firewalld - services on specific port

Hello.

I can’t use telnet on the configured port.

I have copied /usr/lib/firewalld/services/ssh.xml and /usr/lib/firewalld/services/telnet.xml to /etc/firewalld
/etc/firewalld/services/ssh.xml is modified to use tcp port 12345
/etc/ssh/ssh_config is modified to use port 12345
/etc/ssh/sshd_config is modified to use port 12345
/etc/firewalld/services/telnet.xml is modified to use port 12346

firewalld has been restarted

I can ssh between computers on port 12345 (that is correct)
I can’t ssh using port 12346 (that is correct)

I cannot telnet on port 12346 (that is incorrect)
But I can telnet on port 12345 (that is incorrect)

user@ASUS:~> telnet 192.168.130.123 12346
Trying 192.168.130.123...
telnet: connect to address 192.168.130.123: Connection refused
user_install@ASUS-G75VW-JC:~> 

user@ASUS:~> telnet 192.168.130.123 12345
Trying 192.168.130.123...
Connected to 192.168.130.123.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6
^]
telnet> quit
Connection closed.

user@ASUS:~> firewall-cmd --list-all
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: gvw_eth0
  sources: 
  services: ssh mdns minidlna telnet
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Any help is welcome

Please share your running firewall rules as reported by

iptables -S

Also, your listening services…

sudo lsof -i -n -P

That’s not a firewall problem. The “Connection refused” indicates that you do not have a server listening on port 12346. If the firewall were blocking access, you would instead get a timeout.

user@ASUS:~> telnet 192.168.130.123 12345
Trying 192.168.130.123...
Connected to 192.168.130.123.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.6
^]
telnet> quit
Connection closed.

That’s working normally. You have “sshd” listening on port 12345, and “telnet” connected to that port. By design, “telnet” can connect to any port. It won’t be able to run a full telnet session on port 12345, because you do not have a telnet service listening on the port. Instead, you have an “sshd” service. So “telnet” gets the banner message, after which you quit. Since the port is open for “ssh”, that allows “telnet” to connect.

It looks to me as if everything is working as you wanted, except that you have not started a telnetd listen process on port 12346.

Yes, the lsof output will confirm that.

user_install@ASUS-G75VW-JC:~> sudo lsof -i -n -P
COMMAND    PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
wickedd-d 1561         root    8u  IPv4  32113      0t0  UDP *:68 
avahi-dae 1595        avahi   11u  IPv4  26903      0t0  UDP *:5353 
avahi-dae 1595        avahi   12u  IPv4  24114      0t0  UDP *:43347 
cupsd     1596         root    7u  IPv4  31540      0t0  TCP 127.0.0.1:631 (LISTEN)
chronyd   2541       chrony    1u  IPv4  24552      0t0  UDP 127.0.0.1:323 
sshd      2598         root    3u  IPv4  36066      0t0  TCP *:12345 (LISTEN)
minidlnad 2611         root    6u  IPv4  36073      0t0  UDP 239.255.255.250:1900 
minidlnad 2611         root    7u  IPv4  36074      0t0  TCP *:12348 (LISTEN)
minidlnad 2611         root   12u  IPv4  37046      0t0  UDP 192.168.130.80:51364 
kdeconnec 3051 user_install   12u  IPv4  34452      0t0  UDP *:1716 
kdeconnec 3051 user_install   13u  IPv4  38539      0t0  TCP *:1716 (LISTEN)
kdeconnec 3327         root   11u  IPv4  36610      0t0  UDP *:1716 
kdeconnec 3327         root   12u  IPv4  36614      0t0  TCP *:1717 (LISTEN)
firefox   4719 user_install   69u  IPv4  52643      0t0  TCP 192.168.130.80:32866->172.217.19.35:443 (ESTABLISHED)
firefox   .......................
firefox   .......................
firefox   .......................
firefox   4719 user_install  144u  IPv4  55333      0t0  TCP 192.168.130.80:48154->2.22.129.52:443 (ESTABLISHED)
telnet    4920 user_install    3u  IPv4  55425      0t0  TCP 192.168.130.80:44860->192.168.130.123:12345 (ESTABLISHED)

I did not know that.

So in firewalld, the telnet xml file is more for the telnet-server service.
So as I don’t need a telnet server, I have nothing to configure for the telnet client.
Isn’t it?

So you have sshd listening on port 12345

sshd      2598         root    3u  IPv4  36066      0t0  TCP *:12345 (LISTEN)

That explains your telnet probe results to this port. Also, nothing is listening on port 12346 so that explains the ‘Connection Refused’ result.
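Added example (not code from the thread): a small Python script that reads firewalld service definitions like the edited ssh.xml and telnet.xml, takes the zone's service list, and compares the TCP ports firewalld opens against the LISTEN entries in `lsof -i -n -P` output, so each opened port is labelled either as accepted by a listening process or as allowed but with nothing listening (which is what produces "Connection refused"). The XML and lsof lines are constructed stand-ins that mirror the values shown in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for the edited /etc/firewalld/services/*.xml files (firewalld's <service>/<port> layout).
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="12345"/></service>',
    "telnet": '<service><short>Telnet</short><port protocol="tcp" port="12346"/></service>',
}
# Constructed lines in the layout of `sudo lsof -i -n -P`, trimmed to the listeners.
LSOF_OUTPUT = """\
COMMAND    PID         USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      2598         root    3u  IPv4  36066      0t0  TCP *:12345 (LISTEN)
minidlnad 2611         root    7u  IPv4  36074      0t0  TCP *:12348 (LISTEN)
"""

def service_ports(xml_text):
    """Return the (protocol, port) pairs one firewalld service definition opens."""
    pairs = set()
    for p in ET.fromstring(xml_text).findall("port[@protocol][@port]"):
        proto, spec = p.get("protocol"), p.get("port")
        lo, _, hi = spec.partition("-")  # firewalld also allows "lo-hi" ranges
        for port in range(int(lo), int(hi or lo) + 1):
            pairs.add((proto, port))
    return pairs

def zone_open_ports(zone_services, definitions):
    """Union of the ports opened by the zone's services (names without a definition are skipped)."""
    opened = set()
    for name in zone_services:
        if name in definitions:
            opened |= service_ports(definitions[name])
    return opened

def listening_tcp_ports(lsof_text):
    """Map TCP port -> process name for every LISTEN line of lsof -i -n -P output."""
    ports = {}
    for line in lsof_text.splitlines()[1:]:
        f = line.split()
        if len(f) >= 10 and f[7] == "TCP" and f[9] == "(LISTEN)":
            ports[int(f[8].rsplit(":", 1)[1])] = f[0]
    return ports

def explain(zone_services, definitions, lsof_text):
    """Label each TCP port firewalld opens with what a connecting client will see."""
    listeners = listening_tcp_ports(lsof_text)
    result = {}
    for proto, port in sorted(zone_open_ports(zone_services, definitions)):
        if proto == "tcp":
            result[port] = ("accepted by " + listeners[port] if port in listeners
                            else "Connection refused (allowed, but nothing listening)")
    return result
```

Running `explain(["ssh", "mdns", "minidlna", "telnet"], SERVICE_XML, LSOF_OUTPUT)` reproduces the thread's observations: 12345 is accepted by sshd, 12346 is allowed but refused, and 12348 is listening but not opened by any of the defined services.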

Now I try to forbid telnet with this command on 2 computers:

firewall-cmd --permanent --remove-service=telnet

After reloading I can still telnet between the 2 computers.

Is it possible to block the telnet service?

Right. There’s nothing to do there.

You probably don’t even have “telnet-server” installed. I don’t think it is part of a standard install.

Just think of the telnet program as a useful all-purpose tcp client for testing connections to various ports. That’s how I use it. And there’s nothing to firewall there.

Thank you very much

Thank you very much to everybody.