3

I'm on centos 7 using firewalld.

I've configured firewalld so 443 is open:

$ sudo firewall-cmd --zone=public --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: couchdb2 dhcpv6-client http https ssh
  ports: 443/tcp 5984/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
Warning: ALREADY_ENABLED: 443:tcp
success

Apparently port 443 is open, but ...

$ curl https://127.0.0.1:443
curl: (7) Failed connect to 127.0.0.1:443; Connection refused

I also test it using the web tool at http://www.yougetsignal.com/tools/open-ports/

I type in my IP address and port 443 and get: Closed Port 443 is closed on {my-ip}

What could be going wrong? It seems to open and yet it isn't.

I query netstat with this result:

$ sudo netstat -lnp | grep 443
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd

Once I fixed my nginx.conf to properly listen to 443 the result looked like:

$ sudo netstat -lnp | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10197/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      10197/nginx: master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd
WebSnake
  • It's better to include the leading colon when you're looking for a specific port. (i.e. "sudo netstat -lnp | grep :443") The output you've shown only matches because chronyd happens to have process id 443. – Paul Gear Jul 04 '17 at 22:50
  • **Check points** 1. The port should be allowed on the network (firewalld/iptables etc.) 2. The server should listen on the port (apache2.conf/httpd.conf etc.) – Amit Panasara Feb 23 '19 at 11:06

2 Answers

5

The error Connection refused usually means the firewall allowed the packets to get through (unless the firewall is actively rejecting the connection attempt), but there is no service listening on the destination port.

In your case, you need to make sure an HTTPS web server is running and listening on port 443. You can use the following command to verify.

sudo netstat -lnp | grep 443

Edit: As commented by @Paul, the shown output means there is no process listening on port 443. That output is irrelevant because it matched the process ID 443, whereas we need a match on the TCP port number. You need to find a line similar to:

tcp  0   0 0.0.0.0:443      0.0.0.0:*     LISTEN      <pid>/<proc_name>       
Khaled
  • This, and additionally, some cloud services like Amazon AWS have their own firewall/security systems where you need to open the ports there too. In AWS EC2 you have security groups where you need to again specify who you allow where. – JayMcTee Jul 04 '17 at 11:02
  • @JayMcTee I'm not on AWS, I'm using bare metal CentOS 7 – WebSnake Jul 04 '17 at 21:12
  • @Khaled I'm using nginx as my webserver, and its configured using the nginx.conf and a sites-enabled module to listen to 443. Is that what you mean? My netstat output is added to your answer above – WebSnake Jul 04 '17 at 21:12
  • @Khaled Not sure if you can see my output above yet. Its says it has to be peer reviewed. I'll put it here too with crappy formatting: 'code'udp 0 0 127.0.0.1:323 0.0.0.0:* 443/chronyd udp6 0 0 ::1:323 :::* 443/chronyd 'code' – WebSnake Jul 04 '17 at 21:14
  • @Khaled you can read the output better in the Question itself now – WebSnake Jul 04 '17 at 21:18
  • @Khaled Yes, it was my nginx.conf that needed fixing. I was confident I had it right and I did, but the wrong file got copied to the server. :-/ Sorry to waste your time. – WebSnake Jul 12 '17 at 22:59
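The check this answer and Paul's comment describe, as an added example (not part of the original answer): a small POSIX sh script that tells "the firewall lets the packet in" apart from "something is actually listening" by parsing `netstat -lnp` field by field instead of grepping for the bare number, which also matches a PID of 443 (chronyd in the question). The two samples are constructed from the netstat lines quoted in the question, before and after the nginx.conf fix, so the script runs offline; it assumes the column layout of CentOS 7 net-tools netstat (`ss -lntp` prints a different layout and would need its own parser).

```sh
#!/bin/sh
# Added example, not from the original question or answers: decide whether a
# TCP port has a listening socket from `netstat -lnp` output. The samples
# below are constructed from the netstat output quoted in the question.

NETSTAT_BEFORE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd'

NETSTAT_AFTER='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10197/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      10197/nginx: master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd'

# What the question did: count lines containing "443" anywhere. This also
# matches the chronyd PID, so it reports hits when nothing listens on TCP 443.
naive_count() {
    grep -c "$1" || true
}

# tcp_listeners PORT: read netstat -lnp output on stdin and print
# "PID/Program name" for every TCP socket in LISTEN state whose local port
# is PORT (any address, IPv4 or IPv6). Exit 0 if at least one was found.
tcp_listeners() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, addr, ":")          # the port follows the last colon
            if (addr[n] == port) {
                found = 1
                prog = $7                     # program name may contain spaces
                for (i = 8; i <= NF; i++) prog = prog " " $i
                print prog
            }
        }
        END { exit found ? 0 : 1 }'
}

# diagnose PORT: map the listener check onto the symptom from the question.
# A permitted port with no listener yields "Connection refused" (the kernel
# answers the SYN with RST); a firewall that drops the SYN yields a timeout.
diagnose() {
    if listeners=$(tcp_listeners "$1"); then
        summary=$(printf '%s\n' "$listeners" | sort -u |
                  awk '{ s = s (NR > 1 ? "; " : "") $0 } END { print s }')
        printf 'LISTENING on tcp/%s: %s\n' "$1" "$summary"
    else
        printf 'NO LISTENER on tcp/%s: expect "Connection refused" even with the firewall open\n' "$1"
    fi
}

# Run both samples through the naive and the field-based check.
printf 'naive grep hits (before): %s\n' "$(printf '%s\n' "$NETSTAT_BEFORE" | naive_count 443)"
printf '%s\n' "$NETSTAT_BEFORE" | diagnose 443
printf '%s\n' "$NETSTAT_AFTER"  | diagnose 443
```

On the host itself, replace the constructed sample with live data (`sudo netstat -lnp | diagnose 443`) and pair it with `sudo firewall-cmd --zone=public --list-ports`: if the port is listed there and the listener check still says NO LISTENER, the firewall is not the problem.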
0

You need to reload firewalld after you add a rule with --permanent, or you have to rerun the command without --permanent.

When you say --permanent, firewalld just updates the configuration but doesn't reload it.

Andreas Rogge
  • $ sudo firewall-cmd --zone=public --permanent --list-all appears to reflect the current state, not just the config. I experimented with closing and opening the port. But reloading the config didn't change anything. – WebSnake Jul 12 '17 at 21:25
  • It turned out to just be my nginx.conf – WebSnake Jul 12 '17 at 23:03
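The runtime-versus-permanent distinction from this answer, as an added example (not part of the original answer): `firewall-cmd --list-ports` reports what firewalld enforces right now, while `--permanent --list-ports` reports the saved configuration, which only becomes runtime after `firewall-cmd --reload`. The script compares the two views for a zone; the port lists in the stand-alone demo are constructed (443/tcp saved but never reloaded), and the live comparison runs only where `firewall-cmd` exists.

```sh
#!/bin/sh
# Added example, not from the answer above: detect ports that were added with
# --permanent but are not active at runtime because firewalld was not reloaded.

# ports_missing_at_runtime PERMANENT RUNTIME: both arguments are
# space-separated port lists as printed by `firewall-cmd --list-ports`.
# Prints every port present in PERMANENT but absent from RUNTIME.
# Exit 0 if the lists agree, 1 if something is saved but not active.
ports_missing_at_runtime() {
    permanent="$1"; runtime="$2"; missing=""
    for p in $permanent; do
        case " $runtime " in
            *" $p "*) ;;
            *) missing="$missing $p" ;;
        esac
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# check_zone [ZONE]: compare the two views on a real firewalld host.
# firewall-cmd is only called when installed, so the script runs elsewhere too.
check_zone() {
    zone="${1:-public}"
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not installed; nothing to compare" >&2
        return 0
    fi
    perm=$(firewall-cmd --zone="$zone" --permanent --list-ports)
    run=$(firewall-cmd --zone="$zone" --list-ports)
    if missing=$(ports_missing_at_runtime "$perm" "$run"); then
        echo "zone $zone: runtime and permanent port lists agree ($run)"
    else
        echo "zone $zone: saved but not active: $missing (run: firewall-cmd --reload)"
    fi
}

# Constructed demo: 443/tcp was added with --permanent and never reloaded.
ports_missing_at_runtime "443/tcp 5984/tcp" "5984/tcp" || echo "(reload needed)"
check_zone public
```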