All ingress and egress traffic is allowed to an AWS EC2 instance using Security Groups.
The goal is to manage traffic and ports using FirewallD.
I have only allowed certain ports in FirewallD, but I can access services that belong outside the open ports.
Here is the output of publicly accessible services:
$ nmap -Pn <my-ip>
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-10-16 17:58 UTC
Nmap scan report for ec2-<my-ip>.*.compute.amazonaws.com (<my-ip>)
Host is up (0.57s latency).
Not shown: 992 filtered ports
PORT      STATE SERVICE
22/tcp    open  ssh
5432/tcp  open  postgresql
8080/tcp  open  http-proxy
8081/tcp  open  blackice-icecap
8082/tcp  open  blackice-alerts
8083/tcp  open  us-srv
9090/tcp  open  zeus-admin
50000/tcp open  ibm-db2
And, here is the output for services and ports opened with FirewallD
$ sudo firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports: 8080/tcp 8081/tcp 50000/tcp 8082/tcp 9980/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
What is missing in this setup to prevent access to port 8083 from the public internet to the EC2 instance?
Thank you.
-- Chintan Mishra
After reading more on the topic, it appears that this is a feature of running podman and FirewallD together.
`podman` instructs FirewallD to allow the ports whenever the `podman run` command specifies a port binding with the host.
Thank you.
-- Chintan Mishra
> On 16/10/22 23:51, Chintan Mishra from Rebhu wrote: [the original message, quoted in full above]
You are correct. podman and docker open the port for all interfaces. You need to specify the host's listening address if you want to limit the DNAT. e.g. '-p <host_addr>:<host_port>:<container_port>'
See this bug for discussion: https://github.com/firewalld/firewalld/issues/869
> On Mon, Oct 17, 2022 at 12:08:13AM +0530, Chintan Mishra from Rebhu wrote: [the follow-up and the original message, quoted in full above]
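The reply above points at the root cause: a `-p hostport:containerport` publication with no host address is bound on every interface, and podman/docker then ask firewalld to pass that port regardless of what `--list-ports` shows. The following POSIX sh helper is an added example, not code from this thread, from podman or from firewalld. It classifies a `-p` spec by the host address it binds, rewrites a spec onto a single address (the form the reply recommends), and audits constructed `podman ps`-style output for all-interface publications. The function names (`publish_scope`, `rebind_spec`, `audit_published_ports`), the sample `podman ps` lines and the private address 10.0.1.5 are all hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, podman or firewalld): audit podman/docker
# port publications for the all-interfaces binding the reply warns about, and
# rewrite a "-p" spec onto a single host address. Function names and sample
# data are hypothetical/constructed.

# publish_scope SPEC
#   SPEC is a "-p" argument: [ip:]hostport:containerport[/proto] (IPv6 host
#   addresses must be bracketed, as podman requires). Prints "all-interfaces"
#   when no host address, 0.0.0.0 or :: is given, else "bound:<addr>".
publish_scope() {
    spec=${1%%/*}                        # drop /tcp or /udp
    case $spec in
        \[*\]:*)                         # [::1]:8083:80
            addr=${spec#\[}
            addr=${addr%%\]*}
            ;;
        *:*:*)                           # 127.0.0.1:8083:80
            addr=${spec%%:*}
            ;;
        *)                               # 8083:80 or bare 8083
            addr=""
            ;;
    esac
    case $addr in
        ""|0.0.0.0|::) echo all-interfaces ;;
        *)             echo "bound:$addr" ;;
    esac
}

# rebind_spec ADDR SPEC
#   Same publish spec with its host address replaced by ADDR, e.g. the
#   instance's private IP or 127.0.0.1 (bracket ADDR if it is IPv6).
rebind_spec() {
    addr=$1
    spec=$2
    proto=""
    case $spec in */*) proto=/${spec#*/} ;; esac
    ports=${spec%%/*}
    case $ports in
        \[*\]:*) ports=${ports#*\]:} ;;
        *:*:*)   ports=${ports#*:} ;;
    esac
    echo "$addr:$ports$proto"
}

# audit_published_ports
#   Reads "NAME PORTS" lines on stdin in the shape of
#   `podman ps --format '{{.Names}} {{.Ports}}'` and prints every mapping
#   published on all interfaces. Returns 1 if any were found, 0 otherwise.
audit_published_ports() {
    found=0
    while read -r name ports; do
        for m in $(printf '%s\n' "$ports" | tr ',' ' '); do
            # "0.0.0.0:8083->80/tcp" becomes the spec "0.0.0.0:8083:80/tcp"
            spec=$(printf '%s\n' "$m" | sed 's/->/:/')
            if [ "$(publish_scope "$spec")" = all-interfaces ]; then
                echo "$name: $m is published on every interface"
                found=1
            fi
        done
    done
    return $found
}

# Constructed sample of `podman ps` output, not taken from the thread.
SAMPLE_PS='api 0.0.0.0:8083->80/tcp, 127.0.0.1:5432->5432/tcp
db 127.0.0.1:5433->5432/tcp'

main() {
    if printf '%s\n' "$SAMPLE_PS" | audit_published_ports; then
        echo "no all-interface publications found"
    else
        # 10.0.1.5 is a constructed private address standing in for the
        # instance's own IP; 127.0.0.1 is the right choice for local-only services.
        echo "rebind, e.g.: podman run -p $(rebind_spec 10.0.1.5 8083:80) ..."
    fi
}

main
```

Binding to the instance's private address still leaves the port reachable from the VPC, so the firewalld zone and the Security Group remain the controls for who may reach it; binding to 127.0.0.1 is the option when only processes on the host need the service.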
firewalld-users mailing list -- firewalld-users@lists.fedorahosted.org To unsubscribe send an email to firewalld-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/firewalld-users@lists.fedorahos... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue