So yeah, configuring Fedora 20's firewall-cmd. Tried to limit inbound traffic to only http, https, and ssh. However, the machine still responds to pings, and the --get-service command shows a laundry list of things I do not use.
Why the disconnect?
Is the --get-service command accurate, or is the --list-services command accurate?
If the latter, why does ping get through?
[root@build-node httpd]# firewall-cmd --get-service
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@build-node httpd]# firewall-cmd --get-active-zone
public
  interfaces: eth0 eth1 eth2
[root@build-node httpd]# firewall-cmd --zone=public --list-services
http https ssh
Additionally, excerpts from iptables -L -n.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
--get-service shows all services that firewalld is aware of, not those that you have opened ports for.
--list-services shows those that you have opened ports for.
You can see in the iptables listing that only ports 22, 80 and 443 are open, which is what you said you wanted.

Finally, about pings: All ICMP is allowed by default with firewalld (as it's usually a bad idea to block it unless you really know what you're doing). If you truly want to "block pings" then you have to do so explicitly. You can use --get-icmptypes to see the list of ICMP types that firewalld knows about, and --add-icmp-block to block one of them. Be sure you're on the console of the machine in case you lock yourself out.
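As an added example (not part of the answer above), a small Python audit of an `iptables -L -n` listing, using a sample rebuilt from the question's own output, that reports the ports actually opened and checks whether the blanket ICMP ACCEPT in INPUT sits ahead of the final REJECT, which is why pings still get answered. The chain names and column layout are those iptables prints; the sample text is constructed from the page.

```python
import re

# Constructed sample: the relevant chains from the question's `iptables -L -n`
# output. Each rule line is: target prot opt source destination [extras].
SAMPLE = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES_SOURCE  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW
"""

def parse_chains(listing):
    """Return {chain_name: [(target, proto, extras), ...]} from `iptables -L -n` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if not line.strip() or line.startswith("target") or current is None:
            continue  # blank line or the column header
        parts = line.split(None, 5)  # target, prot, opt, source, destination, extras
        extras = parts[5] if len(parts) > 5 else ""
        chains[current].append((parts[0], parts[1], extras))
    return chains

def accepted_ports(chains):
    """(proto, port) pairs with an explicit ACCEPT dpt rule: what is really open."""
    ports = set()
    for rules in chains.values():
        for target, proto, extras in rules:
            m = re.search(r"dpt:(\d+)", extras)
            if target == "ACCEPT" and m:
                ports.add((proto, int(m.group(1))))
    return sorted(ports)

def icmp_accepted_before_reject(chains):
    """True when INPUT accepts all ICMP before its catch-all REJECT (pings answered)."""
    for target, proto, extras in chains.get("INPUT", []):
        if target == "ACCEPT" and proto == "icmp":
            return True
        if target == "REJECT" and proto == "all":
            return False
    return False
```

Run it against the real output with `iptables -L -n` piped into `parse_chains` to confirm that only the services from `--list-services` have ACCEPT rules while ICMP is still accepted globally.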
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.