problem of firewall

Hello,

I would like to open the TCP port 27008 in my LEAP 15.1. I used the following command line:

> firewall-cmd --zone=public --add-port=27008/tcp --permanent
> firewall-cmd --reload

Then I checked whether 27008 was really open or not with command line:


> firewall-cmd --list-services
ssh dhcpv6-client tftp tlwebaccess tlwebadm tlmaster tlagent

> /usr/sbin/iptables -nvL | grep 27008
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:27008 ctstate NEW
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:27008 ctstate NEW

> nc -v 192.168.16.31 27008
nc: connect to 192.168.16.31 port 27008 (tcp) failed: Connection refused

It seems that the port 27008 is still closed. I am just wondering how shall we resolve this issue?

Thanks a lot

Albert

“Connection refused” typically means that there isn’t any process listening on that port.

If the firewall were blocking it, you should get a connection timeout, instead of “connection refused”.

For port configuration, the applicable command is

firewall-cmd --list-ports
> nc -v 192.168.16.31 27008
nc: connect to 192.168.16.31 port 27008 (tcp) failed: Connection refused

It seems that the port 27008 is still closed. I am just wondering how shall we resolve this issue?

Thanks a lot

Albert

Why do you think it’s closed? Do you have an active process listening on that port?

sudo lsof -i :27008

Ports are opened either by adding a service (which includes all ports in the service definition) or by adding explicit port numbers. Do not mix up “ports” as a zone configuration element and “ports” as colloquial for opened TCP/UDP ports. I am not aware of any way to list currently open TCP/UDP ports as a super-set of services+ports in the active zone using firewalld commands.

The OP has added a port explicitly. Therefore, and I’ll post again, the command is…

firewall-cmd --list-ports

I am not aware of any way to list currently open TCP/UDP ports as super-set of services+ports in active zone using firewalld commands.

firewall-cmd --list-all

Example:

# firewall-cmd --zone=public --add-port=27008/tcp --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-ports
27008/tcp

Hello,
here is my output for the related command lines:

> firewall-cmd --zone=public --add-port=27008/tcp --permanent
Warning: ALREADY_ENABLED: 27008:tcp
success

> firewall-cmd --reload
success

> firewall-cmd --list-ports
27008/tcp

However, when I run the following command, connecting to port 27008 is still refused:

nc -v cudaA 27008
nc: connect to cudaA port 27008 (tcp) failed: Connection refused
nc: connect to cudaA port 27008 (tcp) failed: Connection refused

I am stuck here.

Which process is listening on that port? Can you run the command given in post #4?

Did you read @nrickert’s post #2 above?

Until now you have provided no information on whether a program is listening on that port. E.g. as root:

lsof -iTCP -sTCP:LISTEN

here is the output, for more information:

> sudo lsof -i :27008
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
lmgrd   5588 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
lmgrd   5588 albert    3u  IPv6  52601      0t0  TCP localhost:27008->localhost:53542 (ESTABLISHED)
SCHROD  5590 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
SCHROD  5590 albert    5u  IPv4  31141      0t0  TCP localhost:53542->localhost:27008 (ESTABLISHED)

> lsof -iTCP -sTCP:LISTEN
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd     1742   root    6u  IPv6   2302      0t0  TCP localhost:ipp (LISTEN)
cupsd     1742   root    7u  IPv4   2303      0t0  TCP localhost:ipp (LISTEN)
sshd      2567   root    3u  IPv4  74832      0t0  TCP *:ssh (LISTEN)
sshd      2567   root    4u  IPv6  74834      0t0  TCP *:ssh (LISTEN)
master    2882   root   13u  IPv4   1437      0t0  TCP localhost:smtp (LISTEN)
master    2882   root   14u  IPv6   1438      0t0  TCP localhost:smtp (LISTEN)
jservergo 5436 albert    3u  IPv6  87036      0t0  TCP *:42151 (LISTEN)
jservergo 5436 albert    5u  IPv6  87037      0t0  TCP *:35861 (LISTEN)
jservergo 5436 albert    6u  IPv6  87038      0t0  TCP *:36581 (LISTEN)
lmgrd     5588 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
SCHROD    5590 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
SCHROD    5590 albert    3u  IPv6  52593      0t0  TCP *:53000 (LISTEN)
sshd      6300 albert   10u  IPv6  36198      0t0  TCP localhost:x11 (LISTEN)
sshd      6300 albert   11u  IPv4  36199      0t0  TCP localhost:x11 (LISTEN)
Thanks a lot
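The two diagnostics the thread converges on, nrickert's distinction between "Connection refused" (no process accepted the connection) and a firewall block, and arvidjaar's point that `firewall-cmd --list-ports` only shows explicitly added ports, not ports carried by enabled services, can be cross-checked mechanically. The following is an added example, not code from the thread; it parses `firewall-cmd --list-ports` and `lsof -iTCP -sTCP:LISTEN` output captured as text (the sample below is copied from the output posted above, trimmed to a few lines) and reports, for one TCP port, whether firewalld allows it, what listens on it, and which bind address and address family the listener uses. The `service_ports` parameter is an assumption of this example: the caller supplies ports that are opened through a service (e.g. from `firewall-cmd --service=ssh --get-ports`), since they never appear in `--list-ports`.

```python
"""Cross-check a TCP port against firewalld's allowed ports and the host's listeners.

Added example, not code from the thread. Works on command output captured as text,
so it runs offline against the constructed samples below.
"""
import re

# lsof prints service names from /etc/services unless run with -P; a tiny
# local table keeps this example self-contained (run lsof with -nP to get numbers).
SERVICE_NAMES = {"ssh": 22, "smtp": 25, "ipp": 631, "x11": 6000}

# Constructed sample: `firewall-cmd --list-ports` output as posted in the thread.
FIREWALL_LIST_PORTS = "27008/tcp"

# Constructed sample: `lsof -iTCP -sTCP:LISTEN` output as posted in the thread, trimmed.
LSOF_LISTEN = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      2567   root    3u  IPv4  74832      0t0  TCP *:ssh (LISTEN)
sshd      2567   root    4u  IPv6  74834      0t0  TCP *:ssh (LISTEN)
master    2882   root   13u  IPv4   1437      0t0  TCP localhost:smtp (LISTEN)
lmgrd     5588 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
SCHROD    5590 albert    0u  IPv6  52589      0t0  TCP *:27008 (LISTEN)
SCHROD    5590 albert    3u  IPv6  52593      0t0  TCP *:53000 (LISTEN)
"""

# One lsof LISTEN line: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+(?P<family>IPv[46])"
    r"\s+\S+\s+\S+\s+TCP\s+(?P<bind>\S+):(?P<port>\S+)\s+\(LISTEN\)"
)


def parse_list_ports(text):
    """Turn '27008/tcp 53000/udp' into {(27008, 'tcp'), (53000, 'udp')}."""
    allowed = set()
    for token in text.split():
        port, proto = token.split("/")
        allowed.add((int(port), proto))
    return allowed


def parse_lsof_listen(text):
    """Return one dict per LISTEN socket; header and non-LISTEN lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        port = m.group("port")
        port = SERVICE_NAMES.get(port) or int(port)
        listeners.append({
            "command": m.group("cmd"), "pid": int(m.group("pid")),
            "family": m.group("family"), "bind": m.group("bind"), "port": port,
        })
    return listeners


def check_tcp_port(port, list_ports_text, lsof_text, service_ports=frozenset()):
    """Classify why a remote client might fail to reach TCP `port` on this host."""
    allowed = (port, "tcp") in parse_list_ports(list_ports_text) | set(service_ports)
    listeners = [l for l in parse_lsof_listen(lsof_text) if l["port"] == port]

    if not listeners:
        # Nothing accepts the connection: the kernel answers with a reset,
        # which nc reports as "Connection refused" whatever firewalld says.
        verdict = "no listener: 'Connection refused' is expected regardless of firewalld"
    elif all(l["bind"] == "localhost" for l in listeners):
        verdict = "listener bound to loopback only: not reachable from other hosts"
    elif not allowed:
        # The service is up, but the zone neither lists the port nor a service carrying it;
        # remote clients are rejected or time out at the firewall instead of reaching it.
        verdict = "listener present but port not in firewalld zone"
    else:
        verdict = "listener present and port allowed"
        if not any(l["family"] == "IPv4" for l in listeners):
            # An AF_INET6 socket normally also accepts IPv4 clients; it does not when the
            # program sets IPV6_V6ONLY (or net.ipv6.bindv6only=1). Worth confirming.
            verdict += "; socket is IPv6 only in lsof, confirm it also accepts IPv4"
    return {"port": port, "allowed": allowed, "listeners": listeners, "verdict": verdict}


if __name__ == "__main__":
    for p in (27008, 53000, 25, 22):
        r = check_tcp_port(p, FIREWALL_LIST_PORTS, LSOF_LISTEN, service_ports={(22, "tcp")})
        print(p, "->", r["verdict"])
```

Run against the thread's own output, the script reports 27008/tcp as allowed with an IPv6-only listener, and 53000/tcp (the second SCHROD socket) as listening but not opened in the zone, which is the port the final fix in this thread ends up adding.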

Thanks for sharing the lsof output. Remember we’re not over your shoulder to see these things for ourselves. I know nothing about lmgrd and SCHROD (other than what I could google). Is this for proprietary services, and can you get support from this party if so?

However, when I run the following command, port 27008 is still refused to connect:

nc -v cudaA 27008
nc: connect to cudaA port 27008 (tcp) failed: Connection refused
nc: connect to cudaA port 27008 (tcp) failed: Connection refused

Are you sure that using nc is a valid test for this service? For example, telnet and nc will fail when probing OpenVPN in that way.

Hi,

SCHROD is a professional computational biology software package, Schrodinger. I’ve asked Schrodinger support and they told me that “nc” is a proper test for this service, which I have used for the testing. Unfortunately, it always failed. SCHROD is managing a server license of the computational software. All other users have to connect to the license server machine via TCP port 27008 from their client computers, otherwise the software on the client machine cannot get access to the license.

Thanks again.

I may have missed if that is done above, but the ultimate test of whether the firewall is blocking something is of course switching it off for a test. I think everybody here is now curious if this is a firewall problem or something different.

actually I switched off the firewall just a few hours ago. What astonished me is that all ports were blocked, including ssh. I tried to switch it back on, but it doesn’t work. Then I had to reinstall my SUSE OS, in which opening port 27008 still doesn’t work…

It lists services and ports included in zone definition. It does not show which TCP/UDP ports are included in definitions of these services.

No, it shows the configured services and explicit ports (if configured). For that, examine the service definitions (in /etc/firewalld/services), use the ‘Services’ tab under firewall-config, or query a given service like this, e.g.

sudo firewall-cmd --permanent --service=dns --get-ports

Please keep on topic with the OP, or start your own thread.

Hi, here is the output

firewall-cmd --permanent --service=dns --get-ports
53/tcp 53/udp

No, that wasn’t a request for you. It was just an example to get the ports associated with a given service.

Problem resolved after executing the following command lines:

sudo firewall-cmd --permanent --add-port=27008/tcp
sudo firewall-cmd --permanent --service=dns --add-port=27008/udp
sudo firewall-cmd --permanent --add-port=53000/tcp
sudo firewall-cmd --permanent --service=dns --add-port=53000/udp
sudo firewall-cmd --reload
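As the earlier exchange about `--service=dns --get-ports` shows, `firewall-cmd --permanent --service=NAME --add-port=...` edits the service definition itself, not the zone: firewalld writes the full definition to /etc/firewalld/services/NAME.xml, and the extra ports are then opened wherever that service is enabled. A defender auditing a host later wants to see such drift between the packaged definition (/usr/lib/firewalld/services/) and the override. The following is an added example, not code from the thread or from firewalld; the two XML samples are constructed to reflect the dns service before and after the commands posted above (the `<description>` text is a placeholder), and `compare_service` is a name chosen for this example.

```python
"""Audit a firewalld service override for ports not in the packaged definition.

Added example, not code from the thread or the firewalld project. Parses the
service XML format firewalld uses; samples below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed: packaged default, as shipped under /usr/lib/firewalld/services/dns.xml.
DNS_DEFAULT_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>placeholder description</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>
"""

# Constructed: override under /etc/firewalld/services/dns.xml after
# `--service=dns --add-port=27008/udp` and `--service=dns --add-port=53000/udp`.
DNS_OVERRIDE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>placeholder description</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
  <port protocol="udp" port="27008"/>
  <port protocol="udp" port="53000"/>
</service>
"""


def service_ports(xml_text):
    """Return the (port, protocol) pairs a service definition opens.

    The port attribute is kept as a string because firewalld also accepts
    ranges such as "1024-65535".
    """
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition: root is <%s>" % root.tag)
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]


def compare_service(default_xml, override_xml):
    """Report ports the override adds to, or drops from, the packaged definition."""
    default = service_ports(default_xml)
    override = service_ports(override_xml)
    return {
        "added": [p for p in override if p not in default],
        "removed": [p for p in default if p not in override],
    }


def audit_service(name, default_xml, override_xml):
    """Human-readable one-liner per service, suitable for a cron'd config audit."""
    diff = compare_service(default_xml, override_xml)
    if not diff["added"] and not diff["removed"]:
        return "%s: override matches packaged definition" % name
    extra = ", ".join("%s/%s" % p for p in diff["added"]) or "none"
    gone = ", ".join("%s/%s" % p for p in diff["removed"]) or "none"
    return "%s: ports added by override: %s; ports removed: %s" % (name, extra, gone)


if __name__ == "__main__":
    print(audit_service("dns", DNS_DEFAULT_XML, DNS_OVERRIDE_XML))
```

On a real host, read the two files for each name present in /etc/firewalld/services/ and feed their contents to `audit_service`; a service whose override carries ports unrelated to it (here, license-manager ports inside "dns") is a candidate for moving those ports into the zone with a plain `--add-port`, or into a dedicated service definition named after the application.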