of 2 (results 1 to 10 of 12)

Thread: firewalld - services on specific port

  1. #1
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,026

    Default firewalld - services on specific port

    Hello.

    I can't use telnet on the configured port.

    I have copied /usr/lib/firewalld/services/ssh.xml and /usr/lib/firewalld/services/telnet.xml to /etc/firewalld
    /etc/firewalld/services/ssh.xml is modified to use tcp port 12345
    /etc/ssh/ssh_config is modified to use port 12345
    /etc/ssh/sshd_config is modified to use port 12345
    /etc/firewalld/services/telnet.xml is modified to use port 12346

    firewalld has been restarted

    I can ssh between computers on port 12345 (that is correct)
    I can't ssh using port 12346 (that is correct)

    I cannot telnet on port 12346 (that is incorrect)
    But I can telnet on port 12345 (that is incorrect)

    Code:
    user@ASUS:~> telnet 192.168.130.123 12346
    Trying 192.168.130.123...
    telnet: connect to address 192.168.130.123: Connection refused
    user_install@ASUS-G75VW-JC:~>
    Code:
    user@ASUS:~> telnet 192.168.130.123 12345
    Trying 192.168.130.123...
    Connected to 192.168.130.123.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_7.6
    ^]
    telnet> quit
    Connection closed.
    Code:
    user@ASUS:~> firewall-cmd --list-all
    internal (active)
      target: default
      icmp-block-inversion: no
      interfaces: gvw_eth0
      sources: 
      services: ssh mdns minidlna telnet
      ports: 
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules:
    Any help is welcome
    Thanks for helping. JCD
    __________

    server leap 15-- ASUS g75vw KDE leap 42.3 -- ASUS g750JZ KDE leap 42.3 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  2. #2
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,193
    Blog Entries
    1

    Default Re: firewalld - services on specific port

    Please share your running firewall rules as reported by
    Code:
    iptables -S
    openSUSE Leap 15.0; KDE Plasma 5

  3. #3
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,193
    Blog Entries
    1

    Default Re: firewalld - services on specific port

    Also, your listening services...
    Code:
    sudo lsof -i -n -P
    openSUSE Leap 15.0; KDE Plasma 5

  4. #4
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,370
    Blog Entries
    3

    Default Re: firewalld - services on specific port

    Quote Originally Posted by jcdole View Post
    Code:
    user@ASUS:~> telnet 192.168.130.123 12346
    Trying 192.168.130.123...
    telnet: connect to address 192.168.130.123: Connection refused
    user_install@ASUS-G75VW-JC:~>
    That's not a firewall problem. The "Connection refused" indicates that you do not have a server listening on port 12346. If the firewall were blocking access, you would instead get a timeout.

    Code:
    user@ASUS:~> telnet 192.168.130.123 12345
    Trying 192.168.130.123...
    Connected to 192.168.130.123.
    Escape character is '^]'.
    SSH-2.0-OpenSSH_7.6
    ^]
    telnet> quit
    Connection closed.
    That's working normally. You have "sshd" listening on port 12345, and "telnet" connected to that port. By design, "telnet" can connect to any port. It won't be able to run a full telnet session on port 12345, because you do not have a telnet service listening on the port. Instead, you have an "sshd" service. So "telnet" gets the banner message, after which you quit. Since the port is open for "ssh", that allows "telnet" to connect.

    It looks to me as if everything is working as you wanted, except that you have not started a telnetd listen process on port 12346.
    openSUSE Leap 15.1; KDE Plasma 5;
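The three outcomes this reply distinguishes can be reproduced without a second machine. The script below is an added example, not code from the thread or from openSUSE: a plain TCP client gets "Connection refused" when the host is up but nothing listens on the port (the kernel answers with RST), hangs until its timeout when a firewall DROPs the SYN, and, if anything at all is listening, connects and reads whatever that listener sends first, which is why telnet to sshd's port prints the SSH-2.0 line. The loopback listener is a constructed stand-in for the sshd on 192.168.130.123:12345 in post #1; the banner text is copied from that post.

```python
"""Added example (not from the thread): classify a TCP port the way the
replies above do, and show why telnet "works" against an sshd port."""
import socket
import threading


def probe(host, port, timeout=3.0):
    """Classify host:port as seen from this client.

    Returns (state, detail):
      ("open", banner)        something accepted the connection; banner is the
                              first line it sent (empty if it waits for us)
      ("closed", None)        RST received: host reachable, no listener there
      ("filtered", None)      no reply within timeout: typical of a DROP rule
      ("unreachable", errno)  an ICMP error or no route came back at once;
                              a REJECT rule shows up here as "No route to host"
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                data = s.recv(256)
            except socket.timeout:
                data = b""
            return "open", data.split(b"\r\n")[0].decode("ascii", "replace")
    except ConnectionRefusedError:
        return "closed", None
    except socket.timeout:
        return "filtered", None
    except OSError as e:
        return "unreachable", e.errno


def start_banner_listener(banner=b"SSH-2.0-OpenSSH_7.6\r\n"):
    """Constructed stand-in for sshd: serve one connection on an ephemeral
    loopback port, send the banner, and close.  Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_loopback_port():
    """Ask the kernel for a free loopback port and release it again, so a
    connect to it gets RST: the 'Connection refused' case from the thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    open_port = start_banner_listener()
    print(open_port, probe("127.0.0.1", open_port))      # ('open', 'SSH-2.0-OpenSSH_7.6')
    closed_port = unused_loopback_port()
    print(closed_port, probe("127.0.0.1", closed_port))  # ('closed', None)
    # Against the server in the thread you would run, from the client box:
    #   probe("192.168.130.123", 12346)  -> ('closed', None) until something listens there
    #   probe("192.168.130.123", 12345)  -> ('open', 'SSH-2.0-OpenSSH_7.6')
```

The "filtered" branch cannot be shown on loopback; it is what you see when a zone's target drops the packet, and it is the only one of the four results that actually points at the firewall. "Connection refused" and "No route to host" both mean the packet reached the host or a rule that answered it.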

  5. #5
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,193
    Blog Entries
    1

    Default Re: firewalld - services on specific port

    Quote Originally Posted by nrickert View Post
    It looks to me as if everything is working as you wanted, except that you have not started a telnetd listen process on port 12346.
    Yes, the lsof output will confirm that.
    openSUSE Leap 15.0; KDE Plasma 5

  6. #6
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,026

    Default Re: firewalld - services on specific port

    Quote Originally Posted by deano_ferrari View Post
    Yes, the lsof output will confirm that.

    Code:
    user_install@ASUS-G75VW-JC:~> sudo lsof -i -n -P
    COMMAND    PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    wickedd-d 1561         root    8u  IPv4  32113      0t0  UDP *:68 
    avahi-dae 1595        avahi   11u  IPv4  26903      0t0  UDP *:5353 
    avahi-dae 1595        avahi   12u  IPv4  24114      0t0  UDP *:43347 
    cupsd     1596         root    7u  IPv4  31540      0t0  TCP 127.0.0.1:631 (LISTEN)
    chronyd   2541       chrony    1u  IPv4  24552      0t0  UDP 127.0.0.1:323 
    sshd      2598         root    3u  IPv4  36066      0t0  TCP *:12345 (LISTEN)
    minidlnad 2611         root    6u  IPv4  36073      0t0  UDP 239.255.255.250:1900 
    minidlnad 2611         root    7u  IPv4  36074      0t0  TCP *:12348 (LISTEN)
    minidlnad 2611         root   12u  IPv4  37046      0t0  UDP 192.168.130.80:51364 
    kdeconnec 3051 user_install   12u  IPv4  34452      0t0  UDP *:1716 
    kdeconnec 3051 user_install   13u  IPv4  38539      0t0  TCP *:1716 (LISTEN)
    kdeconnec 3327         root   11u  IPv4  36610      0t0  UDP *:1716 
    kdeconnec 3327         root   12u  IPv4  36614      0t0  TCP *:1717 (LISTEN)
    firefox   4719 user_install   69u  IPv4  52643      0t0  TCP 192.168.130.80:32866->172.217.19.35:443 (ESTABLISHED)
    firefox   .......................
    firefox   .......................
    firefox   .......................
    firefox   4719 user_install  144u  IPv4  55333      0t0  TCP 192.168.130.80:48154->2.22.129.52:443 (ESTABLISHED)
    telnet    4920 user_install    3u  IPv4  55425      0t0  TCP 192.168.130.80:44860->192.168.130.123:12345 (ESTABLISHED)
    Thanks for helping. JCD
    __________

    server leap 15-- ASUS g75vw KDE leap 42.3 -- ASUS g750JZ KDE leap 42.3 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  7. #7
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,026

    Default Re: firewalld - services on specific port

    Quote Originally Posted by nrickert View Post
    ..........
    .........
    By design, "telnet" can connect to any port. It won't be able to run a full telnet session on port 12345, because you do not have a telnet service listening on the port. Instead, you have an "sshd" service. So "telnet" gets the banner message, after which you quit. Since the port is open for "ssh", that allows "telnet" to connect.
    ............
    I did not know that.

    So in firewalld the telnet XML file is more for the telnet-server service.
    So as I don't need a telnet server, I have nothing to configure for the telnet client.
    Isn't it?
    Thanks for helping. JCD
    __________

    server leap 15-- ASUS g75vw KDE leap 42.3 -- ASUS g750JZ KDE leap 42.3 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  8. #8
    Join Date
    Jun 2008
    Location
    Auckland, NZ
    Posts
    20,193
    Blog Entries
    1

    Default Re: firewalld - services on specific port

    So you have sshd listening on port 12345
    Code:
    sshd      2598         root    3u  IPv4  36066      0t0  TCP *:12345 (LISTEN)
    That explains your telnet probe results to this port. Also, nothing is listening on port 12346 so that explains the 'Connection Refused' result.
    openSUSE Leap 15.0; KDE Plasma 5

  9. #9
    Join Date
    Jun 2008
    Location
    South-West France
    Posts
    1,026

    Default Re: firewalld - services on specific port

    Now I try to forbid telnet with this command on 2 computers:
    Code:
    firewall-cmd --permanent --remove-service=telnet
    After reloading I can still telnet between the 2 computers.

    Is it possible to block the telnet service?
    Thanks for helping. JCD
    __________

    server leap 15-- ASUS g75vw KDE leap 42.3 -- ASUS g750JZ KDE leap 42.3 -- acer aspire s13 win 10 home -- HP Omen win 10 home - scan EPSON V500 - Brother HL2250DN - Samsung CLP-325W

  10. #10
    Join Date
    Aug 2010
    Location
    Chicago suburbs
    Posts
    12,370
    Blog Entries
    3

    Default Re: firewalld - services on specific port

    Quote Originally Posted by jcdole View Post
    So as I don't need a telnet server, I have nothing to configure for the telnet client.
    Isn't it?
    Right. There's nothing to do there.

    You probably don't even have "telnet-server" installed. I don't think it is part of a standard install.

    Just think of the telnet program as a useful all-purpose tcp client for testing connections to various ports. That's how I use it. And there's nothing to firewall there.
    openSUSE Leap 15.1; KDE Plasma 5;
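Two things in this thread are worth seeing in working code: the custom service files from post #1 (a copy of the stock ssh.xml and telnet.xml placed under /etc/firewalld/services with the port changed) and the question in post #9 of why removing the telnet service does not stop telnet between the two machines. The script below is an added example, not code from the thread or from firewalld. firewalld ships stock definitions as /usr/lib/firewalld/services/NAME.xml and prefers a file of the same name in /etc/firewalld/services/, which is why the edited copy re-points the "ssh" service at 12345/tcp; and a service entry only ever adds an inbound allow rule, so removing "telnet" closes 12346/tcp inbound and leaves an outgoing telnet client untouched. The `<service>`/`<short>`/`<description>`/`<port>` layout is firewalld's own; the directory arguments and the demo tree are this example's, so it runs in a scratch directory without touching /etc.

```python
"""Added example (not from the thread): write firewalld service files and
resolve a zone's 'services:' line to the inbound ports it opens."""
import os
import tempfile
import xml.etree.ElementTree as ET

STOCK_DIR = "/usr/lib/firewalld/services"   # firewalld's shipped definitions
LOCAL_DIR = "/etc/firewalld/services"       # local overrides, same file names


def write_service(services_dir, name, ports, short=None, description=""):
    """Write <services_dir>/<name>.xml in firewalld's service format.
    ports: list of (protocol, port) pairs such as [("tcp", "12345")]."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short or name
    ET.SubElement(root, "description").text = description
    for proto, port in ports:
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    os.makedirs(services_dir, exist_ok=True)
    path = os.path.join(services_dir, name + ".xml")
    ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True)
    return path


def service_ports(name, dirs=(LOCAL_DIR, STOCK_DIR)):
    """(protocol, port) pairs of one service.  The first directory holding
    NAME.xml wins, mirroring firewalld's /etc-over-/usr/lib precedence.
    Only <port> elements are read; <protocol> and <module> entries are
    ignored, which is enough for the ssh/telnet files in the thread."""
    for d in dirs:
        path = os.path.join(d, name + ".xml")
        if os.path.isfile(path):
            root = ET.parse(path).getroot()
            return {(p.get("protocol"), p.get("port")) for p in root.iter("port")}
    raise FileNotFoundError(f"no service definition for {name!r} in {dirs}")


def zone_inbound_ports(services, dirs=(LOCAL_DIR, STOCK_DIR)):
    """Union of inbound ports opened by a zone's service list (the
    'services:' line of firewall-cmd --list-all).  Nothing here affects
    outbound connections: that is the answer to post #9."""
    allowed = set()
    for name in services:
        allowed |= service_ports(name, dirs)
    return allowed


def build_demo_tree(base=None):
    """Constructed stand-in for the two directories: stock ssh/telnet on
    their default ports, local overrides on 12345 and 12346 as in post #1.
    Returns (local_dir, stock_dir)."""
    base = base or tempfile.mkdtemp(prefix="firewalld-demo-")
    stock, local = os.path.join(base, "stock"), os.path.join(base, "local")
    write_service(stock, "ssh", [("tcp", "22")], "SSH")
    write_service(stock, "telnet", [("tcp", "23")], "Telnet")
    write_service(local, "ssh", [("tcp", "12345")], "SSH")
    write_service(local, "telnet", [("tcp", "12346")], "Telnet")
    return local, stock


if __name__ == "__main__":
    local, stock = build_demo_tree()
    print("ssh resolves to", service_ports("ssh", (local, stock)))   # {('tcp', '12345')}
    print("zone with ssh+telnet opens", zone_inbound_ports(["ssh", "telnet"], (local, stock)))
    print("after --remove-service=telnet:", zone_inbound_ports(["ssh"], (local, stock)))
    # On the real box, after writing the file into /etc/firewalld/services/:
    #   firewall-cmd --permanent --zone=internal --add-service=ssh
    #   firewall-cmd --reload
    #   firewall-cmd --info-service=ssh     # should list ports: 12345/tcp
```

Run against the real directories by calling `service_ports("ssh")` with the defaults; it will show whichever copy firewalld is actually using. The remaining reason telnet still connects after `--remove-service=telnet` is visible in the result: 12345/tcp stays open through the "ssh" service, and telnet is only a client talking to whatever listens there.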
