CentOS - May 2015 - firewalld trouble opening a port

Hey all,

 I'm having a little trouble opening up a port on a C7 machine.

 Here's the default zone:

[root at appd:~] #firewall-cmd --get-default-zone
home

So I try to add the port:

[root at appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
success

Then I reload firewalld:

[root at appd:~] #firewall-cmd --reload
success

Simple! That should do it. Right? Well not quite.

Cuz when I telnet to that host on that port, it's not connecting:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx... <---obscuring the real IP
telnet: connect to address xx.xx.xx.xx: Connection refused
telnet: Unable to connect to remote host

Yet, that port is definitely listening on the host:

[root at appd:~] #lsof -i :8181
COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper (LISTEN)


And if I stop the firewall momentarily :

I can telnet to that port from a remote location:

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

Of course I bring up the firewall right away once I'm done testing:

[root at appd:~] #systemctl start firewalld
[root at appd:~] #systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
 Main PID: 18826 (firewalld)
   CGroup: /system.slice/firewalld.service
           ??18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall
daemon.

Any ideas on what I'm doing wrong?

Thanks,
Tim
-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

On 9 May 2015 at 14:57, Tim Dunphy <bluethundr at gmail.com> wrote:
> Hey all,
>
>  I'm having a little trouble opening up a port on a C7 machine.
>
>  Here's the default zone:
>
> [root at appd:~] #firewall-cmd --get-default-zone
> home
>
> So I try to add the port:
>
> [root at appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
> success
>
> Then I reload firewalld:
>
> [root at appd:~] #firewall-cmd --reload
> success
>
> Simple! That should do it. Right? Well not quite.
>
> Cuz when I telnet to that host on that port, it's not connecting:
>
> #telnet appd.mydomain.com 8181
> Trying xx.xx.xx.xx... <---obscuring the real IP
> telnet: connect to address xx.xx.xx.xx: Connection refused
> telnet: Unable to connect to remote host
>
> Yet, that port is definitely listening on the host:
>
> [root at appd:~] #lsof -i :8181
> COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
> java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper (LISTEN)
>
>
> And if I stop the firewall momentarily :
>
> I can telnet to that port from a remote location:
>
> #telnet appd.mydomain.com 8181
> Trying xx.xx.xx.xx...
> Connected to appd.mydomain.com.
> Escape character is '^]'.
>
> Of course I bring up the firewall right away once I'm done testing:
>
> [root at appd:~] #systemctl start firewalld
> [root at appd:~] #systemctl status firewalld
> firewalld.service - firewalld - dynamic firewall daemon
>    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
>    Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
>  Main PID: 18826 (firewalld)
>    CGroup: /system.slice/firewalld.service
>            ??18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
>
> May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall
> daemon.
>
> Any ideas on what I'm doing wrong?
>
> Thanks,
> Tim
> --
> GPG me!!
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
I saw that you are doing firewall-cmd --reload; however you did not had the
following:

firewall-cmd --permanent --zone=home --add-port=8181/tcp

The problem is you added the rule in runtime and when you reloaded it
removed the rule that you added; therefore you need to use --permanent or
do not reload.

Let me know if this helps.


-- 
Kind Regards
Earl Ramirez

Hi Earl,
>The problem is you added the rule in runtime and when you reloaded it
>removed the rule that you added; therefore you need to use --permanent
>or
>do not reload.
Thanks! That worked.

[root at appd:~] #firewall-cmd --zone=home --list-ports
[root at appd:~] #firewall-cmd --zone=home --add-port=8181/tcp --permanent
success
[root at appd:~] #firewall-cmd --reload
success
[root at appd:~] #firewall-cmd --zone=home --list-ports
8181/tcp

#telnet appd.mydomain.com 8181
Trying xx.xx.xx.xx...
Connected to appd.mydomain.com.
Escape character is '^]'.

On Sat, May 9, 2015 at 3:14 PM, Earl A Ramirez <earlaramirez at gmail.com>
wrote:
> On 9 May 2015 at 14:57, Tim Dunphy <bluethundr at gmail.com> wrote:
>
> > Hey all,
> >
> >  I'm having a little trouble opening up a port on a C7 machine.
> >
> >  Here's the default zone:
> >
> > [root at appd:~] #firewall-cmd --get-default-zone
> > home
> >
> > So I try to add the port:
> >
> > [root at appd:~] #firewall-cmd --zone=home --add-port=8181/tcp
> > success
> >
> > Then I reload firewalld:
> >
> > [root at appd:~] #firewall-cmd --reload
> > success
> >
> > Simple! That should do it. Right? Well not quite.
> >
> > Cuz when I telnet to that host on that port, it's not connecting:
> >
> > #telnet appd.mydomain.com 8181
> > Trying xx.xx.xx.xx... <---obscuring the real IP
> > telnet: connect to address xx.xx.xx.xx: Connection refused
> > telnet: Unable to connect to remote host
> >
> > Yet, that port is definitely listening on the host:
> >
> > [root at appd:~] #lsof -i :8181
> > COMMAND   PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
> > java    13423 root  333u  IPv6 3526508      0t0  TCP *:intermapper
> (LISTEN)
> >
> >
> > And if I stop the firewall momentarily :
> >
> > I can telnet to that port from a remote location:
> >
> > #telnet appd.mydomain.com 8181
> > Trying xx.xx.xx.xx...
> > Connected to appd.mydomain.com.
> > Escape character is '^]'.
> >
> > Of course I bring up the firewall right away once I'm done
testing:
> >
> > [root at appd:~] #systemctl start firewalld
> > [root at appd:~] #systemctl status firewalld
> > firewalld.service - firewalld - dynamic firewall daemon
> >    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
> >    Active: active (running) since Sat 2015-05-09 14:56:20 EDT; 7s ago
> >  Main PID: 18826 (firewalld)
> >    CGroup: /system.slice/firewalld.service
> >            ??18826 /usr/bin/python -Es /usr/sbin/firewalld --nofork
> --nopid
> >
> > May 09 14:56:20 appd systemd[1]: Started firewalld - dynamic firewall
> > daemon.
> >
> > Any ideas on what I'm doing wrong?
> >
> > Thanks,
> > Tim
> > --
> > GPG me!!
> >
> > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
> > _______________________________________________
> > CentOS mailing list
> > CentOS at centos.org
> > http://lists.centos.org/mailman/listinfo/centos
> >
>
> I saw that you are doing firewall-cmd --reload; however you did not had the
> following:
>
> firewall-cmd --permanent --zone=home --add-port=8181/tcp
>
> The problem is you added the rule in runtime and when you reloaded it
> removed the rule that you added; therefore you need to use --permanent or
> do not reload.
>
> Let me know if this helps.
>
>
> --
> Kind Regards
> Earl Ramirez
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B