Opening port 3000, added rules to firewalld : Solved?

knackwurst
Posts: 2
Joined: 2019/06/24 20:54:30

Opening port 3000, added rules to firewalld : Solved?

Post by knackwurst » 2019/06/24 21:42:35

Please read my followup on this, I was able to finally accept a connection on 3000, though am still unsure why my zone seems ignored and I must explicitly add the port.

I am trying to receive a connection on port 3000 which I have configured using firewall-cmd. netstat says node is listening on that port, and nmap also says port 3000 is open when run from the CentOS 7 machine. I created a custom service node.xml located in /etc/firewalld/services/node.xml, created a custom zone called node, added the service node to the zone node and followed up with a firewall-cmd --reload.

From outside, the server is not responding on port 3000: nmap -p 3000 myhost gives me "Note: Host seems down...", and using a publicly available port checker, t1shopper.com, says it isn't responding on port 3000 (hbci). I did notice that when I do firewall-cmd --zone=node --list-services no ports are listed, though I think my xml service file node.xml is correct and it appears to be added. I am at a loss for how to troubleshoot this further. It seems others on this forum have posted about problems with port 3000 in the past; one was dealing with adding a rule to SELinux, but mine seems disabled. Can someone point me in the right direction as to why I cannot connect to this port from outside the network?

I did some checking and it seems SELinux is disabled, according to

# getenforce
Disabled
# sestatus
SELinux status:                 disabled

Netstat seems to indicate that node is listening...

netstat -ltnp | grep -w ':3000'

tcp6       0      0 :::3000                 :::*                    LISTEN      10993/node 

# firewall-cmd --zone=node --list-services
node

# firewall-cmd --zone=node --list-all
node
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: node
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:

Last edited by knackwurst on 2019/06/25 00:33:30, edited 1 time in total.

knackwurst
Posts: 2
Joined: 2019/06/24 20:54:30

Re: Opening port 3000, added rules to firewalld

Post by knackwurst » 2019/06/25 00:31:58

Seems to work OK if I firewall-cmd --permanent --add-port=3000/tcp, by which I mean it will now accept incoming connections on that port. I am curious as to why it appears to have been ignoring my custom zone / service. Perhaps it is related to this bug https://bugs.centos.org/view.php?id=7526 as reading through documentation online led me to believe I could do this, have both public and node zones on eth0. I guess this is solved unless someone can contribute as to the reasoning my feeble attempt at networking failed.

hunter86_bg
Posts: 2019
Joined: 2015/02/17 15:14:33
Location: Bulgaria
Contact:

Re: Opening port 3000, added rules to firewalld : Solved?

Post by hunter86_bg » 2019/06/26 16:01:05

You have to paste your service here in order to be reviewed by others.
Usually I take a copy of existing one and edit as per my needs.

TrevorH
Site Admin
Posts: 33215
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Opening port 3000, added rules to firewalld : Solved?

Post by TrevorH » 2019/06/26 16:31:56

Bug 7526 is very old and I am fairly sure it was fixed in around 7.3.

When using your xml file, do you get any output from iptables-save | grep 3000 ?

The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

jlehtone
Posts: 4530
Joined: 2007/12/11 08:17:33
Location: Finland

Re: Opening port 3000, added rules to firewalld

Post by jlehtone » 2019/06/27 15:54:55

knackwurst wrote:
2019/06/25 00:31:58
have both public and node zones on eth0.
A) No. A zone can have multiple interfaces, but an interface has only one zone.
B) Why more than one?

To change the interface of a zone:

nmcli con mod eth0 connection.zone myzone

To define a service:

firewall-cmd --permanent --new-service=myprog
firewall-cmd --permanent --service=myprog --set-description="Totally awesome myprog"
firewall-cmd --permanent --service=myprog --add-port=3000/tcp

To use service on zone:

firewall-cmd --permanent --zone=public --add-service=myprog
firewall-cmd --reload
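The symptom in knackwurst's --list-all output above is that the node zone has empty "interfaces:" and "sources:" lines, so firewalld never applies it to any traffic; jlehtone's nmcli step is what binds eth0 to a zone. The following is an added example (not code from this thread) that reads a zone listing and reports whether the zone is actually bound; both listings are constructed samples, and the "(active)" marker on the bound one is what firewall-cmd prints for a zone with an interface.

```shell
#!/bin/sh
# Constructed sample: the unbound zone as posted in the thread.
NODE_UNBOUND='node
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: node
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:'

# Constructed sample: same zone after "nmcli con mod eth0 connection.zone node".
NODE_BOUND='node (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: node
  ports: 3000/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules:'

# zone_field LISTING FIELD: print the value of the "  FIELD: value" line (empty if unset).
zone_field() {
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# zone_is_bound LISTING: succeed only if the zone has an interface or a source,
# i.e. only if its services/ports can ever match a packet.
zone_is_bound() {
  [ -n "$(zone_field "$1" interfaces)" ] || [ -n "$(zone_field "$1" sources)" ]
}

# diagnose_zone LISTING: one-line verdict, in the style of a pre-reload sanity check.
diagnose_zone() {
  name=$(printf '%s\n' "$1" | head -n 1 | cut -d' ' -f1)
  if zone_is_bound "$1"; then
    printf '%s: bound (interfaces=%s sources=%s) services=%s ports=%s\n' "$name" \
      "$(zone_field "$1" interfaces)" "$(zone_field "$1" sources)" \
      "$(zone_field "$1" services)" "$(zone_field "$1" ports)"
  else
    printf '%s: NOT bound to any interface or source; services=%s will never match\n' \
      "$name" "$(zone_field "$1" services)"
  fi
}
```

On a live host the same check is `firewall-cmd --zone=node --list-all | diagnose_zone "$(cat)"`, or simply `firewall-cmd --get-active-zones`, which lists only zones that have an interface or source.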
