Non default SSH ports not automatically applied to FirewallD

Thu, 04/19/2018 - 05:57
Pit

Hi,

when changing the SSH port from the default (22) to anything else in 'Webmin - Servers - SSH Server - Networking' and applying the configuration, new connections are properly allowed on the given port.

After a restart, however, the SSH connection no longer works, as the built-in FirewallD still only allows connections via port 22.

First question: Why does it not block connections to any other port after simply changing the port? Second question: Why does it block again after reboot? Third question: Should a change of the SSH port not automatically trigger a change in FirewallD (or at least warn the user to change it manually)?

As far as I understand /usr/lib/firewalld/services/ssh.xml defines the default port, but could be overwritten by writing the right stuff in /etc/firewalld/services/ssh.xml ? So why not automatically create that file with the setting entered when changing the port?

Operating system: Ubuntu Linux 16.04.4; Webmin version 1.881; Usermin version 1.741; Virtualmin version 6.02-3
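The override mechanism described above (a file in /etc/firewalld/services/ shadowing the one in /usr/lib/firewalld/services/), as an added example that is not part of the thread or of Webmin/Virtualmin: a small POSIX shell script that writes an ssh service override listing the new port while keeping 22 open until the new port is confirmed, so a reboot does not lock you out. SSH_SERVICE_FILE and the port 2222 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the forum thread. Writes a firewalld service
# override for "ssh" that allows every port given, then reloads firewalld.
# SSH_SERVICE_FILE is an assumed variable; its default is firewalld's real
# override path, which shadows /usr/lib/firewalld/services/ssh.xml.
SSH_SERVICE_FILE="${SSH_SERVICE_FILE:-/etc/firewalld/services/ssh.xml}"

# Accept only an integer in 1..65535.
valid_port() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the service XML allowing each argument as a TCP port.
ssh_service_xml() {
  for p in "$@"; do
    valid_port "$p" || { echo "ssh_service_xml: bad port '$p'" >&2; return 1; }
  done
  printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>' \
    '  <short>SSH</short>' \
    '  <description>Secure Shell (override: non-default port)</description>'
  for p in "$@"; do
    printf '  <port protocol="tcp" port="%s"/>\n' "$p"
  done
  printf '%s\n' '</service>'
}

# Write the override; reload firewalld only when the live path was written
# and firewall-cmd is available (the override is inert until reload).
apply_ssh_ports() {
  xml=$(ssh_service_xml "$@") || return 1
  mkdir -p "$(dirname "$SSH_SERVICE_FILE")" || return 1
  printf '%s\n' "$xml" > "$SSH_SERVICE_FILE" || return 1
  if [ "$SSH_SERVICE_FILE" = /etc/firewalld/services/ssh.xml ] \
     && command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --reload
  fi
}

# Usage: sshd moved to 2222 (constructed value). Keep 22 until the new port
# is verified from a second session, then rerun with only the new port:
#   apply_ssh_ports 22 2222
#   apply_ssh_ports 2222
```

Because the ssh service stays bound to its zone, only the ports it covers change; `firewall-cmd --info-service=ssh` shows which ports are in effect after the reload.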

Thu, 04/19/2018 - 11:07
scotwnw

I don't see how your 1st sentence is possible. SSH in on a new port without it being open on the firewall? Either SSH didn't get restarted or the firewall was not up at all. Seems to me anyway.

SSH service and firewall service are two totally different programs. If you change the SSH listening port, it's your responsibility to also allow that port through the firewall manually. SSH has no idea a firewall exists, and one is not required for SSH to run. Admin/security is responsible for the firewall.

And it's probably best for security reasons to NOT allow programs to change firewall settings automatically. Just adds another failure/hack point.

Plus, automatically changing firewall ports or anything to do with networking can cause issues with existing users or connections. So best done manually. Although I see your point and have locked myself out many times doing exactly what you've done.

Fri, 04/20/2018 - 06:07
Pit

Could it be that the firewall was only activated after the reboot? SSH was restarted for sure, and working on the new port before the reboot.

I now understand the possible consequences of automatically changing firewall rules, and yes it would probably not be a good idea …
