View Full Version : SLES 12 SP1 Port is always blocked by the firewall

dn312sr
21-Jul-2016, 15:41
I'm trying to do a remote install of Acronis Backup on my SLES box. Amongst others, it requires port 9876 to be open.
In YaST firewall, I've added 9876 to 'Allowed Services' -> Advanced (TCP) and restarted the firewall.
9876 is added to the FW_SERVICES_EXT_UDP variable in /etc/sysconfig/SuSEfirewall2.

When I do a port scan of my network for port 9876 using Angry IP Scanner, I can see 9876 open on other nodes, but not on my SLES machine.

If I execute 'iptables -L | grep 9876' it returns nothing.

If I turn off the firewall in YaST, 9876 is still closed to the port scanner.

Any ideas?

Many thanks,

Gary

jmozdzen
21-Jul-2016, 16:39
Hi Gary,

> I've added 9876 to 'Allowed Services' -> Advanced (TCP) and restarted the firewall
> 9876 is added to the FW_SERVICES_EXT_UDP

that looks strange - should that read FW_SERVICES_EXT_TCP?

> If I execute 'iptables -L | grep 9876' it returns nothing.

likely the rules are reported with a port name of "sd". Run "iptables -L -n | grep 9876" instead.

> If I turn off the firewall in YaST, 9876 is still closed to the port scanner.

Is the according Acronis service running on your server? Does "lsof -i4 -P|grep 9876" list a process having that port open at the time you're scanning the server?

Regards,
J

dn312sr
22-Jul-2016, 09:47
Hi Jens,

Thanks for the reply


> Hi Gary,
>
> > I've added 9876 to 'Allowed Services' -> Advanced (TCP) and restarted the firewall
> > 9876 is added to the FW_SERVICES_EXT_UDP
>
> that looks strange - should that read FW_SERVICES_EXT_TCP?

Yes, sorry that was a typo in the posting - it was indeed FW_SERVICES_EXT_TCP that was in the file

> > If I execute 'iptables -L | grep 9876' it returns nothing.
>
> likely the rules are reported with a port name of "sd". Run "iptables -L -n | grep 9876" instead.

linux-9w5j:~ # iptables -L -n | grep 9876
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:9876 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9876
linux-9w5j:~ #


> > If I turn off the firewall in YaST, 9876 is still closed to the port scanner.
>
> Is the according Acronis service running on your server? Does "lsof -i4 -P|grep 9876" list a process having that port open at the time you're scanning the server?

linux-9w5j:~ # lsof -i4 -P | grep 9876
linux-9w5j:~ #

This is the problem - Acronis can't actually do the installation because the port was closed, so there's no Acronis software running on the machine at all.

Best regards,

Gary

jmozdzen
22-Jul-2016, 10:13
Hi Gary,

> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:9876

seems your firewall is set up correctly - while we don't see the exact chain the "ACCEPT" rule is placed into, it's there and likely in the right place. If you add "-v" to the iptables invocation, you'll see the number of hits as well. Once the software is started and clients connect to your machine, numbers should be increasing for this rule.

> This is the problem - Acronis can't actually do the installation because the port was closed, so there's no Acronis software running on the machine at all

I'm a bit picky on words here - Acronis should fail if the port is *open*, because then the port already is in use by some other daemon. But of course it may have failed because the port was *blocked* for incoming traffic by the firewall at the time of the installation. If Acronis offers no mechanism to pick up at that step, you may as well need to re-install it.

But: A port blocked by the firewall usually doesn't affect server software installations - from the server software's POV, all network sockets can be opened and are in listening state. It's just that no traffic from remotes will reach the server software. The only time this will be a problem is when that piece of software you're installing, depends on some remote service to connect to the installer (or a later stage of it), i.e. for configuration updates. But then, it's the same as if the remote isn't reachable for any other reason, i.e. because you're installing in a separate, isolated installation environment, rather than in the final production environment.

Regards,
J
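The three checks Jens walks Gary through (the TCP vs. UDP sysconfig variable, the ACCEPT rule and its "-v" hit counter, and whether anything is actually listening) as one small diagnostic script. This is an added example, not code from the thread or from SUSE; it parses constructed sample copies of /etc/sysconfig/SuSEfirewall2, "iptables -L -n -v" and "lsof -i4 -P" output so it runs offline, and assumes the standard column layout of those two commands.

```shell
#!/bin/sh
# Added example: firewall/listener triage for one TCP port, run over
# constructed sample data (not the real files or commands).

# 1. Is PORT listed in FW_SERVICES_EXT_TCP (the TCP variable, not _UDP)? exit 0 if yes.
sfw2_tcp_has_port() {
    awk -v port="$2" -F= '$1 == "FW_SERVICES_EXT_TCP" {
        gsub(/"/, "", $2); n = split($2, t, /[ \t]+/)
        for (i = 1; i <= n; i++) if (t[i] == port) ok = 1
    } END { exit ok ? 0 : 1 }' "$1"
}

# 2. Packet counter of the first ACCEPT rule for tcp dpt:PORT in `iptables -L -n -v`
#    output (pkts bytes target prot opt in out src dst ...). Empty output = no rule.
#    The SFW2 LOG rule also names dpt:PORT but is skipped: only ACCEPT admits traffic.
iptables_accept_hits() {
    awk -v port="$2" '$3 == "ACCEPT" && $4 == "tcp" {
        for (i = 10; i <= NF; i++) if ($i == ("dpt:" port)) { print $1; exit }
    }' "$1"
}

# 3. Process listening on PORT according to `lsof -i4 -P` (empty = nothing bound,
#    which is what Gary saw). ESTABLISHED lines are ignored on purpose.
listener_for_port() {
    awk -v port="$2" '$0 ~ (":" port " \\(LISTEN\\)$") { print $1 }' "$1"
}

# Constructed sample data standing in for the real files and command output.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
printf 'FW_SERVICES_EXT_TCP="ssh 9876"\nFW_SERVICES_EXT_UDP=""\n' > "$TMP/sysconfig"
cat > "$TMP/iptables" <<'EOF'
Chain input_ext (1 references)
 pkts bytes target  prot opt in out source    destination
   12   720 LOG     tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   limit: avg 3/min burst 5 tcp dpt:9876 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
   12   720 ACCEPT  tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   tcp dpt:9876
    0     0 DROP    tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   tcp dpt:9877
EOF
cat > "$TMP/lsof" <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    812 root  3u IPv4  15402      0t0  TCP *:22 (LISTEN)
sshd    812 root  4u IPv4  15403      0t0  TCP 10.0.0.5:22->10.0.0.9:51234 (ESTABLISHED)
EOF

# One-line verdict per port: config entry, live rule hits, listening process.
diagnose() {
    sfw2_tcp_has_port "$TMP/sysconfig" "$1" && cfg=yes || cfg=no
    hits=$(iptables_accept_hits "$TMP/iptables" "$1")
    proc=$(listener_for_port "$TMP/lsof" "$1")
    echo "port $1: in FW_SERVICES_EXT_TCP=$cfg accept_hits=${hits:-none} listener=${proc:-none}"
}
diagnose 9876   # port 9876: in FW_SERVICES_EXT_TCP=yes accept_hits=12 listener=none
diagnose 22
```

A result of "accept_hits=12 listener=none" is exactly Gary's situation: the firewall admits the port, but nothing is bound to it, so a scanner still sees it closed.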