Ports are shown as opened in firewall-cmd, but nmap scans show they are closed

Hi! I am using openSUSE Leap 15.3, with vicibox v10. I have surfed the vicidial forums, but it seems to be an issue with openSUSE. I have opened ports with firewall-cmd; the output follows.


vicibox10:~ # sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 home
  sources: 
  services: apache2 apache2-ssl asterisk dhcpv6-client rtp ssh
  ports: 10000-20000/udp 10000-20000/tcp 20001-25000/tcp 20001-25000/udp 5060-5062/tcp 5060-5062/udp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Following is the nmap output:


vicibox10:~ # nmap -sU -p 10000 localhost
Starting Nmap 7.70 ( https://nmap.org ) at 2022-03-01 11:37 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000051s latency).
Other addresses for localhost (not scanned): ::1

PORT      STATE  SERVICE
10000/udp closed ndmp

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds


As nmap scans of UDP are time consuming, I scan random ports in the opened port range.

I have been stuck with this for the past 4 days.
I have to access the port range 10000-20000 over WAN for RTP connections in SIP.

Any help will be appreciated.
Thanks

I did not go into the details of the above, but as I see it there are two statements:

  1. the firewall accepts traffic to a certain port;
  2. trying to access a server program using that port fails.

What I am missing is the statement (and computer proof) that there is a server program listening on that particular port.

I see three possibilities:

  1. I am missing something and should not have posted at all :shame:;
  2. you forgot to inform us about that listening program;
  3. there isn’t such a listening program.

Of course the last case would explain what you reported.

@dinstar:

What happens if you scan the host with the firewall from another host?

  • You’re trying to scan yourself – “localhost” ain’t the network connection to other hosts …

The vicibox is using the Asterisk software for SIP/RTP. As far as I remember, the RTP ports are opened dynamically by Asterisk if requested by a SIP session, according to the information provided by the embedded SIP/SDP sub-protocol. Without an initiating SIP session these ports are closed. You can verify the open ports with:


# ss -anp|grep asterisk
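Added example (my own code, not posted by anyone in this thread) illustrating the point made in the first and the last reply: a firewall rule that allows a port does not make the port "open" to nmap; only a bound listener does. The probe below does what nmap -sU does on a single port. A reply means "open", an ICMP port unreachable (reported on Linux as ECONNREFUSED on a connected UDP socket) means "closed", and silence means "open|filtered", which is what a dropped packet or a silent listener looks like. Everything runs on 127.0.0.1, so, as the second reply notes, no firewall zone is involved at all; the listeners and the port numbers are constructed for the demo, and the function names are mine.

```python
import socket
import threading


def start_udp_listener(reply=True, port=0):
    """Bind a UDP socket on 127.0.0.1 (constructed listener for the demo).

    With reply=True it echoes the first datagram back, like a service would;
    with reply=False it stays bound but silent. Returns the port it got.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", port))
    srv.settimeout(5)

    def serve_once():
        try:
            data, peer = srv.recvfrom(512)
            if reply:
                srv.sendto(data, peer)
        except OSError:
            pass  # timeout or closed socket: nothing to do for a one-shot demo
        finally:
            srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def free_udp_port():
    """Pick a port nobody is currently bound to (constructed for the demo)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe_udp(host, port, timeout=1.0):
    """Classify one UDP port the way nmap -sU does: open / closed / open|filtered."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        # A connected UDP socket is what makes the kernel hand us the ICMP
        # port-unreachable error instead of silently discarding it.
        s.connect((host, port))
        s.send(b"probe")
        s.recv(512)
        return "open"            # something on that port answered
    except ConnectionRefusedError:
        return "closed"          # ICMP port unreachable: no process has the port bound
    except socket.timeout:
        return "open|filtered"   # no answer: silent listener, or packet dropped en route
    finally:
        s.close()


if __name__ == "__main__":
    echo_port = start_udp_listener(reply=True)
    quiet_port = start_udp_listener(reply=False)
    unbound_port = free_udp_port()
    print(f"{echo_port}/udp   (listener that replies): {probe_udp('127.0.0.1', echo_port)}")
    print(f"{unbound_port}/udp   (nothing bound):        {probe_udp('127.0.0.1', unbound_port)}")
    print(f"{quiet_port}/udp   (silent listener):      {probe_udp('127.0.0.1', quiet_port, timeout=0.5)}")
```

The unbound port is the situation in the original post: firewalld lists 10000-20000/udp as allowed, but until Asterisk binds an RTP port for an active call there is no socket behind it, so the kernel answers the probe with port unreachable and nmap prints "closed". The firewall only decides whether the probe reaches the kernel at all; `ss -anp | grep asterisk` on the server answers the question nmap cannot, namely whether anything is bound.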