Fedora's firewall-cmd shows more available services than configured

user2700751 asked:

So yeah, configuring Fedora 20’s firewall-cmd. Tried to limit inbound traffic to only http, https, and ssh. However, the machine still responds to pings, and the --get-service command shows a laundry list of things I do not use.

Why the disconnect?

Is the --get-service command accurate, or is the --list-services command accurate?

If the latter, why does ping get through?

[root@build-node httpd]# firewall-cmd --get-service
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
[root@build-node httpd]# firewall-cmd --get-active-zone
  interfaces: eth0 eth1 eth2
[root@build-node httpd]# firewall-cmd --zone=public --list-services
http https ssh

Additionally, excerpts from iptables -L -n.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --              ctstate RELATED,ESTABLISHED
ACCEPT     all  --  
INPUT_direct  all  --  
INPUT_ZONES  all  --  
ACCEPT     icmp --  
REJECT     all  --              reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --             [goto]
IN_public  all  --             [goto]
IN_public  all  --             [goto]
IN_public  all  --             [goto]

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --              tcp dpt:80 ctstate NEW
ACCEPT     tcp  --              tcp dpt:443 ctstate NEW
ACCEPT     tcp  --              tcp dpt:22 ctstate NEW

My answer:

--get-service shows all services that firewalld is aware of, not those that you have opened ports for.

--list-services shows those that you have opened ports for.

You can see in the iptables listing that only ports 22, 80 and 443 are open, which is what you said you wanted.

Finally, about pings: All ICMP is allowed by default with firewalld (as it’s usually a bad idea to block it unless you really know what you’re doing). If you truly want to “block pings” then you have to do so explicitly. You can use --get-icmptypes to see the list of ICMP types that firewalld knows about, and --add-icmp-block to block one of them. Be sure you’re on the console of the machine in case you lock yourself out.

View the full question and answer on Server Fault.
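The answer's point is that the iptables listing, not --get-service, is the ground truth for what is actually open. The script below is an added example, not part of the Server Fault post or of firewalld: it parses the output of iptables -L -n and reports the accepted TCP/UDP destination ports plus whether any chain accepts ICMP outright (the rule that lets ping through). The embedded listing is a constructed sample reconstructed from the question's excerpt, with the 0.0.0.0/0 source/destination columns filled back in; on a real host you would pipe in the live iptables -L -n output instead.

```shell
#!/bin/sh
# Added example (not from the original post): cross-check a firewalld
# configuration against the kernel ruleset that iptables -L -n prints.

# Constructed sample input, modelled on the question's listing with the
# source/destination columns restored to the default 0.0.0.0/0.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 ctstate NEW
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW'

# Read an iptables -L -n listing on stdin and print "proto port" for every
# ACCEPT rule that matches a single destination port (the dpt:NNN token).
open_ports() {
    awk '$1 == "ACCEPT" && ($2 == "tcp" || $2 == "udp") {
        for (i = 3; i <= NF; i++)
            if ($i ~ /^dpt:[0-9]+$/) { sub(/^dpt:/, "", $i); print $2, $i }
    }'
}

# Succeed (exit 0) when some chain accepts the icmp protocol without any
# further match, which is why ping still answers in the question.
icmp_accepted() {
    awk '$1 == "ACCEPT" && $2 == "icmp" && NF <= 5 { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# Human-readable summary of a listing read from stdin.
summarize() {
    listing=$(cat)
    echo "Accepted ports:"
    printf '%s\n' "$listing" | open_ports | sed 's/^/  /'
    if printf '%s\n' "$listing" | icmp_accepted; then
        echo "ICMP: accepted (ping will answer unless an icmp-block is added)"
    else
        echo "ICMP: not accepted by an unconditional rule"
    fi
}

# Run against the constructed sample; replace with `iptables -L -n | summarize`
# on a live system.
printf '%s\n' "$SAMPLE_LISTING" | summarize
```

The NF <= 5 guard in icmp_accepted deliberately ignores ACCEPT icmp rules that carry extra match tokens (for example an icmptype restriction), so a later --add-icmp-block that narrows ICMP would not be misreported as "all ICMP accepted".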

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.