Redis Quick Start states:

Make sure the port Redis uses to listen for connections (by default 6379 and additionally 16379 if you run Redis in cluster mode, plus 26379 for Sentinel) is firewalled, so that it is not possible to contact Redis from the outside world.

Is there a short command to check if the ports are firewalled?

Typically, I have ufw installed on the hosts (almost always Ubuntu), but not nmap.

Majid Fouladpour

3 Answers

for port in 6379 16379 26379;do nc -zv 127.0.0.1 $port;done

Of course, you should use another server to check your firewall from the outside and not from localhost, to be sure that apps are blocked.

a short command to check if the ports are firewalled?

No

Not reliably or conclusively from either only the host offering a service or the client. Please note that in addition to host-based firewalls there may also be firewalls and access controls in the network path between a client and server.

From the client you can try and set up a connection to the correct port on the host offering a service. (Typically `telnet host port`, `nc -vz host port` or `openssl s_client -connect host:port` etc. for TCP services.)

If you can successfully establish a connection: either there is indeed no firewall, or the connection is white-listed in the firewall(s). The latter is a big distinction, as there may be other controls in the firewall that may impact your performance at a later time such as for instance rate limiting, intrusion detection etc.

If no connection can be established, with a bit of luck you get a connection refused error message. Our canonical connection refused Q&A explains in detail how to proceed from there to determine if the problem is that the host offering the service is not configured correctly or if indeed a firewall is blocking the connection (or both).

If no connection can be established and you get a connection time-out, that may be a firewall that is blocking the connection by dropping the connection attempt rather than rejecting it politely, but it could also be a routing problem, a hostname resolving to an incorrect IP address or something else.

HBruijn
  • In this context the client is on the same machine and the host should be completely inaccessible from outside. If I understand your points, you are basically saying the inability to establish a connection from outside should not be considered as a guarantee that the ports are properly firewalled, because something else might be the cause and eventually get fixed exposing the ports to outside world. Right? – Majid Fouladpour Oct 19 '17 at 17:36
  • Partly that. - Also if you are running a local firewall on the host, you can display the config with for instance `iptables-save` or `iptables -L -v -n` but you will need to investigate the complete config as there is no guarantee that although the relevant ports are mentioned explicitly in a block rule they still could be opened by an implicit rule. - On the other hand when the service is bound to listen only on 127.0.0.1:6379 and doesn't listen to *:6379 or 0.0.0.0:6379 then the service won't be available from the network/internet, regardless of firewalls. – HBruijn Oct 20 '17 at 11:17
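The answers above give a one-line `nc` loop and explain how to read the result (open vs. refused vs. timeout) and why the bind address matters. The script below is an added example, not code from either answer or from the Redis project: it probes the three ports the question lists without needing `nc` or `nmap` (bash's `/dev/tcp` redirection plus coreutils `timeout`), classifies each outcome the way HBruijn describes, and parses `ss -ltn` output to list any listener on those ports that is bound to a non-loopback address. The function names (`probe_port`, `check_redis_ports`, `exposed_listeners`) are hypothetical, and the `ss` sample embedded at the bottom is constructed, not captured from a real host. As the first answer says, a probe against 127.0.0.1 only tells you about loopback; run `check_redis_ports` from a machine outside your network to test the firewall itself.

```shell
#!/usr/bin/env bash
# Added example (hypothetical helper names, not a Redis or Ubuntu tool).
# Probe the Redis-related ports from the question and classify the result,
# then check on the host which listeners are reachable from the network.

REDIS_PORTS="6379 16379 26379"

# probe_port HOST PORT [TIMEOUT_SECONDS]
# Prints one word: open, refused, timeout or error.
# Uses bash's /dev/tcp pseudo-device, so it works where nc is not installed.
probe_port() {
    local host=$1 port=$2 tmo=${3:-3} err rc=0
    if command -v timeout >/dev/null 2>&1; then
        err=$(timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) || rc=$?
    else
        # Without coreutils timeout a DROP rule makes this wait for the
        # kernel's own connect timeout, which can be over a minute.
        err=$(bash -c "exec 3<>/dev/tcp/$host/$port" 2>&1) || rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo open      # handshake completed: no firewall, or the port is white-listed
    elif [ "$rc" -eq 124 ]; then
        echo timeout   # packets dropped (firewall), or routing / DNS trouble
    elif printf '%s' "$err" | grep -qi 'refused'; then
        echo refused   # host reached; nothing listening, or a REJECT rule
    else
        echo error     # e.g. network unreachable or name resolution failure
    fi
}

# check_redis_ports HOST: prints one "port status" line per Redis port.
# Run it from a machine outside the network; 127.0.0.1 bypasses the firewall.
check_redis_ports() {
    local host=$1 port
    for port in $REDIS_PORTS; do
        printf '%s %s\n' "$port" "$(probe_port "$host" "$port")"
    done
}

# exposed_listeners [PORT...]: reads `ss -ltn` output on stdin and prints the
# listening sockets NOT bound to a loopback address, optionally restricted to
# the given ports. A Redis bound only to 127.0.0.1 never shows up here, which
# is the binding HBruijn's comment recommends.
exposed_listeners() {
    local want=" $* "
    awk -v want="$want" 'NR > 1 && $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        if (want != "  " && index(want, " " port " ") == 0) next
        if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1") print addr ":" port
    }'
}

# Constructed sample of `ss -ltn` output (not from a real host): Redis bound to
# loopback only, sshd on all IPv4 addresses, and a cluster-bus port 16379
# wrongly bound to every interface.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:6379       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     *:16379              *:*'

# Usage when run directly: ./redis-port-check.sh HOST
if [ -n "${1:-}" ]; then
    check_redis_ports "$1"
    echo "--- non-loopback listeners for Redis ports on this host ---"
    ss -ltn | exposed_listeners $REDIS_PORTS
fi
```

Feeding the constructed sample to `exposed_listeners 6379 16379 26379` prints only `*:16379`, which is exactly the kind of listener a firewall check from outside would need to catch; the loopback-only 6379 socket is unreachable from the network regardless of firewall rules, as the comment above points out.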
You can use netcat or telnet to check if the port is open from some external machine.

Martynas Saint