Dear Gordon Messmer,

Thank you. Please teach me one more.
By 'firewall-cmd --list' its answer is the following.

external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
  protocols:
  masquerade: yes
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:

Now I can use http normally.
And 'ss -nat' shows port 80 used.

But in the above firewalld list there is the http service, but not the 80/tcp port.
Must I add the 80/tcp port?

Tadao

2017-07-28 11:29 GMT+09:00 Gordon Messmer <gordon.messmer at gmail.com>:
> On 07/27/2017 06:36 PM, ???? wrote:
>> But by ss -nat, IPv4 443 is not listened on. How can I fix this?
>>
>> # ss -nat | grep LISTEN | grep 443
>> LISTEN 0 128 :::443 :::*
>
> By default, Linux processes that listen on an IPv6 port will also listen
> on the IPv4 port (when no specific address is specified):
>
> http://man7.org/linux/man-pages/man7/ipv6.7.html
>
> You could change that behavior by modifying /proc/sys/net/ipv6/bindv6only,
> but your system is working normally now.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
On 30.07.2017 at 07:06, ???? wrote:
> Please teach me one more.
> By 'firewall-cmd --list' its answer is the following.
>
> external (active)
>   target: default
>   icmp-block-inversion: no
>   interfaces: eth0
>   sources:
>   services: dns ftp http https imaps pop3s smtp ssh
>   ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
>   113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
>   8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>   protocols:
>   masquerade: yes
>   forward-ports:
>   sourceports:
>   icmp-blocks:
>   rich rules:
>
> Now I can use http normally.
> And 'ss -nat' shows port 80 used.
>
> But in the above firewalld list there is the http service, but not the 80/tcp port.
> Must I add the 80/tcp port?
>
> Tadao

Hi,

you can define rules either by using services or by using ports. You have partly doubled that config by using both a service definition and a port definition. For instance service ssh and port 22/tcp. Same for smtp and port 25.

You find the list of pre-defined services under /usr/lib/firewalld/services/.

To give you an example. You can define

# firewall-cmd --permanent --zone=public --add-service=http

which enables port 80/tcp for the public zone. You can check how the service is defined by

# firewall-cmd --info-service=http

You could achieve the same port opening by issuing

firewall-cmd --zone=public --add-port=80/tcp

More or less a matter of taste how to define things. But you had better avoid causing doubled rules.

See your "iptables -L -n -v --line" output and you'll find multiple rules defined 2 times.

Alexander
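The doubling Alexander describes (a service and the explicit port it already covers, both enabled in the same zone) can be spotted mechanically. The script below is an added example, not from the thread or from firewalld; it embeds the zone listing from the thread as constructed sample input and hard-codes the service-to-port map (an assumption standing in for `firewall-cmd --info-service=NAME`), then prints the `--remove-port` commands that would leave only the service definitions in place.

```shell
#!/bin/sh
# Added example (not from the thread): flag explicit ports in a firewalld
# zone listing that are already opened by an enabled service.

# Constructed sample, copied from the 'firewall-cmd --list' output in the
# thread; on a live host use: firewall-cmd --zone=external --list-all
LIST_ALL='external (active)
  target: default
  services: dns ftp http https imaps pop3s smtp ssh
  ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp 113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp 8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp'

# Service -> ports map, hard-coded here (assumption) to match the stock
# /usr/lib/firewalld/services/*.xml files; on a live host read it with
# 'firewall-cmd --info-service=NAME' instead.
service_ports() {
  case "$1" in
    dns)   echo "53/tcp 53/udp" ;;
    ftp)   echo "21/tcp" ;;
    http)  echo "80/tcp" ;;
    https) echo "443/tcp" ;;
    imaps) echo "993/tcp" ;;
    pop3s) echo "995/tcp" ;;
    smtp)  echo "25/tcp" ;;
    ssh)   echo "22/tcp" ;;
    *)     echo "" ;;
  esac
}

# Print "PORT SERVICE" for every explicit port that a listed service
# already covers, i.e. the doubled rules Alexander points to.
find_doubled_ports() {
  services=$(printf '%s\n' "$1" | sed -n 's/^ *services: *//p')
  ports=$(printf '%s\n' "$1" | sed -n 's/^ *ports: *//p')
  for svc in $services; do
    for sp in $(service_ports "$svc"); do
      for p in $ports; do
        if [ "$p" = "$sp" ]; then echo "$p $svc"; fi
      done
    done
  done
  return 0
}

# Turn the findings into permanent clean-up commands (printed, not run),
# keeping the service and dropping the redundant explicit port.
cleanup_commands() {
  zone=$(printf '%s\n' "$1" | sed -n '1s/ (.*//p')
  find_doubled_ports "$1" | while read -r port svc; do
    echo "firewall-cmd --permanent --zone=$zone --remove-port=$port  # covered by service $svc"
  done
}

cleanup_commands "$LIST_ALL"
```

For the sample listing this reports eight doubled ports (53/tcp and 53/udp via dns, 21/tcp, 443/tcp, 993/tcp, 995/tcp, 25/tcp, 22/tcp) and no hit for 80/tcp, which is only present through the http service; `--permanent` changes take effect after `firewall-cmd --reload`.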
Dear Alexander,

Thank you.

Tadao

2017-07-31 1:25 GMT+09:00 Alexander Dalloz <ad+lists at uni-x.org>:
> On 30.07.2017 at 07:06, ???? wrote:
>> Please teach me one more.
>> By 'firewall-cmd --list' its answer is the following.
>>
>> external (active)
>>   target: default
>>   icmp-block-inversion: no
>>   interfaces: eth0
>>   sources:
>>   services: dns ftp http https imaps pop3s smtp ssh
>>   ports: 110/tcp 21/tcp 20000/tcp 106/tcp 53/tcp 990/tcp 5432/tcp 8447/tcp
>>   113/tcp 143/tcp 3306/tcp 5224/tcp 22/tcp 465/tcp 995/tcp 25/tcp 10000/tcp
>>   8443/tcp 993/tcp 443/tcp 8880/tcp 587/tcp 20/tcp 53/udp 12768/tcp
>>   protocols:
>>   masquerade: yes
>>   forward-ports:
>>   sourceports:
>>   icmp-blocks:
>>   rich rules:
>>
>> Now I can use http normally.
>> And 'ss -nat' shows port 80 used.
>>
>> But in the above firewalld list there is the http service, but not the 80/tcp port.
>> Must I add the 80/tcp port?
>>
>> Tadao
>
> Hi,
>
> you can define rules either by using services or by using ports. You have partly
> doubled that config by using both a service definition and a port
> definition. For instance service ssh and port 22/tcp. Same for smtp and
> port 25.
>
> You find the list of pre-defined services under
> /usr/lib/firewalld/services/.
>
> To give you an example. You can define
>
> # firewall-cmd --permanent --zone=public --add-service=http
>
> which enables port 80/tcp for the public zone. You can check how the
> service is defined by
>
> # firewall-cmd --info-service=http
>
> You could achieve the same port opening by issuing
>
> firewall-cmd --zone=public --add-port=80/tcp
>
> More or less a matter of taste how to define things. But you had better avoid
> causing doubled rules.
>
> See your "iptables -L -n -v --line" output and you'll find multiple rules
> defined 2 times.
>
> Alexander