On CentOS7 I have the following firewalld setting.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

But by ss -nat, IPv4 443 is not listened on. How can I fix it?

# ss -nat | grep LISTEN | grep 443
LISTEN     0      128         :::443                     :::*

Tadao
On Jul 27, 2017, at 9:36 PM, ???? <tadao at creative-japan.org> wrote:
>
> On CentOS7 I have the following firewalld setting.
>
> external (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: eth0
>   sources:
>   services: dns ftp http https imaps pop3s smtp ssh
>   ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
>   113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
>   8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>   protocols:
>   masquerade: yes
>   forward-ports:
>   sourceports:
>   icmp-blocks:
>   rich rules:
>
> But by ss -nat, IPv4 443 is not listened on. How can I fix it?
>
> # ss -nat | grep LISTEN | grep 443
> LISTEN     0      128         :::443                     :::*

Just because the firewall is open doesn't mean the process listening on port 443 has to be running. It looks like your HTTPD server (I assume apache httpd?) isn't listening on IPv4. This is not a firewall problem, but a configuration problem for the web server.

-- 
Jonathan Billings <billings at negate.org>
Dear Jonathan,

Thank you. Apache is running, and I can access it by https (IPv4 443).
Please tell me which configuration I need to check.

Tadao

2017-07-28 10:52 GMT+09:00 Jonathan Billings <billings at negate.org>:
> On Jul 27, 2017, at 9:36 PM, ???? <tadao at creative-japan.org> wrote:
> >
> > On CentOS7 I have the following firewalld setting.
> >
> > external (active)
> >   target: default
> >   icmp-block-inversion: no
> >   interfaces: eth0
> >   sources:
> >   services: dns ftp http https imaps pop3s smtp ssh
> >   ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
> >   113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
> >   8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
> >   protocols:
> >   masquerade: yes
> >   forward-ports:
> >   sourceports:
> >   icmp-blocks:
> >   rich rules:
> >
> > But by ss -nat, IPv4 443 is not listened on. How can I fix it?
> >
> > # ss -nat | grep LISTEN | grep 443
> > LISTEN     0      128         :::443                     :::*
>
> Just because the firewall is open doesn't mean the process listening on
> port 443 has to be running. It looks like your HTTPD server (I assume
> apache httpd?) isn't listening on IPv4. This is not a firewall problem,
> but a configuration problem for the web server.
>
> -- 
> Jonathan Billings <billings at negate.org>
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 07/27/2017 06:36 PM, ???? wrote:
> But by ss -nat, IPv4 443 is not listened on. How can I fix it?
>
> # ss -nat | grep LISTEN | grep 443
> LISTEN     0      128         :::443                     :::*

By default, Linux processes that listen on an IPv6 port will also listen on the IPv4 port (when no specific address is specified):

http://man7.org/linux/man-pages/man7/ipv6.7.html

You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only, but your system is working normally now.
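The dual-stack behaviour Gordon describes can be checked directly rather than inferred from the `ss` output. The following is an added example, not code from the thread: it opens an IPv6 wildcard listener (the same kind of socket that `ss` prints as `:::443`), first with `IPV6_V6ONLY` off (the Linux default, `bindv6only = 0`) and then with it on, and tests in each case whether a plain IPv4 client on 127.0.0.1 can connect. Port 0 is used so the kernel picks a free ephemeral port; the function names and the decision to read `/proc/sys/net/ipv6/bindv6only` for the system default are the example's own choices.

```python
import contextlib
import socket


def system_bindv6only():
    """Return the system-wide default for IPV6_V6ONLY (0 or 1) from procfs,
    or None when the file is not present (non-Linux host, IPv6 disabled)."""
    try:
        with open("/proc/sys/net/ipv6/bindv6only") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def ipv4_reaches_v6_listener(v6only: bool) -> bool:
    """Listen on [::]:<ephemeral> and test whether an IPv4 client can connect.

    v6only=False mirrors bindv6only = 0: the socket is dual-stack and the
    IPv4 client shows up as an IPv4-mapped address (::ffff:127.0.0.1).
    v6only=True mirrors bindv6only = 1, or a daemon setting IPV6_V6ONLY
    itself: the same ':::port' listener now accepts IPv6 clients only and
    an IPv4 connect is refused.
    """
    srv = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    with contextlib.closing(srv):
        # IPV6_V6ONLY must be set before bind() to take effect.
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
        srv.bind(("::", 0))  # wildcard address, kernel-chosen port
        srv.listen(1)
        srv.settimeout(2.0)
        port = srv.getsockname()[1]

        cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        with contextlib.closing(cli):
            cli.settimeout(2.0)
            try:
                cli.connect(("127.0.0.1", port))
            except OSError:
                # ECONNREFUSED: nothing is listening on the IPv4 side.
                return False
            conn, peer = srv.accept()
            conn.close()
            # A dual-stack listener sees the IPv4 peer as an IPv4-mapped IPv6 address.
            return peer[0].startswith("::ffff:")


if __name__ == "__main__":
    print("net.ipv6.bindv6only on this host:", system_bindv6only())
    print("IPv4 client reaches [::] listener, V6ONLY=0:", ipv4_reaches_v6_listener(False))
    print("IPv4 client reaches [::] listener, V6ONLY=1:", ipv4_reaches_v6_listener(True))
```

On a stock CentOS 7 host the first probe succeeds and the second is refused, which is why a single `:::443` line in `ss -nat` is enough for IPv4 clients to reach httpd. The caveat is the reverse case: a daemon that sets `IPV6_V6ONLY` itself, or a host with `bindv6only = 1`, prints the identical `:::443` line while silently refusing IPv4, so the `ss` output alone does not prove IPv4 reachability; the connect test above does.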
Dear Gordon Messmer,

Thank you. Please teach me one more thing.
By 'firewall-cmd --list' its answer is the following.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Now I can use http normally, and 'ss -nat' shows port 80 in use.
But in the above firewalld list there is the http service, but not the 80/tcp port.
Must I add the 80/tcp port?

Tadao

2017-07-28 11:29 GMT+09:00 Gordon Messmer <gordon.messmer at gmail.com>:
> On 07/27/2017 06:36 PM, ???? wrote:
>
>> But by ss -nat, IPv4 443 is not listened on. How can I fix it?
>>
>> # ss -nat | grep LISTEN | grep 443
>> LISTEN     0      128         :::443                     :::*
>>
>
>
> By default, Linux processes that listen on an IPv6 port will also listen
> on the IPv4 port (when no specific address is specified):
>
> http://man7.org/linux/man-pages/man7/ipv6.7.html
>
> You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only,
> but your system is working normally now.