Open port firewalld

Hi Fellers
I have a weird situation with the firewall.
I have deployed a mariadb container on the server.


$ docker ps
d65e7fd9a65d | mariadb:latest | "docker-entrypoint.s…"  | 3 months ago  |  Up 6 weeks  |   0.0.0.0:3306->3306/tcp  |   mysql

As shown, it is reachable from outside the server.


$ nmap -Pn -p3000-4000 [SERVER IP ADDRESS]

PORT     STATE SERVICE 
3306/tcp open  mysql


But when I check the YaST firewall, there is no such open port there, yet my application can connect to the db with the server IP address and port 3306.


$ firewall-cmd --list-services  
ssh dhcpv6-client http


I want to restrict access to the database so that just one IP address can access it.

Can you explain why the firewall cannot see this port?

I am not sure I understand the question. There are multiple ways to allow a port; show the “iptables -L -n -v” output, which will list the current rules as used by the kernel.

Sorry, I didn’t explain very well.
Apparently this port was opened without any firewall config and everyone on the Internet can see it.

The result is very long, so I pasted just the important parts.
Two parts got my attention:


$ iptables -n -L -v
.....

Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination          
   10   544 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.3           tcp dpt:3306
    6   260 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.2           tcp dpt:443
  335 19756 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.2           tcp dpt:80

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
 pkts bytes target     prot opt in     out    

.....

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination          
 2988  178K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
......

My questions are:

  1. Isn’t firewalld responsible for all ports, including the docker service ports?
  2. I want to set a rule on port 3306 so that only my application, which is served on another server, can connect to the db.

No. firewalld is just a frontend to the kernel. It interprets its configuration and translates it into the kernel iptables configuration. Any other program can independently change the current kernel iptables configuration. Of course, unless they coordinate, the results are really unpredictable, but there is not much that can be done here (nftables may bring some improvements).

  1. I want to set a rule on port 3306 so that only my application, which is served on another server, can connect to the db.
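The reply above explains the mechanism: Docker writes its own ACCEPT rules into the DOCKER chain, so a published port is reachable even though firewalld's allow list never mentions it. The following audit script is an added example, not code from the thread or from the Docker or firewalld projects. It parses the `iptables -n -L -v` output posted above (constructed sample, abridged to the two chains shown) together with the `firewall-cmd --list-services` output, reports every container port that Docker accepts from 0.0.0.0/0 but that firewalld never allowed, and builds the DOCKER-USER rule that confines such a port to one client address. The service-to-port map is a small hard-coded assumption (a real install would read firewalld's service definitions), and `eth0` and `203.0.113.10` are placeholder interface and client values.

```python
"""Audit Docker-published ports that firewalld does not know about.

Added example (not from the forum thread). The two sample texts below are
constructed from the output the poster shared; the service map is an
assumption covering only the services mentioned in the thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the DOCKER and IN_public_allow chains as posted.
SAMPLE_IPTABLES = """\
Chain DOCKER (4 references)
 pkts bytes target     prot opt in     out     source               destination
   10   544 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.3           tcp dpt:3306
    6   260 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.2           tcp dpt:443
  335 19756 ACCEPT     tcp  --  !br-97da32208e84 br-97da32208e84  0.0.0.0/0            172.20.0.2           tcp dpt:80

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination
 2988  178K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
"""

SAMPLE_FIREWALLD_SERVICES = "ssh dhcpv6-client http"  # `firewall-cmd --list-services`, as posted
SAMPLE_FIREWALLD_PORTS = ""  # assumption: `firewall-cmd --list-ports` printed nothing

# Assumption: minimal service -> (proto, port) map for the services in the thread.
SERVICE_PORTS = {
    "ssh": {("tcp", 22)},
    "http": {("tcp", 80)},
    "https": {("tcp", 443)},
    "dhcpv6-client": {("udp", 546)},
    "mysql": {("tcp", 3306)},
}


@dataclass(frozen=True)
class DockerRule:
    proto: str
    port: int
    source: str
    container_ip: str


# One ACCEPT line of the DOCKER chain in `iptables -n -L -v` layout:
# pkts bytes target prot opt in out source destination "<proto> dpt:<port>"
RULE_RE = re.compile(
    r"^\s*\d+\s+\S+\s+ACCEPT\s+(?P<proto>tcp|udp)\s+--\s+\S+\s+\S+\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P=proto)\s+dpt:(?P<port>\d+)"
)


def parse_docker_rules(iptables_text: str) -> list[DockerRule]:
    """Return the ACCEPT rules found in the DOCKER chain only."""
    rules: list[DockerRule] = []
    chain = None
    for line in iptables_text.splitlines():
        head = re.match(r"^Chain (\S+)", line)
        if head:
            chain = head.group(1)
            continue
        if chain != "DOCKER":
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(DockerRule(m["proto"], int(m["port"]), m["src"], m["dst"]))
    return rules


def firewalld_allowed(services: str, ports: str) -> set[tuple[str, int]]:
    """Expand firewalld's service and port lists into (proto, port) pairs."""
    allowed: set[tuple[str, int]] = set()
    for svc in services.split():
        allowed |= SERVICE_PORTS.get(svc, set())
    for item in ports.split():  # `--list-ports` prints e.g. "3306/tcp 8080/tcp"
        port, proto = item.split("/")
        allowed.add((proto, int(port)))
    return allowed


def find_bypassing_ports(iptables_text: str, services: str, ports: str) -> list[tuple[str, int, str]]:
    """Container ports Docker accepts from anywhere that firewalld never allowed."""
    allowed = firewalld_allowed(services, ports)
    return sorted(
        (r.proto, r.port, r.container_ip)
        for r in parse_docker_rules(iptables_text)
        if r.source in ("0.0.0.0/0", "anywhere") and (r.proto, r.port) not in allowed
    )


def docker_user_rule(port: int, allowed_source: str, ext_if: str, proto: str = "tcp") -> str:
    """Build (not run) the iptables command confining a published port to one client.

    DOCKER-USER is the chain Docker reserves for administrator rules; it is
    consulted before Docker's own ACCEPT rules and Docker does not rewrite it.
    Traffic in FORWARD has already been DNATed, so match the destination port;
    this assumes the container port equals the published one (3306->3306 here).
    """
    return f"iptables -I DOCKER-USER -i {ext_if} -p {proto} --dport {port} ! -s {allowed_source} -j DROP"


if __name__ == "__main__":
    for proto, port, ip in find_bypassing_ports(SAMPLE_IPTABLES, SAMPLE_FIREWALLD_SERVICES, SAMPLE_FIREWALLD_PORTS):
        print(f"{port}/{proto} -> {ip} is open to the world but not in firewalld")
    print(docker_user_rule(3306, "203.0.113.10", "eth0"))  # placeholder client and interface
```

Run against the posted output, the audit lists 3306/tcp and 443/tcp as world-reachable container ports with no firewalld allowance (80/tcp is covered by the `http` service). The generated DOCKER-USER rule survives a Docker restart, which rules added directly to the DOCKER chain do not; `firewall-cmd --list-services` will still not show the port, because the restriction lives in the kernel ruleset rather than in firewalld's configuration.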