I'm on CentOS 7 using firewalld.

I've configured firewalld so 443 is open:

$ sudo firewall-cmd --zone=public --permanent --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: couchdb2 dhcpv6-client http https ssh
  ports: 443/tcp 5984/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 

$ sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
Warning: ALREADY_ENABLED: 443:tcp
success

apparently port 443 is open, but ...

$ curl https://127.0.0.1:443
curl: (7) Failed connect to 127.0.0.1:443; Connection refused

I also test it using the web tool at http://www.yougetsignal.com/tools/open-ports/

I type in my IP address and port 443 and get: Closed Port 443 is closed on {my-ip}

What could be going wrong? It seems to open and yet it isn't.

I query netstat with this result:

$ sudo netstat -lnp | grep 443
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd

Once I fixed my nginx.conf to properly listen to 443 the result looked like:

$ sudo netstat -lnp | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10197/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      10197/nginx: master
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd

2 Answers


The error "Connection refused" usually means the firewall allowed the packets to get through (unless the firewall is actively rejecting the connection attempt), but there is no service listening on the destination port number.

In your case, you need to make sure an HTTPS web server is running and listening on port 443. You can use the following command to verify.

sudo netstat -lnp | grep 443

Edit: As commented by @Paul, the shown output means there is no process listening on port 443. The output is irrelevant because the process ID matched 443, and we need it to match the port number of the TCP protocol. You need to find a line similar to:

tcp  0   0 0.0.0.0:443      0.0.0.0:*     LISTEN      <pid>/<proc_name>

Khaled

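A small shell helper, added here as an example and not part of either answer, that matches the port in the Local Address column instead of grepping the whole line, so a process whose PID happens to be 443 (the chronyd line above) is not mistaken for a listener on port 443. The netstat output it parses is a constructed sample, not output from the asker's host.

```shell
#!/bin/sh
# Constructed sample of `netstat -lnp` output. The last two lines are the
# decoy from the question: PID 443 (chronyd) listening on UDP 323, which a
# plain `grep 443` matches even though nothing listens on TCP 443 there.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      10197/nginx: master
tcp6       0      0 :::443                  :::*                    LISTEN      10197/nginx: master
tcp        0      0 127.0.0.1:5984          0.0.0.0:*               LISTEN      2210/beam.smp
udp        0      0 127.0.0.1:323           0.0.0.0:*                           443/chronyd
udp6       0      0 ::1:323                 :::*                                443/chronyd'

# listeners_on_port PORT  (netstat -lnp output on stdin)
# Prints only TCP sockets in LISTEN state whose *local* port equals PORT.
# The port is taken from the Local Address field ($4) by splitting on ':'
# and using the last element, which works for 0.0.0.0:443 and for :::443.
# The PID/Program column is never inspected, so "443/chronyd" cannot match.
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
            n = split($4, a, ":")
            if (a[n] == port) print
        }'
}

# count_listeners PORT  (netstat -lnp output on stdin) -> number of listeners
count_listeners() {
    listeners_on_port "$1" | wc -l | tr -d ' '
}

# Demo on the constructed sample. On a real host you would run:
#   sudo netstat -lnp | listeners_on_port 443
printf '%s\n' "$SAMPLE_NETSTAT" | listeners_on_port 443
echo "TCP listeners on 443: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_listeners 443)"
echo "TCP listeners on 323: $(printf '%s\n' "$SAMPLE_NETSTAT" | count_listeners 323)"
```

On the sample this reports two listeners on 443 (the IPv4 and IPv6 nginx sockets) and none on 323, whereas the original `grep 443` would have shown only the two chronyd lines.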

You need to reload firewalld after you add a rule with --permanent, or you have to rerun the command without --permanent.

When you say --permanent, firewalld just updates the configuration but doesn't reload it.