Successful connect to a closed port with FirewallD

MSemochkin asked:

Please help to understand why FirewallD allows me to connect to one port but blocks the second.

There is a Docker container with transmission:

5cf144eed6f2        maksim77/transmission   "/bin/sh -c 'transmis"   14 hours ago        Up 16 minutes       0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp   transmission

Both ports (9091 and 51413) are not listed in FirewallD rules:

root@host:maksim #firewall-cmd --list-all-zones | grep active
public (default, active)
trusted (active)

root@host:maksim #firewall-cmd --list-all --zone trusted
  trusted (active)
  interfaces: docker0
  sources:
  services:
  ports: 4243/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

root@host:maksim #firewall-cmd --list-all --zone public
  public (default, active)
  interfaces: enp9s0
  sources:
  services: dhcpv6-client ftp http ssh
  ports: 41387/tcp 1900/udp 50213/tcp 8200/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

But! The connection is successful for port 9091 but not for port 51413. Port 51413 is available only for 127.0.0.1.

My answer:


You don’t see these in firewalld because Docker opens the ports itself, outside of firewalld.

To see what Docker is doing, run:

iptables -L DOCKER
iptables -t nat -L DOCKER

Docker will open firewall ports itself for any port your containers EXPOSE, unless you explicitly disable this. It also allows containers which need to communicate with each other to do so, so you should leave this enabled unless you really know what you’re doing.
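As an added example (not part of the original answer), a small Python audit that parses the output of `iptables -t nat -L DOCKER -n` and of `firewall-cmd --list-ports` and reports the ports Docker has published that no firewalld zone lists; the iptables output and zone port lists below are constructed to match the two ports and zones in the question, and the container address 172.17.0.2 is assumed.

```python
import re

# Constructed sample output of `iptables -t nat -L DOCKER -n` for the
# transmission container in the question (published ports 9091 and 51413).
# The container address 172.17.0.2 is an assumption.
NAT_DOCKER = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9091 to:172.17.0.2:9091
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413 to:172.17.0.2:51413
"""

# Constructed output of `firewall-cmd --zone=<zone> --list-ports`, copied from
# the zone listings in the question.
FIREWALLD_PORTS = {
    "public": "41387/tcp 1900/udp 50213/tcp 8200/tcp",
    "trusted": "4243/tcp",
}

DNAT_RE = re.compile(r"^DNAT\s+(\w+)\s+.*?dpt:(\d+)\s+to:([\d.]+):(\d+)")


def docker_published_ports(nat_chain):
    """Return {(proto, host_port): 'container_ip:port'} from the nat DOCKER chain."""
    published = {}
    for line in nat_chain.splitlines():
        m = DNAT_RE.match(line)
        if m:
            proto, hport, caddr, cport = m.groups()
            published[(proto, int(hport))] = f"{caddr}:{cport}"
    return published


def firewalld_ports(zone_outputs):
    """Return the set of (proto, port) opened in any firewalld zone (ranges expanded)."""
    allowed = set()
    for listing in zone_outputs.values():
        for item in listing.split():
            ports, proto = item.split("/")
            lo, _, hi = ports.partition("-")
            for port in range(int(lo), int(hi or lo) + 1):
                allowed.add((proto, port))
    return allowed


def unlisted_docker_ports(nat_chain, zone_outputs):
    """Ports Docker opened via DNAT that appear in no firewalld zone."""
    allowed = firewalld_ports(zone_outputs)
    return {k: v for k, v in docker_published_ports(nat_chain).items() if k not in allowed}


if __name__ == "__main__":
    for (proto, port), target in sorted(unlisted_docker_ports(NAT_DOCKER, FIREWALLD_PORTS).items()):
        print(f"{port}/{proto} -> {target}: published by Docker, not in any firewalld zone")
```

On a live host, feed the real command output into the two functions to get the same report for every container.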


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.