I’ve got a server - running Leap 15.3 - with three network cards - eth0, eth1, and eth2 - where eth0 and eth1 are in a bond (bond0). Both bond0 and eth2 have fixed IP addresses, 10.0.0.20/24 and 10.0.0.21/24, respectively. All interfaces are covered by the same active zone in the firewall, public. If I look at which ports are open, I get:
$ nmap -r 10.0.0.21
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-15 10:58 CET
Nmap scan report for 10.0.0.21
Host is up (0.58s latency).
Not shown: 995 filtered ports
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   closed http
443/tcp  closed https
3000/tcp open   ppp
9080/tcp open   glrpc
Nmap done: 1 IP address (1 host up) scanned in 69.54 seconds
$ nmap -r 10.0.0.20
Starting Nmap 7.80 ( https://nmap.org ) at 2021-12-15 11:00 CET
Nmap scan report for 10.0.0.20
Host is up (0.0031s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 0.17 seconds
Why are there different ports open on the two interfaces when they are covered by the same zone?
For info:
> sudo firewall-cmd --state
running
> sudo firewall-cmd --check-config
success
> sudo firewall-cmd --get-active-zones
docker
  interfaces: docker0
public
  interfaces: eth0 eth1 eth2 bond0
> sudo firewall-cmd --info-zone=public
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: bond0 eth0 eth1 eth2
  sources:
  services: grafana http https ssh
  ports: 3100/tcp 3100/udp 9080/tcp 9080/udp 3000/tcp 3000/udp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
> ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP group default qlen 1000
    link/ether e8:48:b8:9a:c7:3a brd ff:ff:ff:ff:ff:ff
    altname enp6s0
3: eth1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP group default qlen 1000
    link/ether e8:48:b8:9a:c7:3a brd ff:ff:ff:ff:ff:ff
    altname enp7s0
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 18:c0:4d:6f:b7:e0 brd ff:ff:ff:ff:ff:ff
    altname enp8s0
    inet 10.0.0.21/24 brd 10.0.0.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 fe80::1ac0:4dff:fe6f:b7e0/64 scope link
       valid_lft forever preferred_lft forever
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e8:48:b8:9a:c7:3a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ea48:b8ff:fe9a:c73a/64 scope link
       valid_lft forever preferred_lft forever
The configuration looks like this:
> sudo wicked show-config
[sudo] password for root:
<interface origin="compat:suse:/etc/sysconfig/network/ifcfg-lo">
  <name>lo</name>
  <control>
    <mode>boot</mode>
    <boot-stage>localfs</boot-stage>
    <persistent>true</persistent>
  </control>
  <link/>
  <ipv4>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
  </ipv4>
  <ipv4:static>
    <address>
      <local>127.0.0.1/8</local>
    </address>
  </ipv4:static>
  <ipv6>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
    <privacy>prefer-public</privacy>
    <accept-redirects>false</accept-redirects>
  </ipv6>
  <ipv6:static>
    <address>
      <local>::1/128</local>
    </address>
  </ipv6:static>
</interface>
<interface origin="compat:suse:/etc/sysconfig/network/ifcfg-bond0">
  <name>bond0</name>
  <control>
    <mode>boot</mode>
  </control>
  <firewall/>
  <bond>
    <mode>active-backup</mode>
    <miimon>
      <frequency>100</frequency>
      <carrier-detect>netif</carrier-detect>
    </miimon>
    <slaves>
      <slave>
        <device>eth0</device>
      </slave>
      <slave>
        <device>eth1</device>
      </slave>
    </slaves>
  </bond>
  <link/>
  <ipv4>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
    <arp-verify>true</arp-verify>
  </ipv4>
  <ipv4:static>
    <address>
      <local>10.0.0.20/24</local>
    </address>
    <route>
      <nexthop>
        <gateway>10.0.0.1</gateway>
      </nexthop>
    </route>
  </ipv4:static>
  <ipv6>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
    <privacy>prefer-public</privacy>
    <accept-redirects>false</accept-redirects>
  </ipv6>
</interface>
<interface origin="compat:suse:/etc/sysconfig/network/ifcfg-eth0">
  <name>eth0</name>
  <control>
    <mode>hotplug</mode>
  </control>
  <firewall/>
  <link>
    <master>bond0</master>
  </link>
  <ipv4>
    <enabled>false</enabled>
  </ipv4>
  <ipv6>
    <enabled>false</enabled>
  </ipv6>
</interface>
<interface origin="compat:suse:/etc/sysconfig/network/ifcfg-eth1">
  <name>eth1</name>
  <control>
    <mode>hotplug</mode>
  </control>
  <firewall/>
  <link>
    <master>bond0</master>
  </link>
  <ipv4>
    <enabled>false</enabled>
  </ipv4>
  <ipv6>
    <enabled>false</enabled>
  </ipv6>
</interface>
<interface origin="compat:suse:/etc/sysconfig/network/ifcfg-eth2">
  <name>eth2</name>
  <control>
    <mode>boot</mode>
  </control>
  <firewall/>
  <link>
    <mtu>1500</mtu>
  </link>
  <ipv4>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
    <arp-verify>true</arp-verify>
  </ipv4>
  <ipv4:static>
    <address>
      <local>10.0.0.21/24</local>
    </address>
  </ipv4:static>
  <ipv6>
    <enabled>true</enabled>
    <forwarding>false</forwarding>
    <privacy>prefer-public</privacy>
    <accept-redirects>false</accept-redirects>
  </ipv6>
</interface>