After reading more on the topic, it appears that this is a feature of running podman and FirewallD together.
`podman` instructs FirewallD to allow the ports whenever a `podman run` command specifies a port binding with the host.
Thank you.
-- Chintan Mishra
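An added check (example code, not from the thread): it compares the ports nmap reported open against the ports and services the firewalld zone explicitly allows, so ports reachable only through other rules (such as podman's port publishing) stand out. The nmap and firewall-cmd text below is a constructed excerpt of the output quoted in the thread, and the service-to-port mapping for `ssh` and `cockpit` is assumed from firewalld's shipped service definitions.

```shell
#!/bin/sh
# Constructed sample inputs, modelled on the thread's quoted output.
NMAP_OUT='PORT      STATE SERVICE
22/tcp    open  ssh
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
8083/tcp  open  us-srv
9090/tcp  open  zeus-admin'

FWD_OUT='public (active)
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp 50000/tcp 8082/tcp 9980/tcp'

# ports_from_nmap: print "port/proto" for every line nmap marks open.
ports_from_nmap() {
  printf '%s\n' "$1" | awk '$2 == "open" { print $1 }'
}

# ports_from_firewalld: print "port/proto" for each explicit entry on the
# ports: line, plus the ports behind the named services the thread shows
# (assumption: firewalld's ssh service is 22/tcp, cockpit is 9090/tcp).
ports_from_firewalld() {
  printf '%s\n' "$1" | awk '
    $1 == "ports:"    { for (i = 2; i <= NF; i++) print $i }
    $1 == "services:" { for (i = 2; i <= NF; i++) {
                          if ($i == "ssh")     print "22/tcp"
                          if ($i == "cockpit") print "9090/tcp" } }'
}

# unexplained_ports: open ports with no allowance in the zone listing.
# Anything printed here is reachable through rules outside the zone, which
# on this host is how podman's -p/--publish bindings show up; publishing to
# the loopback address instead (-p 127.0.0.1:8083:8083) keeps such a port
# off the public interface.
unexplained_ports() {
  open=$(ports_from_nmap "$1")
  allowed=" $(ports_from_firewalld "$2" | tr '\n' ' ') "
  for p in $open; do
    case "$allowed" in
      *" $p "*) ;;                 # explicitly allowed by firewalld
      *) printf '%s\n' "$p" ;;     # open, but not via the zone's rules
    esac
  done
}

unexplained_ports "$NMAP_OUT" "$FWD_OUT"
```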
On 16/10/22 23:51, Chintan Mishra from Rebhu wrote:
All ingress and egress traffic is allowed to an AWS EC2 instance using Security Groups.
The goal is to manage traffic and ports using FirewallD.
I have only allowed certain ports in FirewallD, but I can access services that belong outside the open ports.
Here is the output of publicly accessible services:
$ nmap -Pn <my-ip>
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-10-16 17:58 UTC
Nmap scan report for ec2-<my-ip>.*.compute.amazonaws.com (<my-ip>)
Host is up (0.57s latency).
Not shown: 992 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8083/tcp  open  us-srv
9090/tcp  open  zeus-admin
50000/tcp open  ibm-db2
And here is the output for services and ports opened with FirewallD:
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp 50000/tcp 8082/tcp 9980/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
What is missing in this setup to prevent access to port 8083 from the public internet to the EC2 instance?
Thank you.
-- Chintan Mishra
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org
To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue