    Solved How to use firewall-cmd to verify that tcp 80 & 443 is open?

    IT Discussion
    firewalld firewall-cmd fedora rhel centos
    • scottalanmiller

      Under normal circumstances, you just use the firewall tool and stop at that. If someone did anything else, they are trying to hide things from you. Compare to Windows, you'd not look any further than the Windows firewall if it is running, right? You don't dig for extra tools or registry entries. Could they exist? Of course. If they do, you probably need to rebuild pristine and start over as you have a system you can't really know.

      • marcinozga

        Why don't you just look in /etc/firewalls/zones/? Each zone has an xml file there, with list of ports and services that are permanently open.

        • scottalanmiller @marcinozga
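As an added example (not code from anyone in this thread), the following Python reads a firewalld zone file of the kind described above and answers the thread's question for a given port, resolving `<service>` entries to their TCP ports and expanding port ranges. The zone XML and the three-entry service table are constructed here; real installations have one service definition file per service under /usr/lib/firewalld/services/.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a firewalld zone file (the files under
# /etc/firewalld/zones/ follow this <zone> schema); not a real system's config.
ZONE_XML = """<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="10000-10005"/>
  <port protocol="udp" port="514"/>
</zone>
"""

# Constructed subset of firewalld's service definitions (normally one XML
# file each under /usr/lib/firewalld/services/), mapping name -> (proto, port spec).
SERVICE_PORTS = {
    "ssh": {("tcp", "22")},
    "http": {("tcp", "80")},
    "https": {("tcp", "443")},
}

def _expand(spec):
    """Expand a firewalld port spec such as '80' or '10000-10005' into ints."""
    lo, _, hi = spec.partition("-")
    return range(int(lo), int(hi or lo) + 1)

def open_ports(zone_xml, service_ports=SERVICE_PORTS):
    """Return the set of (proto, port) pairs permanently open in a zone."""
    root = ET.fromstring(zone_xml)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    opened = set()
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in service_ports:
            raise KeyError(f"unknown service {name!r}; supply its definition")
        for proto, spec in service_ports[name]:
            opened.update((proto, p) for p in _expand(spec))
    for port in root.findall("port"):
        opened.update((port.get("protocol"), p) for p in _expand(port.get("port")))
    return opened

def is_open(zone_xml, port, proto="tcp"):
    """True if proto/port is open in the zone, via a service or an explicit port."""
    return (proto, port) in open_ports(zone_xml)
```

This reads the permanent configuration, as the zone files do; the live ruleset is what `firewall-cmd --list-all` reports, and the two can differ until a reload or `firewall-cmd --runtime-to-permanent`.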

          @marcinozga said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

          Why don't you just look in /etc/firewalls/zones/? Each zone has an xml file there, with list of ports and services that are permanently open.

          Because that's way more work and tells him nothing the one line command wouldn't have summarized.

          • JaredBusch @scottalanmiller

            @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

            His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.

            That was not clear to me.

            But I would still stand by my statement. You look where it is supposed to be with the default tool. If it is not, then it is a snowflake and you need to rectify that. Snowflakes are bad.

            • 1337 @scottalanmiller

              @scottalanmiller said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

              @JaredBusch said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

              @Pete-S You are over complicating this.

              You check with the designated tool for the system as noted.

              Either you see it is open or you see it is not.

              If something is working but nothing is found, then you have either a compromised system or a snowflake system. Either way the system would need to be fixed.

              His concern is that the system wasn't built by him, so he's trying to find every possible source of configuration.

              That's correct.

              • 1337

                You guys are right though. It's complicated looking at every possible way to configure the firewall so it makes sense to test the "normal" way and leave it at that.

                One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.

                I've not seen something like that for iptables/netfilter.

                • scottalanmiller @1337

                  @Pete-S said in How to use firewall-cmd to verify that tcp 80 & 443 is open?:

                  One thing that would be nice to have, something that I've used on hardware firewalls, is a command that will simulate packets through the firewall rules to see if they will pass or not.
                  I've not seen something like that for iptables/netfilter.

                  Not sure about simulating, but you can always send packets at it and use iptables -v to see the counters.
