
I am running Red Hat Enterprise Linux 7.9, where I'm trying to block docker-proxy TCP port 5000 via firewall-cmd. I am using the default public zone as the only active zone and have tried the following individually and in combination:

  1. Removed port 5000 from the public zone.
  2. Added a rich-rule to reject all traffic to port 5000.

Still, when I telnet from a different host, it says "Connected to <FQDN>". This behavior is seen only for port 5000. Other ports, such as 443, obey the firewall rules as expected.

Here is my firewall configuration:

[root@<hostname> ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources:
  services: dhcpv6-client ssh
  ports: 8472/udp 22/tcp 443/tcp 2376/tcp 2379-2380/tcp 6443/tcp 1300-3000/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" port port="5000" protocol="tcp" reject
        rule family="ipv6" port port="5000" protocol="tcp" reject

Here is docker-proxy listening on it:

[root@<hostname> ~]# netstat -tnlp | grep 5000
tcp6       0      0 :::5000                 :::*                    LISTEN      3541/docker-proxy

Any help is appreciated.

  • Docker generates and maintains its own firewall rules - depending on which version you have it may integrate with firewalld https://docs.docker.com/network/iptables/#integration-with-firewalld – Bob Mar 08 '21 at 07:50
  • @HermanB Thanks, I am using `Docker 19.03.12` and don't have a firewalld zone called `docker`. That means there is no firewalld integration here. I also have only one active zone `public` and the interface `docker0` is not attached to this zone (or any zone). How shall I restrict access to this port in this case? – Dibakar Aditya Mar 08 '21 at 08:07
  • In older versions docker maintains its own firewall rules outside of the firewalld framework (you will see them when using the lower level iptables tools) - but in general when you use docker to expose the port you also need to use docker to prevent that. – Bob Mar 08 '21 at 09:02
  • Are you sure you showed us whole firewalld rules? Did it list rules from all zones? – Jiri B Mar 08 '21 at 09:39
  • See a longer explanation here https://serverfault.com/a/995056/546643 – Bob Mar 08 '21 at 10:19
  • Yes, that's the only active zone. – Dibakar Aditya Mar 08 '21 at 12:47
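
The comments point at the mechanism: a port published by Docker is reached through Docker's own DNAT rule in the nat table, so the packet is forwarded to the container and never traverses the INPUT path where firewalld's public-zone rules and rich rules are evaluated. The script below is an added example (not from the question, the commenters, or Docker's own tooling) for checking that on a host: it pulls DNAT rules for a given port out of `iptables-save -t nat` output and tests whether the listener is bound to every address rather than loopback only. The embedded `SAMPLE_NAT` and `SAMPLE_NETSTAT` strings are constructed so it runs offline; on a real host you would pipe in `iptables-save -t nat` and `netstat -tnl` instead. The container address 172.17.0.2 and the rule layout are assumptions about a default bridge network.

```shell
#!/bin/sh
# Added example: show why a Docker-published port bypasses firewalld zone rules.
# Traffic from another host matches Docker's DNAT rule in nat/PREROUTING and is
# then handled in FORWARD, not INPUT, so an INPUT-side reject never sees it.

# Print every DNAT rule in nat-table output that targets the given host port.
# Usage on a real host:  iptables-save -t nat | dnat_rules_for_port 5000
dnat_rules_for_port() {
    port="$1"
    grep -E -- "--dport ${port} .*-j DNAT"
}

# Given `netstat -tnl` / `ss -tnl` style output, succeed (exit 0) when the port
# is bound to all addresses (0.0.0.0 or :::) instead of loopback only.
# Usage on a real host:  netstat -tnl | bound_to_all_interfaces 5000
bound_to_all_interfaces() {
    port="$1"
    grep -E "(0\.0\.0\.0|:::)${port}[[:space:]]" >/dev/null
}

# One-line verdict combining both checks; reads nat rules from $1 and listener
# output from $2 (both as text) so it can be driven offline or from live output.
port_exposure_verdict() {
    port="$1"; nat_text="$2"; listen_text="$3"
    has_dnat=$(printf '%s\n' "$nat_text" | dnat_rules_for_port "$port" | wc -l)
    if printf '%s\n' "$listen_text" | bound_to_all_interfaces "$port"; then
        all_if=yes
    else
        all_if=no
    fi
    if [ "$has_dnat" -gt 0 ] && [ "$all_if" = yes ]; then
        echo "port ${port}: published by Docker DNAT and bound on all interfaces; firewalld INPUT rules do not apply"
    elif [ "$has_dnat" -gt 0 ]; then
        echo "port ${port}: Docker DNAT present; check which host address it is published on"
    else
        echo "port ${port}: no Docker DNAT rule; firewalld zone rules govern this port"
    fi
}

# Constructed sample of `iptables-save -t nat` on a host where Docker published
# container port 5000 on every host interface (assumed default bridge layout).
SAMPLE_NAT='*nat
:PREROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
-A DOCKER ! -i docker0 -p tcp -m tcp --dport 5000 -j DNAT --to-destination 172.17.0.2:5000
COMMIT'

# Constructed sample of `netstat -tnl` matching the listener in the question.
SAMPLE_NETSTAT='tcp6       0      0 :::5000                 :::*                    LISTEN'

# Stand-alone run against the constructed samples.
port_exposure_verdict 5000 "$SAMPLE_NAT" "$SAMPLE_NETSTAT"
port_exposure_verdict 443 "$SAMPLE_NAT" "$SAMPLE_NETSTAT"
```

When the first check reports a DNAT rule, the fix has to be applied on Docker's side of the packet path, as the comments say: publish the port on a specific address (for example `-p 127.0.0.1:5000:5000`) so the DNAT only matches loopback traffic, or place the reject in the `DOCKER-USER` chain of the filter table, which Docker evaluates in FORWARD before its own accept rules and which the docs linked above describe.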
