Please help me understand why FirewallD allows me to connect to one port but blocks the second.
There is a Docker container with transmission:
5cf144eed6f2 maksim77/transmission "/bin/sh -c 'transmis" 14 hours ago Up 16 minutes 0.0.0.0:9091->9091/tcp, 0.0.0.0:51413->51413/tcp transmission
Both ports (9091 and 51413) are not listed in FirewallD rules:
root@host:maksim #firewall-cmd --list-all-zones | grep active
public (default, active)
trusted (active)

root@host:maksim #firewall-cmd --list-all --zone trusted
trusted (active)
  interfaces: docker0
  sources:
  services:
  ports: 4243/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

root@host:maksim #firewall-cmd --list-all --zone public
public (default, active)
  interfaces: enp9s0
  sources:
  services: dhcpv6-client ftp http ssh
  ports: 41387/tcp 1900/udp 50213/tcp 8200/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
But! The connection is successful for port 9091 but not for port 51413. Port 51413 is available only for 127.0.0.1
You don’t see these in firewalld because Docker opens the ports itself, outside of firewalld.
To see what Docker is doing, run:
iptables -L DOCKER
iptables -t nat -L DOCKER
Docker will open firewall ports itself for any port your containers EXPOSE, unless you explicitly disable this. It also allows containers which need to communicate with each other to do so, so you should leave this enabled unless you really know what you’re doing.
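A small audit helper, added here as an example and not part of the answer above: it parses the output of `iptables -t nat -L DOCKER -n` and of `firewall-cmd --list-ports`, then reports the published ports that Docker forwards but that no firewalld zone lists. The sample outputs are constructed to match the two ports in the question, not captured from the asker's host.

```python
import re

# Constructed sample of `iptables -t nat -L DOCKER -n`, modelled on the two
# ports published by the transmission container (not real captured output).
SAMPLE_NAT_DOCKER = """\
Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:9091 to:172.17.0.2:9091
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413 to:172.17.0.2:51413
"""

# Constructed sample of `firewall-cmd --list-ports --zone public`, copied from
# the public zone shown in the question.
SAMPLE_FIREWALLD_PORTS = "41387/tcp 1900/udp 50213/tcp 8200/tcp"

# Matches Docker's DNAT rules: "DNAT tcp -- src dst tcp dpt:PORT to:IP:PORT"
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>tcp|udp)\s+.*?\bdpt:(?P<port>\d+)\s+to:(?P<dest>\S+)"
)


def parse_docker_dnat(text):
    """Return {(host_port, proto): container_dest} for each DNAT rule."""
    published = {}
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            published[(int(m.group("port")), m.group("proto"))] = m.group("dest")
    return published


def parse_firewalld_ports(text):
    """Return {(port, proto)} from firewall-cmd's 'PORT/PROTO' or 'LO-HI/PROTO' tokens."""
    result = set()
    for token in text.split():
        ports, proto = token.split("/")
        lo, _, hi = ports.partition("-")  # expand port ranges such as 1000-1002/tcp
        for port in range(int(lo), int(hi or lo) + 1):
            result.add((port, proto))
    return result


def ports_opened_outside_firewalld(nat_text, firewalld_text):
    """Ports Docker forwards to a container that firewalld does not list itself."""
    docker = parse_docker_dnat(nat_text)
    listed = parse_firewalld_ports(firewalld_text)
    return {key: dest for key, dest in docker.items() if key not in listed}


if __name__ == "__main__":
    for (port, proto), dest in ports_opened_outside_firewalld(
        SAMPLE_NAT_DOCKER, SAMPLE_FIREWALLD_PORTS
    ).items():
        print(f"{port}/{proto} -> {dest}: opened by Docker, not by firewalld")
```

Feed it the real command outputs to see which published ports bypass your firewalld zones; a port that is forwarded by Docker yet still unreachable is then a problem elsewhere (the container, or the filter-table DOCKER chain), not a missing firewalld rule.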
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.